Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Access Control

3:21 with Kenneth Love

One of the first steps for security is making sure that only authorized people can access appropriate areas in your app and database.

Access Control List and Role-based Access Control on Wikipedia are great places for a more thorough explanation.

  • 0:00

    Outside of hashing, encryption and general privacy,

  • 0:03

    it's best to think about who has access to what pieces of your data.

  • 0:06

    It seems like a really easy topic, but

  • 0:08

    it's one that often requires a lot more thought than you might have expected.

  • 0:11

    Let's start at the beginning, you have users and

  • 0:13

    they have accounts that they can log into, but how do they do that logging in?

  • 0:17

    This process, known as authentication, can have a lot of different implementations.

  • 0:21

    It could be done through a standard log in form,

  • 0:22

    where they enter a user name or e-mail address and a password.

  • 0:25

    They can be logging in through a third-party site, like Facebook or Octa.

  • 0:29

    Or maybe you authenticate users against an internal service,

  • 0:31

    like LDAP, which allows for an internal collection of user names and

  • 0:34

    passwords, like you might find on a LAN or intranet.

  • 0:37

    This is a good place to talk about two factor authentication.

  • 0:40

    You've probably heard of this, and likely even used it.

  • 0:42

    But if you haven't, here's the general idea.

  • 0:44

    You log into a service with your username and password.

  • 0:46

    That service then expects a time sensitive code from you, that you get through either

  • 0:50

    a code generator, like Google's authenticator app, or by SMS.

  • 0:54

    There's an old adage about authentication that should require three things.

  • 0:57

    Something you are, something you have and something you know.

  • 1:00

    Two factor auth covers as you might expect, two of these things.

  • 1:03

    There's something you know, is your password.

  • 1:05

    There's something you have, is your phone or

  • 1:07

    device that gives you the two factor auth code.

  • 1:09

    If you get your code from your phone and your phone requires a finger print

  • 1:12

    to access it, that could fulfill the third requirement something you are.

  • 1:15

    There are also modern devices like UB key that uses a bio-metric print

  • 1:20

    like your thumb print to generate a two factor off code,

  • 1:22

    some systems even use other bio-metric items like voice or

  • 1:25

    face recognition too but the security of these systems is still in flex.

  • 1:29

    Okay, so there are authenticated, logged in.

  • 1:32

    Now comes the second consideration in this arena, authorization.

  • 1:35

    Now that you know who the user is, what are they allowed to do and see?

  • 1:39

    For example, once you log into your Google account,

  • 1:41

    you're only allowed to see the documents you have created in Google Docs or

  • 1:44

    those that have been explicitly shared with you.

  • 1:47

    Two modern solutions to this are database based access control lists,

  • 1:50

    or ACLs, and role based access control, or RBAC.

  • 1:54

    These two systems assign users different access levels or roles, and then based on

  • 1:59

    the level or role, determine if the user can access a given object or area.

  • 2:03

    Roles simply define access in a way that lets you assign one or

  • 2:06

    more roles to a specific user.

  • 2:07

    This allows you to control access for

  • 2:09

    groups or teams in a more organized way, rather than having to explicitly define

  • 2:13

    every single thing an individual needs to access.

  • 2:16

    When working with OAuth authentication services, the authorization information

  • 2:20

    that you receive about a particular user is expressed as a set of claims.

  • 2:23

    A claim can be a role these are belongs to, a resource they can access, or

  • 2:27

    an action they can perform.

  • 2:29

    Probably the most common ACL that most people encounter is the granting of

  • 2:32

    privileges and a database like Postgrass or MySQL.

  • 2:36

    You grant read, write, or both accesses to particular user or

  • 2:39

    role on a particular table, tables, or databases,

  • 2:42

    ensuring that your database users only have privileges on tables that they need

  • 2:46

    access to, is one of the first steps you can take on ensuring that data.

  • 2:50

    Obviously the implementation of such a system is beyond the scope of this course

  • 2:54

    but their common components and many modern day frameworks and CMSs.

  • 2:57

    Using and enforcing SCL and RBAC systems, helps to minimize

  • 3:01

    the damage that can happen when a single account is compromised.

  • 3:04

    If the account doesn't have access to all of your data and

  • 3:06

    really what account should?

  • 3:07

    The damage done should be constrained to just what the compromised account has

  • 3:10

    access to, if you're using such a system, be sure to do an audit

  • 3:14

    of your user accounts, roles, and what each has access to.

  • 3:17

    It's rare that any one account should have total and

  • 3:19

    complete access to all of your data.

You need to sign up for Treehouse in order to download course files.

Sign up