README

A simple framework for implementing ABAC in your application.

Rules

Rules implement business logic, the input for rule execution consists of:

• source: The actor, usually the current user
• target: The subject, the entity that the actor wishes to act upon
• permission: The action the actor wishes to take
• environment: The environment should contain anything else the business rules may need

Rules are encouraged to do recursive access check. A typical rule could be WriteImpliesRead, since for most systems when you can write an object you can also read it. Implementation could look like this:

public function execute(
    object $source,
    object $target,
    string $permission,
    Environment $environment,
    AccessChecker $accessChecker
): bool {
    return $permission === 'read' && $accessChecker->check($source, $target, 'write');
}

Environment

Consider a rule that allows access only during office hours. The current time should then be set in the environment. Reasoning behind this is that having 1 location for the environment allows for easy testing as well as a single source of truth.

Infinite loops

Rules can contain infinite loops, we track recursion depth to detect these loops.

External links

• What Is Attribute-Based Access Control (ABAC)? - by Keith Casey
• Attribute-based access control on Wikipedia