Authorization using Drools rule engine

Anmol Seth
2 min read · Apr 16, 2020

Authorization is one of the most important parts of a system. It is the gatekeeper of an application: it decides which users are allowed in and what tasks each of them is allowed to perform.

Problem

The story starts in a product-based organization that wanted a layer controlling which data different types of users can view and which actions each of them can perform. That layer is under high stress: it has to enforce the security of the system (a tough job) while not getting in the way of the people using the application. To add complexity, the layer needs to scale, because there is no upper bound on the number of permissions, and it needs to be configurable, because every business is different and no two installations will share the same rules.

So how did we solve this problem?

Let us welcome Drools Decision Table (the rule engine):
https://docs.jboss.org/drools/release/5.2.0.Final/drools-expert-docs/html/ch06.html

Drools is one of the most widely used rule engines for Java. It lets you write rules. Its documentation gives the example of a marketing person taking work off a developer's shoulders by adjusting the values for an application in an Excel spreadsheet.

Drools decision tables ticked some boxes that are crucial for any organization:
1. Scalability: any number of rows can be added to the spreadsheet, which Drools compiles into a .drl file when the rule base is built, so the cost of a large table is paid at load time rather than on every request.
2. Customizability: this point is crucial for a product company. Drools lets you add custom functions and helper classes that the rules call, and all the rules are managed from the spreadsheet.

Let's cover some basics before moving forward.

What is a rule?
Simple answer: a when/then pair. If the conditions match, do that action.

What is a rule engine?
A rule engine is a tool that holds all the rules and is given the job of evaluating them, as efficiently as it can, against the facts it is handed.

Drools lets you add multiple condition columns and the action columns that correspond to them. We started adding every permission in the system against every API in our application. Users were assigned permissions according to their role, and whenever a user called an API, the rule engine was invoked with the permissions loaded for that user (server-side, never from the request itself) and matched against all the rules in the engine. Any match allows the call; no match throws an unauthorized exception, so the layer denies by default.

This RBAC (role based access control) did the job well until it was time to extend it to ABAC (attribute based access control), where conditions match on user and resource attributes rather than on a permission name alone, and new columns were added describing the action to perform on a successful match. On a successful match, the action column defines the level of access granted to this user.
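The flow described above, as an added example that is not the article's code or spreadsheet: two rules are written in DRL, the form Drools compiles a decision-table row into, one RBAC row (a permission name is enough) and one ABAC row (the caller's tenant must also match the resource's tenant), and a small wrapper denies by default when no row matches. It assumes Drools 7.x on the classpath (kie-api and drools-compiler; drools-decisiontables as well if the .xls is loaded instead of the inline DRL) and uses a hypothetical /orders API, hypothetical permission names orders:read and orders:write, and a hypothetical tenant attribute.

```java
package com.example.authz;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.kie.api.KieServices;
import org.kie.api.builder.KieBuilder;
import org.kie.api.builder.KieFileSystem;
import org.kie.api.builder.Message;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;

/** Authorization layer backed by Drools: a matching rule grants a level, no match means deny. */
public class AuthzEngine {

    /** Fact inserted per call. Permissions come from the server-side user record, never from the client. */
    public static class AccessRequest {
        private final String api;
        private final Set<String> permissions;
        private final String tenant;          // caller attribute (ABAC)
        private final String resourceTenant;  // owner of the resource being touched (ABAC)

        public AccessRequest(String api, Set<String> permissions, String tenant, String resourceTenant) {
            this.api = api; this.permissions = permissions; this.tenant = tenant; this.resourceTenant = resourceTenant;
        }
        public String getApi() { return api; }
        public Set<String> getPermissions() { return permissions; }
        public String getTenant() { return tenant; }
        public String getResourceTenant() { return resourceTenant; }
    }

    /** Inserted by a rule's action; its absence after fireAllRules() is the deny signal. */
    public static class Decision {
        private final String level;
        public Decision(String level) { this.level = level; }
        public String getLevel() { return level; }
    }

    public static class UnauthorizedException extends RuntimeException {
        public UnauthorizedException(String api) { super("no rule grants access to " + api); }
    }

    // Lowest to highest; when several rows match, the highest granted level wins.
    private static final List<String> LEVELS = Arrays.asList("READ", "WRITE");

    // Hand-written equivalent of two decision-table rows (assumed content, not the article's sheet).
    // Rule 1 is RBAC: holding the permission is enough. Rule 2 is ABAC: it also compares attributes.
    private static final String DRL =
        "package com.example.authz.rules;\n" +
        "import com.example.authz.AuthzEngine.AccessRequest;\n" +
        "import com.example.authz.AuthzEngine.Decision;\n" +
        "rule \"orders: read\"\n" +
        "when\n" +
        "  AccessRequest( api == \"/orders\", permissions contains \"orders:read\" )\n" +
        "then\n" +
        "  insert( new Decision(\"READ\") );\n" +
        "end\n" +
        "rule \"orders: write, own tenant only\"\n" +
        "when\n" +
        "  AccessRequest( api == \"/orders\", permissions contains \"orders:write\", tenant == resourceTenant )\n" +
        "then\n" +
        "  insert( new Decision(\"WRITE\") );\n" +
        "end\n";

    private final KieContainer container;

    public AuthzEngine() {
        KieServices ks = KieServices.Factory.get();
        KieFileSystem kfs = ks.newKieFileSystem();
        // With a real sheet you would write the .xls into the KieFileSystem instead; Drools
        // compiles it to the same DRL form at build time. Here the DRL is written directly.
        kfs.write("src/main/resources/authz/rules.drl", DRL);
        KieBuilder builder = ks.newKieBuilder(kfs).buildAll();
        if (builder.getResults().hasMessages(Message.Level.ERROR)) {
            // Fail closed: a broken rule file must not start a server with an empty rule base.
            throw new IllegalStateException("rule compilation failed: " + builder.getResults());
        }
        this.container = ks.newKieContainer(builder.getKieModule().getReleaseId());
    }

    /** Returns the granted level, or throws if no row matched (default deny). */
    public String authorize(AccessRequest request) {
        KieSession session = container.newKieSession(); // fresh working memory per call: no facts leak between users
        try {
            session.insert(request);
            session.fireAllRules();
            Collection<?> decisions = session.getObjects(o -> o instanceof Decision);
            if (decisions.isEmpty()) {
                throw new UnauthorizedException(request.getApi());
            }
            return decisions.stream()
                .map(d -> ((Decision) d).getLevel())
                .max((a, b) -> Integer.compare(LEVELS.indexOf(a), LEVELS.indexOf(b)))
                .get();
        } finally {
            session.dispose();
        }
    }

    public static void main(String[] args) {
        AuthzEngine engine = new AuthzEngine();
        Set<String> reader = Collections.singleton("orders:read");
        Set<String> writer = new HashSet<>(Arrays.asList("orders:read", "orders:write"));

        System.out.println(engine.authorize(new AccessRequest("/orders", reader, "acme", "acme")));
        System.out.println(engine.authorize(new AccessRequest("/orders", writer, "acme", "acme")));
        // Cross-tenant write: the write rule fails its tenant check, so only the read rule can match.
        System.out.println(engine.authorize(new AccessRequest("/orders", writer, "acme", "globex")));
        try {
            engine.authorize(new AccessRequest("/orders", Collections.emptySet(), "acme", "acme"));
        } catch (UnauthorizedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In the spreadsheet each rule above is one row: the API and the required permission sit under CONDITION columns bound to the AccessRequest fact, the tenant comparison is just one more CONDITION column, and the level sits under an ACTION column. Two points carry the security weight here: the permissions and tenant are populated from data the server trusts, and the engine never "allows" anything on its own, since a request that matches no row produces no Decision and is rejected.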

The layer solved, and is still solving, multiple needs just by adding columns and rows to a spreadsheet. Since that spreadsheet is now the authorization policy, it deserves the same version control and review as the code that loads it.
