Attributes can be about anything and anyone. They tend to fall into 4 different categories:
- Subject attributes: attributes that describe the user attempting the access e.g. age, clearance, department, role, job title...
- Action attributes: attributes that describe the action being attempted e.g. read, delete, view, approve...
- Object attributes: attributes that describe the object (or resource) being accessed e.g. the object type (medical record, bank account...), the department, the classification or sensitivity, the location...
- Contextual (environment) attributes: attributes that deal with time, location or dynamic aspects of the access control scenario[7]

AccessControl~IAccessInfo : Object (inner)

An interface that defines the access information to be granted or denied. When you start a method chain with the `AccessControl#grant` or `AccessControl#deny` methods, you're actually building this object, which will eventually be committed to the underlying grants model.

- action
- possession
- resource
- subject
- rules

AccessControl~IQueryInfo : Object (inner)

An interface that defines the access information to be queried. When you start a method chain with the `AccessControl#Can` method, you're actually building this query object, which will be used to check the access permissions.

- action
- possession
- resource
- subject
- context
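
```go
type ContextType interface {
	Value(key interface{}) interface{}
}
```

`ContextType` is passed in `IQueryInfo` so that the context of a query action can be processed when judging rules. For example, you can implement this interface with a map type and return the value stored in the map under the given key:

```go
// DemoContext is a map-backed implementation of ContextType.
type DemoContext map[string]interface{}

// Value returns the attribute stored under key, or "" when the map is nil.
func (c DemoContext) Value(key interface{}) interface{} {
	if c == nil {
		return ""
	}
	k, ok := key.(string)
	if !ok {
		// A non-string key cannot be in the map; the unchecked
		// assertion key.(string) would panic here instead.
		return nil
	}
	return c[k]
}
```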