Idea: Add permissions grouping

[berney]

I think it would be useful to have an intermediate mapping of permissions, that is a level between roles and requests. For example, in an app with many roles, with many permissions per role, where a requests is either permitted or denied based on a permission, it could be helpful to be able to group requests into permissions.

What I'm imagining is being able to add headings to the list of requests, and being able to collapse a heading. This may make navigating the list of requests easier.

It may also be handy to be able to configure the permissions assigned to roles.

[mickayz]

Thank you for the suggestion. Right now I think my concern with this strategy is that it would be too easy to create an incomplete configuration for the attack target.

For example, lets say there is a target with 3 users (employee, manager, admin) and 3 permissions (read, write, execute). By separating roles and permissions, it might now be harder to understand what the access matrix of this target should like like. For instance, perhaps the manager user should should have all permissions on assets owned by employees and themselves, and admin users will require write and read an every asset. It gets tricky pretty quickly.

For now, I think the best solution is to be more granular in your role definitions. In this case, Roles might be ReadEmployees, WriteEmployees, ExecuteEmployees, ReadManagers, WriteManagers, ExecuteManagers, etc. To test against cross-user, I would add Roles such as ReadEmployee1, WriteEmployee1, etc. I would then make sure I created enough users (naming them Employee1, Manager1, etc) so that all authorization cases that need to be tested are covered.

I will certainly keep thinking about this problem, but right now I think the easiest way as far as complexity for the user is to require expanding out permissions into unique roles. If at a later point I can think of a more elegant solution, I will add to AuthMatrix.

-Mick

[berney]

Thanks for the food for thought mickayz