ABAC authorization model


#1

I’m pretty new to Metabase and it is really impressive.
I’ve seen that the security model is based on group membership, which does not fit well in use cases where data visibility maps to hierarchical organizations.
As an example, consider a sales department where each member can see his own results while the dept manager can see everything.
From a physical model point of view, segregation could be achieved by creating different views (one per user and one for the department) or multiple extra WHERE conditions to append to each query to properly filter data.
An ABAC authz model could help a lot because with a simple (!) mapping between view name and hierarchy it is possible to build a resource namespace where access control can be effective.
Is there any plan to adopt such a model?


#2

I personally wasn’t aware of the ABAC term - so thanks for sharing. I think the concept maps to a solution currently being implemented where I work.

Part of what the Metabase core team use for prioritizing is :+1: votes on GitHub issues. Here’s issues tagged Permissions and ordered by votes:

As you can see both row level and column level access control are being considered. The example you give sounds mostly like something that could be handled with row based access control.

Being new to ABAC I’m curious if it would “just” be a matter of mapping to e.g. group membership in LDAP - so effectively delegating the extra “magic sauce” to a solution external to Metabase that could maintain such group memberships based on attributes put on users or if you can share something more specific about what technical addition Metabase would need?

To me it sounds like a concept you want to externalise instead of implementing the handling of it in each and every application like Metabase - so forgive my ignorance :blush:


#3

First, thank you for paying attention to my post.
To get an idea, you can check Keycloak.
I have read the discussion you linked and what I think is that both row level and column level access control map to the concept of a dataset a user is granted access to.
With an RDBMS a dataset can be easily implemented with a view; with other DB technologies it can be implemented with some sort of filtering added under the covers, but the security resource is always the dataset.
So the security question is: can I access a dataset?
The most flexible answer AFAIK is the ABAC model.


#4

Here you can get an idea of how access to a dataset can be controlled.
https://www.keycloak.org/docs/latest/authorization_services/index.html#examples-2

With a proper resource naming scheme reflecting the hierarchical organization of a company and the possibility to get attributes (i.e. the department) of the users, a rule-based policy can easily provide an elegant solution to complex authz requirements.
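
The idea discussed in this thread, as an added example that is not part of the original posts and is not Metabase or Keycloak code: a default-deny, rule-based check over hierarchical dataset names and user attributes. The `dataset:` naming scheme, the `User` attributes and the two rules are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    department: tuple[str, ...]  # position in the org tree, e.g. ("sales", "emea")
    role: str                    # "member" or "manager"

def parse_resource(name: str) -> tuple[str, ...]:
    """Split 'dataset:sales/emea/alice' into path segments; reject malformed names."""
    prefix, _, path = name.partition(":")
    segments = tuple(path.split("/"))
    if prefix != "dataset" or any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"malformed resource name: {name!r}")
    return segments

def is_under(path: tuple[str, ...], ancestor: tuple[str, ...]) -> bool:
    # Compare whole segments, not string prefixes: a "sales" manager must not
    # match "sales-ops/...", which a plain startswith("sales") would allow.
    return path[:len(ancestor)] == ancestor

def own_results(user: User, path: tuple[str, ...]) -> bool:
    """Rule 1: every user may read the dataset holding their own results."""
    return path == user.department + (user.name,)

def manager_of_unit(user: User, path: tuple[str, ...]) -> bool:
    """Rule 2: a manager may read every dataset at or below their department."""
    return user.role == "manager" and is_under(path, user.department)

POLICIES = (own_results, manager_of_unit)

def can_access(user: User, resource: str) -> bool:
    """Default deny: grant only if the name parses and some rule permits it."""
    try:
        path = parse_resource(resource)
    except ValueError:
        return False
    return any(policy(user, path) for policy in POLICIES)

if __name__ == "__main__":
    # Constructed sample users and dataset names
    alice = User("alice", ("sales", "emea"), "member")
    bob = User("bob", ("sales",), "manager")
    for user, res in [(alice, "dataset:sales/emea/alice"),
                      (alice, "dataset:sales/emea"),
                      (bob, "dataset:sales/emea/alice"),
                      (bob, "dataset:sales-ops/erin")]:
        print(f"{user.name:6} {res:28} -> {can_access(user, res)}")
```

The decision depends only on user attributes and the resource name, so adding a department or moving a user changes attributes rather than group memberships.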