Reduce your permissions management time while effectively protecting your users, it's possible! (Project Feedback)


Authors:   Marine du Mesnil


In 2019, users of the Ameli, the french welfare website, could read other users' messages and attachments containing confidential information by trivially changing a parameter in the URL. Unfortunately, this flaw is much more common than we think and access control has been listed as the Top 1 flaw by OWASP.Historically, developers manage permissions directly in code and the product team is not always well aware of the conditions which leads to flaws in access control. It is also one of the most complex vulnerabilities to manage and it is easy for a developer to forget a condition in their API and open up access to sensitive data to anyone.On a fund management site using django-admin, we needed very fine-grained management of vertical (permission levels) and horizontal (compartmentalisation between users) permissions with a need for some administrators to manage their own teams independently.We were able to implement an extremely easy-to-use and manageable system using both Django's internal permissions management and a SaaS: Okta.During this talk, I will cover the following topics:- Vertical and Horizontal Permissions using a django-admin example- Adding a SaaS for login and permissions- The pros and cons of OktaAt the end of this talk, you will know the best practices for implementing and using permissions with django-admin example. You will also understand the pros and cons of using a SaaS to outsource permissions management and simplify it for your administrators.