Here we go again... The idea for this article has been brewing in my mind for a long time. The problem of access control isn't new, nor are the tools that solve it. Speaking of Go - I've seen quite a variety...
In modern systems, control over access to resources is a critical security component. As a system grows, its user count increases and its organizational structure becomes more complex, it needs a flexible and reliable access control mechanism. Traditional approaches, such as hardcoded permission checks or simple role systems, often prove insufficient for complex business requirements.
This is where Casbin comes to help - an open-source library that lets you implement complex access policies without complicating the business logic code. The series will consist of two articles, and in this first part, as usual, we'll look at everything from a theoretical perspective: types of access control, models and their capabilities, functions, and much more.
I want to note that the result of this series will be an open-source abstraction over Casbin in Go (RBAC). Why? The answer is quite simple - Casbin's capabilities are quite extensive, but everything has to be written by hand. At the same time, the out-of-the-box functionality covers (as far as my experience allows me to claim) 90+% of what any SaaS system needs.
As I mentioned, the idea came up quite a while ago, but the opportunity to try writing a wrapper over Casbin came about six months ago, when the startup I work for needed a rather flexible access control system. At the same time, there was a requirement for the structure - three interdependent levels were conceived:
And my colleague Herman (huge thanks to him for the work done!) implemented all the necessary requirements, and it worked amazingly well! For obvious reasons, I can't share that code here, but I decided that we could create a wrapper based on what Herman did and, moreover, give developers the ability to implement the model they need with their own specific requirements. We'll only look at RBAC though.
Each type of access control has advantages and limitations that should be considered when designing a security system. Let's examine the main approaches and their features to better understand which one best suits a given case.
Discretionary Access Control (DAC) is a system where the resource owner determines access rights. For example, in Google Docs the document's author decides who has access to it.
Pros: intuitive, flexible settings, quick rights management, the ability to delegate, minimal administrator overhead
Cons: risk of granting permissions incorrectly, difficulty controlling how permissions propagate, possibility of overly broad permissions, lack of centralization
Mandatory Access Control (MAC) is a system where access rights are determined centrally based on security levels. It is used in government and military systems, where documents carry security classifications (top secret, secret, confidential) and users have clearance levels; a user may access a document only if their clearance is sufficient for its classification, and the owner of a document cannot override that decision.
Pros: high security, clear hierarchy, low risk of data leakage, centralized management, easy to implement in government structures
Cons: low flexibility, complex administration, high costs, possible delays, limited scalability
Role-Based Access Control (RBAC) is a system where users are assigned roles and roles are assigned sets of access rights. It is the most common approach in corporate systems and web applications, where a user's access rights are determined by their roles.
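To make the difference between the three models concrete, here is an added example (written for this article, not Casbin's code or API) that evaluates the same kind of (subject, object, action) request under a DAC, a MAC and an RBAC policy. The DAC part shows the owner delegating and a non-owner failing to; the MAC part applies the Bell-LaPadula "no read-up / no write-down" rules on the classification levels named above; the RBAC part resolves permissions through a role hierarchy (admin inherits from editor, editor from viewer) and refuses to loop if the hierarchy is misconfigured with a cycle. All users, documents, levels and roles are constructed sample data.

```go
package main

import "fmt"

// Request is the (subject, object, action) triple each model below evaluates.
type Request struct{ Subject, Object, Action string }

// DAC: the resource owner decides and may delegate.
type DAC struct {
	Owner  map[string]string          // object -> owner
	Grants map[string]map[string]bool // object -> "subject:action" -> true
}

// Grant lets only the owner delegate an action. The model cannot tell a sensible
// grant from an overly broad one, which is the "incorrect granting" risk above.
func (d *DAC) Grant(granter, object, subject, action string) error {
	if d.Owner[object] != granter {
		return fmt.Errorf("%s is not the owner of %s", granter, object)
	}
	if d.Grants[object] == nil {
		d.Grants[object] = map[string]bool{}
	}
	d.Grants[object][subject+":"+action] = true
	return nil
}

// Allow: the owner may do anything; everyone else needs an explicit grant.
func (d *DAC) Allow(r Request) bool {
	return d.Owner[r.Object] == r.Subject || d.Grants[r.Object][r.Subject+":"+r.Action]
}

// MAC: central labels, no owner discretion. Rank orders the security levels.
var Rank = map[string]int{"confidential": 1, "secret": 2, "top secret": 3}

type MAC struct {
	Clearance      map[string]string // subject -> level (sample data)
	Classification map[string]string // object -> level (sample data)
}

// Allow applies the two Bell-LaPadula rules: read only at or below your
// clearance (no read-up) and write only at or above it (no write-down), so
// data never flows to a lower level. Unlabelled subjects or objects are denied.
func (m *MAC) Allow(r Request) bool {
	subj, okS := Rank[m.Clearance[r.Subject]]
	obj, okO := Rank[m.Classification[r.Object]]
	if !okS || !okO {
		return false
	}
	return (r.Action == "read" && subj >= obj) || (r.Action == "write" && subj <= obj)
}

// RBAC: subject -> roles -> permissions, with role inheritance via Parents.
type RBAC struct {
	Roles   map[string][]string        // subject -> directly assigned roles
	Parents map[string][]string        // role -> roles it inherits from
	Perms   map[string]map[string]bool // role -> "object:action" -> true
}

// Allow walks the role graph transitively; the visited set guards against a
// cycle in Parents, so a misconfigured hierarchy cannot hang the check.
func (r *RBAC) Allow(req Request) bool {
	key := req.Object + ":" + req.Action
	visited := map[string]bool{}
	stack := append([]string(nil), r.Roles[req.Subject]...)
	for len(stack) > 0 {
		role := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if visited[role] {
			continue
		}
		visited[role] = true
		if r.Perms[role][key] {
			return true
		}
		stack = append(stack, r.Parents[role]...)
	}
	return false
}

// Demo builds one constructed scenario per model so the checks can be compared.
func Demo() (*DAC, *MAC, *RBAC) {
	dac := &DAC{Owner: map[string]string{"doc1": "alice"}, Grants: map[string]map[string]bool{}}
	_ = dac.Grant("alice", "doc1", "bob", "read") // owner delegates read
	_ = dac.Grant("bob", "doc1", "carol", "read") // rejected: bob is not the owner
	mac := &MAC{Clearance: map[string]string{"alice": "secret", "bob": "confidential"},
		Classification: map[string]string{"plan": "secret", "memo": "confidential"}}
	rbac := &RBAC{Roles: map[string][]string{"alice": {"admin"}, "bob": {"viewer"}},
		Parents: map[string][]string{"admin": {"editor"}, "editor": {"viewer"}},
		Perms: map[string]map[string]bool{"viewer": {"report:read": true},
			"editor": {"report:write": true}, "admin": {"report:delete": true}}}
	return dac, mac, rbac
}

func main() {
	dac, mac, rbac := Demo()
	fmt.Println("DAC  carol reads doc1:  ", dac.Allow(Request{"carol", "doc1", "read"}))   // false: no valid grant
	fmt.Println("MAC  alice writes memo: ", mac.Allow(Request{"alice", "memo", "write"}))  // false: no write-down
	fmt.Println("RBAC alice reads report:", rbac.Allow(Request{"alice", "report", "read"})) // true via admin > editor > viewer
}
```

Note what each model makes impossible: under DAC the library can stop bob from granting what he does not own, but not stop alice from granting too much; under MAC alice, cleared for "secret", is denied writing into a "confidential" memo even though she can read it; under RBAC the decision never mentions alice directly, only her roles, which is what makes it manageable once the user count grows.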