Building dynamic ABAC authorization for banking

In the banking industry, data security and access control are of paramount importance.

Traditional role-based access control (RBAC) mechanisms often fall short in providing the fine-grained control required to manage access to sensitive financial data. Attribute-based access control (ABAC) is a more flexible approach, allowing access decisions based on dynamic attributes.

In this technical blog post, we explore how to implement a dynamic ABAC authorization system for the banking industry using Hasura's powerful GraphQL engine.

Understanding attribute-based access control (ABAC)

ABAC is an access control model that grants or denies access to resources based on the attributes of the user, the resource, and the environment. It allows for a more sophisticated access control system that considers multiple attributes in the decision-making process. For the banking industry, where access to financial data should be tightly controlled, ABAC is an ideal choice.

Step 1: Define the data model
Before implementing ABAC, we need to define the data model for the banking application. This includes entities such as Customers, Accounts, and Transactions. We should also identify the attributes that will drive access control decisions, such as customer type, account type, transaction amount, and location.

Step 2: Integrate Hasura's GraphQL Engine
Next, we integrate Hasura's GraphQL Engine into our banking application. Hasura makes it easy to set up a GraphQL API by automatically generating a schema based on the underlying data sources. By leveraging Hasura's powerful data modeling capabilities, we can establish relationships between entities and set up custom resolvers to compute derived attributes that will be used in our ABAC policies.

Step 3: Implementing dynamic ABAC authorization
To build dynamic ABAC authorization, we need to define our access control policies using GraphQL permissions. Hasura provides a declarative way to specify these policies, which allows us to create rules based on various attributes and conditions.

For example, we can create policies like:

  1. Allow customers to view their own account details.
  2. Allow bank employees to view and modify customer data but only for customers in the same branch.
  3. Allow managers to perform high-value transactions but only during business hours.

These policies can be written in the Hasura Console or defined in configuration files as per our preference.

Step 4: Leveraging external data sources
In the banking industry, access control decisions often rely on data from external sources such as customer credit scores, risk assessments, or regulatory compliance checks. Hasura allows us to connect to these external data sources through Remote Schemas or Remote Joins. This way, we can enrich our access control decisions with data from third-party systems, making our authorization system more robust.

Step 5: Testing and auditing
After implementing the dynamic ABAC authorization system, thorough testing is crucial. We should verify that access control policies are working as expected, allowing or denying access based on the specified attributes and conditions. Additionally, we should perform security audits to ensure no loopholes exist in our system and that unauthorized access attempts are appropriately logged and flagged for further investigation.

Demo

Let's consider a simplified example where we have a banking application that allows customers and bank employees to access account information, and managers to perform high-value transactions.

1. Customer Role
Can view their own account details.
Cannot access other customers' account details.

2. Bank Employee Role
Can view and modify customer data but only for customers in the same branch.
Cannot access customer data from other branches.

3. Manager Role
Can perform high-value transactions but only during business hours.
Cannot perform transactions outside business hours.
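
The three demo roles above, written as a deny-by-default ABAC decision function together with the allow/deny test matrix that Step 5 calls for. This is an added example, not Hasura permission syntax and not code from the original post; the attribute names (`owner_id`, `branch`), the 10,000 high-value threshold and the 09:00-17:00 weekday business hours are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

HIGH_VALUE = 10_000             # assumed "high-value" threshold
OPEN_HOUR, CLOSE_HOUR = 9, 17   # assumed business hours, Mon-Fri, branch-local

@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                   # customer | employee | manager
    branch: str = ""

@dataclass(frozen=True)
class Resource:
    kind: str                   # account | customer | transaction
    owner_id: str = ""
    branch: str = ""
    amount: int = 0

def in_business_hours(now: datetime) -> bool:
    return now.weekday() < 5 and OPEN_HOUR <= now.hour < CLOSE_HOUR

def is_allowed(s: Subject, action: str, r: Resource, now: datetime) -> bool:
    """Deny by default: True only when one of the demo policies matches."""
    if s.role == "customer":    # own account, read-only
        # bool(...) stops two missing attributes from comparing equal
        return (action == "read" and r.kind == "account"
                and bool(s.user_id) and r.owner_id == s.user_id)
    if s.role == "employee":    # customer data, same branch only
        return (action in {"read", "update"} and r.kind == "customer"
                and bool(s.branch) and r.branch == s.branch)
    if s.role == "manager":     # high-value transactions, business hours only
        return (action == "create" and r.kind == "transaction"
                and r.amount >= HIGH_VALUE and in_business_hours(now))
    return False                # unknown role

WED_10, WED_20, SAT_10 = datetime(2023, 8, 9, 10), datetime(2023, 8, 9, 20), datetime(2023, 8, 12, 10)
c1, e1, m1 = Subject("c1", "customer"), Subject("e1", "employee", "north"), Subject("m1", "manager", "north")
big = Resource("transaction", amount=50_000)
# Constructed test matrix: (subject, action, resource, time, expected decision)
MATRIX = [
    (c1, "read", Resource("account", owner_id="c1"), WED_10, True),
    (c1, "read", Resource("account", owner_id="c2"), WED_10, False),
    (c1, "update", Resource("account", owner_id="c1"), WED_10, False),
    (Subject("", "customer"), "read", Resource("account"), WED_10, False),
    (e1, "update", Resource("customer", branch="north"), WED_10, True),
    (e1, "read", Resource("customer", branch="south"), WED_10, False),
    (m1, "create", big, WED_10, True),
    (m1, "create", big, WED_20, False),
    (m1, "create", big, SAT_10, False),
]

def failures():
    """Return every matrix row whose decision differs from the expectation."""
    return [row for row in MATRIX if is_allowed(*row[:4]) != row[4]]
```

Most rows in the matrix are expected denials; a policy suite that only checks the allow paths will not catch an over-broad rule.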

Architecture

  1. Frontend: The user interface through which customers, bank employees, and managers interact with the banking application.
  2. Hasura GraphQL API Gateway: Acts as a single entry point for all GraphQL requests. It handles incoming queries and mutations, and based on the user roles, permissions, and rules defined, it routes the requests to the respective microservices.
  3. Microservice 1 (customer data): This microservice is responsible for managing customer-related data, such as customer profiles, accounts, and account details.
  4. Microservice 2 (transaction): This microservice handles high-value transactions and related functionalities.
  5. Databases: Two separate databases are used to store data for customers and transactions. These databases can be different types, such as SQL or NoSQL databases, depending on the requirements.

ABAC authorization workflow:

1. A user sends a request from the frontend to the Hasura GraphQL API Gateway.

2. The API Gateway receives the request and checks the user's role and permissions based on the defined ABAC policies.

3. If the user is authorized, the API Gateway routes the request to the appropriate microservice.

4. The microservice processes the request, retrieves or modifies the data from the respective database, and sends the response back to the API Gateway.

5. The API Gateway forwards the response to the frontend, completing the user's request.

In this demo, we have shown how to implement dynamic ABAC authorization for a banking application using Hasura's GraphQL engine. By defining fine-grained access control policies based on dynamic attributes and roles, we can ensure the security and privacy of sensitive financial data in the banking industry.

The architecture diagram illustrates the flow of requests and data between the frontend, Hasura API Gateway, and microservices, highlighting the flexibility and control provided by Hasura's powerful features.

Conclusion

In the banking industry, ensuring secure access to sensitive financial data is of utmost importance. By implementing a dynamic ABAC authorization system with Hasura's GraphQL Engine, we can create a flexible and powerful access control mechanism.

The ability to define fine-grained access control policies based on dynamic attributes provides the necessary security measures required in the banking industry. By leveraging Hasura's capabilities, we can build a robust and efficient authorization system that meets the stringent security standards of the banking sector.

Sign up now for Hasura Cloud to get started!

10 Aug, 2023