ABAC best practices

Use UDFs to implement the principle of least privilege

When considering database and application security, the principle of least privilege should guide your planning. Fauna’s attribute-based access control (ABAC) can help you ensure that your user identities and user-defined functions all have the minimum access necessary to perform their jobs.

When you create a new user-defined function (UDF) with the CreateFunction function, you can specify a role in the role field. A UDF with an assigned role runs with the privileges of the specified role. A UDF with no role attached to it runs with the same privileges as the identity that invoked it, which is fine in some cases, but the security policy for an application is clearer when every UDF has an associated role.

A UDF with an assigned role cannot perform any action that exceeds the privileges of that role. For example, a UDF designed to perform a write operation, but assigned a role without write privileges, fails when it is executed.

It is important to note, however, that an identity assigned to a role with limited privileges can execute any UDF with an assigned role that grants the call privilege, even if the actions performed by the UDF exceed the privileges assigned to the identity’s role.

When you create an API key with the CreateKey function, the role field specifies the level of access privilege for the key. You can specify one of the four built-in roles or a custom role.

Use caution when creating keys with the admin role. Any identity that uses a key with the admin role has the highest level of access, with the ability to create, modify, and delete all schema documents contained in the associated database, including child databases, collections, documents, keys, etc.

The better practice is to create custom roles with appropriate access privileges and make sure that all API keys you create have the minimum level of access necessary for the identity to perform the required actions.
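The following FQL v4 snippet is an added example (not from the original page) of the pattern described above: a UDF pinned to a narrowly scoped role, a user role whose only privilege is to call that UDF, and a server key bound to a custom role instead of admin. The collection, index, function and role names (posts, users, create_post, post_writer, app_user, post_service) are assumptions made for the example.

```fql
/* Role with exactly the privileges the function body needs: create on posts. */
CreateRole({
  name: "post_writer",
  privileges: [
    { resource: Collection("posts"), actions: { create: true } }
  ]
})

/* UDF pinned to that role. It runs as post_writer whoever calls it, and it
   cannot do more than post_writer allows: adding a Delete() to this body would
   fail at execution time, not when the function is created. */
CreateFunction({
  name: "create_post",
  role: Role("post_writer"),
  body: Query(
    Lambda(["title", "body"],
      Create(Collection("posts"), {
        data: {
          title: Var("title"),
          body: Var("body"),
          author: CurrentIdentity()   /* the caller's identity, not the role's */
        }
      })
    )
  )
})

/* Role for logged-in users: the only privilege is permission to call the UDF.
   A token with this role cannot Create() in posts directly, but can create a
   post through create_post, because the UDF's own role supplies that privilege
   (the behaviour the text above describes). */
CreateRole({
  name: "app_user",
  membership: [{ resource: Collection("users") }],
  privileges: [
    { resource: Function("create_post"), actions: { call: true } }
  ]
})

/* Role for a server-side key: scoped to the one collection it serves, instead
   of the built-in admin role. */
CreateRole({
  name: "post_service",
  privileges: [
    { resource: Collection("posts"), actions: { read: true, create: true } }
  ]
})
CreateKey({ role: Role("post_service") })

/* Invoked with a token obtained via Login() for a document in users: */
Call(Function("create_post"), ["Hello", "First post"])
```

Auditing this setup is straightforward because every privilege is attached to a named role: reviewing the three CreateRole calls tells you everything a user token, the UDF, and the service key are able to do.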

Examples

Authentication in Fauna is either anonymous, using API keys, or identity-based, using the Login function.

Performance considerations

  • Limit the scope of operations used in ABAC role predicates wherever possible. ABAC roles are evaluated for every query, which can impact overall performance.

  • While ABAC roles can be used to filter out documents that should not be readable by the current client, such filtering can involve evaluating every document in a collection. Instead, use indexes for filtering.
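As an added example (not part of the original page) of the two performance points above, the FQL v4 snippet below defines a role whose index predicate is a single term comparison and whose collection predicate is a single field comparison, then contrasts a query that touches every document with one that lets the index narrow the set first. The names posts, users, posts_by_author and own_posts_reader are assumptions made for the example.

```fql
/* Index keyed on author, so a query can be narrowed to one author's posts
   before any document is read. */
CreateIndex({
  name: "posts_by_author",
  source: Collection("posts"),
  terms: [{ field: ["data", "author"] }]
})

CreateRole({
  name: "own_posts_reader",
  membership: [{ resource: Collection("users") }],
  privileges: [
    {
      /* Index predicate: evaluated against the search terms of the query.
         Cheap, and it restricts a client to looking up its own author term. */
      resource: Index("posts_by_author"),
      actions: {
        read: Query(
          Lambda("terms", Equals(Select(0, Var("terms")), CurrentIdentity()))
        )
      }
    },
    {
      /* Collection predicate: evaluated for each document that is read.
         Keep it to one field comparison; no Match(), Paginate() or extra
         lookups in here, since it runs once per document. */
      resource: Collection("posts"),
      actions: {
        read: Query(
          Lambda("ref",
            Equals(CurrentIdentity(), Select(["data", "author"], Get(Var("ref"))))
          )
        )
      }
    }
  ]
})

/* Costly: walks every document in the collection and evaluates the collection
   predicate for each one, relying on ABAC alone to do the filtering. */
Map(
  Paginate(Documents(Collection("posts"))),
  Lambda("ref", Get(Var("ref")))
)

/* Preferred: the index narrows the set to the caller's own posts first, so the
   collection predicate is evaluated only for those documents. */
Map(
  Paginate(Match(Index("posts_by_author"), CurrentIdentity())),
  Lambda("ref", Get(Var("ref")))
)
```

The role is the same in both queries; the difference in cost comes entirely from whether the client query uses the index to select documents or asks the role predicate to reject them one by one.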
