ABAC best practices
Use UDFs to implement the principle of least privilege
When considering database and application security, the principle of least privilege should guide your planning. Fauna’s attribute-based access control (ABAC) can help you ensure that your user identities and user-defined functions all have the minimum access necessary to perform their jobs.
When you create a new
function (UDF) with the
CreateFunction function, you can specify
a role in the
role field. A UDF with an assigned role runs with the
privileges of the specified role. A UDF with no role attached to it runs
with the same privileges as the identity that invoked it, which is fine
in some cases, but the security policy for an application is clearer
when every UDF has an associated role.
A UDF with an assigned role cannot perform any actions which exceed the privileges of the assigned role. For example, a UDF which is designed to perform a write operation but which has an assigned role without write privileges fails upon execution.
It is important to note, however, that an identity assigned to a role with
limited privileges can execute any UDF with an assigned role that grants
call privilege, even if the actions performed by the UDF exceed
the privileges assigned to the identity’s role.
When you create an API key with the
role field specifies the level of access privilege for
the key. You can specify one of the four
built-in roles or a custom
Use caution when creating keys with the
The better practice is to create custom roles with appropriate access privileges and make sure that all API keys you create have the minimum level of access necessary for the identity to perform the required actions.
Authentication in Fauna can be either anonymous, with
API keys, or identity-based with the
Limit the scope of operations used in ABAC role predicates wherever possible. ABAC roles are evaluated for every query, which can impact overall performance.
While ABAC roles can be used to filter out documents that should not be readable by the current client, such filtering can involve evaluating every document in a collection. Instead, use indexes for filtering.
Is this article helpful?
Tell Fauna how the article can be improved:
Visit Fauna's forums or email firstname.lastname@example.org
Thank you for your feedback!