Code 401: Class 08 - Access Control

---

Questions

1. When is Basic Auth and Bearer Auth used? Basic authentication uses user name and a secret while Bearer uses a token. Bearer authentication is more secure.

2. What does the JWT package do? JWT is an open source bearer token system for user authentication.

3. Considerations for making and storing a secret? Never store un encrypted secrets in .git repositories. Place sensitive files in .gitignore. Default to minimum permissions for API’s. Create and use time stamped secrets that have a predetermined expiration. Don’t share secrets via messaging services.

Vocabulary

Encryption Method of converting information into a secret code

Token More secure form of authentication compared to a password

Bearer Clinet that holds a valid token

Secret Information known only to the two parties exchanging data

JSON Web Token Open source bearer token setup that involves a token with head.payload.signature, the signature verifies the content is received unchanged

Watch: RBAC Tutorial

• Role Based Access Control access privileges based on the role of individual
• User -> Role -> Rights
• Begin with user authentication, then activate appropriate role, then provide appropriate access
• Implement least privilege concept, minimum access needed to fulfil a role

Read: 5 Steps to RBAC

• 81% of hacking breaches involved compromised credentials
• Other forms of RBAC: ACL (Access control lists) and Attribute-based access control (ABAC)
• 5 Steps to implementing RBAC
  • Inventory systems determine which systems need to have controlled access
  • Analyze your workforce and create roles minimum number of roles as possible to serve all users
  • Assign people to roles
  • Never make one-off changes change roles as necessary not individual user permissions
  • Audit periodically review role definitions and access rights

Read: Wiki - RBAC

• RBAC can be used to secure organizations with hundreds of users and thousands of permissions
• A single person would not be allowed to perform opposing roles such as oth creating a login account and authorizing account creatino

---

Return to reading-notes Deployed Site

Return to reading-notes Mark Down