A simple framework for implementing ABAC in your application.
Rules implement business logic, the input for rule execution consists of:
- source: The actor, usually the current user
- target: The subject, the entity that the actor wishes to act upon
- permission: The action the actor wishes to take
- environment: The environment should contain anything else the business rules may need
Rules are encouraged to do recursive access check. A typical rule could be WriteImpliesRead
, since for most systems when you can write an object you can also read it.
Implementation could look like this:
public function execute(
object $source,
object $target,
string $permission,
Environment $environment,
AccessChecker $accessChecker
): bool {
return $permission === 'read' && $accessChecker->check($source, $target, 'write');
}
Consider a rule that allows access only during office hours. The current time should then be set in the environment. Reasoning behind this is that having 1 location for the environment allows for easy testing as well as a single source of truth.
Rules can contain infinite loops, we track recursion depth to detect these loops.