These came up in a security training at work this week. PDP is of how decisions are made in code to determine who can do what. This could be whether or not someone is anonymous or logged in with the one God password in a very elementary application, but "Role-based Access Control" is the common pattern, marinated in roles, that we tend to see. PEP is the definition for how policy is enforced. The two common-shapes, assuming we are probably doing the roles thing, are Programmatically in which we just have if/then logic in code saying things like "yes, you may go forward, but only if you have this role" and Declarative in which the roles themselves are in charge. It's harder for me to squint my eyes and picture how this second thing works. I guess the power of the role is in its record at its row in the database, perhaps holding bit values for a bunch of flags??? I don't really know.
No comments:
Post a Comment