Resource-Based Authorization

2 min read Application Security

Resource-Based Authorization

Resource-based authorization makes access decisions based on the specific resource being accessed rather than just user roles or attributes. This approach is essential for applications where users have different permissions for different resources, such as document management systems or project collaboration tools.

# Python example of resource-based authorization
from typing import List, Optional
from dataclasses import dataclass
from enum import Enum

class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    SHARE = "share"

@dataclass
class ResourcePermission:
    user_id: str
    resource_id: str
    permissions: List[Permission]

class ResourceAuthorizationService:
    def __init__(self, permission_store):
        self.permission_store = permission_store
    
    def check_permission(self, user_id: str, resource_id: str, required_permission: Permission) -> bool:
        # Check direct permissions
        user_permissions = self.permission_store.get_permissions(user_id, resource_id)
        if required_permission in user_permissions:
            return True
        
        # Check inherited permissions (e.g., from parent folders)
        parent_id = self.get_parent_resource(resource_id)
        if parent_id:
            return self.check_permission(user_id, parent_id, required_permission)
        
        # Check group permissions
        user_groups = self.get_user_groups(user_id)
        for group in user_groups:
            group_permissions = self.permission_store.get_permissions(group, resource_id)
            if required_permission in group_permissions:
                return True
        
        return False
    
    def grant_permission(self, user_id: str, resource_id: str, permissions: List[Permission]):
        self.permission_store.add_permissions(user_id, resource_id, permissions)
    
    def share_resource(self, owner_id: str, resource_id: str, target_user_id: str, permissions: List[Permission]):
        # Verify owner has share permission
        if not self.check_permission(owner_id, resource_id, Permission.SHARE):
            raise PermissionError("User lacks permission to share this resource")
        
        # Grant permissions to target user
        self.grant_permission(target_user_id, resource_id, permissions)

Hierarchical resource structures require special consideration in authorization systems. Permissions might inherit from parent resources, or child resources might have more restrictive permissions. Implement clear inheritance rules and provide mechanisms to override inherited permissions when needed. Consider performance implications of traversing hierarchies during authorization checks.

Resource ownership adds another dimension to authorization. Owners typically have full control over their resources, including the ability to grant permissions to others. Implement ownership transfer mechanisms and consider what happens to permissions when ownership changes. Some systems maintain permission grants across ownership changes, while others revoke them for security.