Role based access to resources for a RESTful service

Posted by mutex on Programmers
Published on 2013-10-23T04:19:55Z Indexed on 2013/10/23 10:15 UTC


I'm still wrapping my head around REST, but I wonder if someone can help with any suggestions or approaches to role based access control for a RESTful service, particularly from the point of view of securing the data and how the URLs might look. It's probably best to consider an example:

Say I have a REST service for Customers, and want to split the users of this REST service into Admin, Editor and Reader roles:

  • Admins can change all attributes of a Customer resource
  • Editors can change only some
  • Readers can only view them.

Access control rights are assigned to the Customers entities individually. So for example a user of the service might have admin rights to Customers 1,2 and 3 but Editor access to 4,5 and Reader access to 7,8,9.

Now consider the user calling the service. What is a good way to separate the list of Customers for the current User?

GET /Customer - this might get a list of all customers that the current user has Admin\Editor\Reader access to. But then on each Customer the consumer would need an indication of what role they have.

Or would it be "better" having something like

GET /Customer/Admin - return all customers the current user has Admin access to.

Just looking for some high level pointers or reading on a decent way to secure\filter the resources based on roles of the current user.
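As an added example (not code from the original post), here is one way the two parts of the question could be realized: the server filters the collection by the caller's per-customer grants and tags each item with the role held on it (both the plain `GET /Customer` and the `GET /Customer/Admin` shape), and an update is checked per resource and per attribute so an Editor cannot change Admin-only fields. The customer data, the user name, the attribute split and the 404-for-hidden-resource choice are constructed assumptions.

```python
from enum import IntEnum

class Role(IntEnum):
    READER = 1
    EDITOR = 2
    ADMIN = 3

# Attributes each role may change (constructed policy: Editors get only a subset).
EDITABLE = {
    Role.READER: frozenset(),
    Role.EDITOR: frozenset({"email", "phone"}),
    Role.ADMIN: frozenset({"name", "email", "phone", "credit_limit"}),
}
# Constructed sample data: Customer resources plus per-customer grants for one user.
CUSTOMERS = {
    1: {"name": "Acme", "email": "a@acme.example", "phone": "100", "credit_limit": 1000},
    4: {"name": "Bolt", "email": "b@bolt.example", "phone": "400", "credit_limit": 2000},
    7: {"name": "Cog", "email": "c@cog.example", "phone": "700", "credit_limit": 3000},
    8: {"name": "Dyn", "email": "d@dyn.example", "phone": "800", "credit_limit": 4000},
}
ACL = {("mutex", 1): Role.ADMIN, ("mutex", 4): Role.EDITOR, ("mutex", 7): Role.READER}

class Forbidden(Exception):
    """Maps to HTTP 403, or 404 where the resource's existence should stay hidden."""

def list_customers(user, role=None):
    """GET /Customer (role=None) or GET /Customer/<Role>: the server filters by the
    caller's grants and tags each item with the role the caller holds on it."""
    out = []
    for cid, cust in sorted(CUSTOMERS.items()):
        granted = ACL.get((user, cid))
        if granted is None or (role is not None and granted != role):
            continue
        out.append({"id": cid, **cust, "role": granted.name.lower()})
    return out

def update_customer(user, cid, patch):
    """PATCH /Customer/<id>: the grant is looked up per resource (never taken from the
    request) and the whole patch is refused if any attribute exceeds the role."""
    if cid not in CUSTOMERS or (user, cid) not in ACL:
        raise Forbidden(f"no access to customer {cid}")  # same answer as 'not found'
    role = ACL[(user, cid)]
    over_reach = set(patch) - EDITABLE[role]
    if over_reach:
        raise Forbidden(f"{role.name} may not change {sorted(over_reach)}")
    CUSTOMERS[cid].update(patch)
    return {"id": cid, **CUSTOMERS[cid], "role": role.name.lower()}
```

Refusing the whole patch rather than silently dropping the Admin-only fields keeps the client's view of what was written honest; a partial write would be a harder-to-spot failure.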

© Programmers or respective owner
