undefined | Better HN

0 pointstannerc13y ago0 comments

What are possible reasons per-password permissions hasn't been a feature implemented by major websites yet?

Is it simply that the way they do it now is easier to create/manage?

Seems like a no-brainer.

0 comments

The AWS Identity and Access Management (IAM) system [1] is perhaps the most comprehensive RBAC deployment I've encountered in a web-based service. It's extremely powerful, extremely flexible, and rather hard to use. AWS is a service designed (primarily) for developer-types, so if they roll out something that requires users to have a relatively strong understanding of security concepts (and to expend some thought and effort to get things right), that's arguably OK.

Google is a different story. People commenting on this thread would appreciate some in-depth manual controls over the resources each Google credential can access, but making this sort of thing accessible/understandable to an average user is a formidable challenge.

They might be able to get part of the way there using a something like a TOFU (Trust on First Use) policy - e.g. after you create an ASP and use it to login over XMPP, that ASP would only be usable for XMPP logins for the remainder of its existence. However, this might still confuse some users or break some assumptions here and there (e.g. what if you have a client application that's designed to do both email and chat?)

Besides all this, I wouldn't be surprised if Google would have to do some major backend re-architecting for this sort of thing to even be possible...

[1] https://aws.amazon.com/iam/

r00fus13y ago

Per-password permissions are basically the RBAC design pattern [1], which at it's core requires 3 tables with 2 N:N joins in a relational mapping structure (the wikipedia article lays out 4 classes/tables).

That's a lot of complexity compared to a simple session-authenticated validation.

[1] http://en.wikipedia.org/wiki/Role-based_access_control

j / k navigate · click thread line to collapse