Open Access
Designing Information System for Private Network using RBAC, FGAC and Micro service Architecture
Author(s) -
Arjit Mishra*,
Surendra Gupta,
Swarnim Soni
Publication year - 2021
Publication title -
International Journal of Engineering and Advanced Technology
Language(s) - English
Resource type - Journals
ISSN - 2249-8958
DOI - 10.35940/ijeat.d2474.0410421
Subject(s) - microservices, computer science, computer security, access control, scalability, service oriented architecture, role based access control, world wide web, web service, database, operating system, cloud computing
Microservice architecture is used in developing enterprise-level applications with the intent to modularise deployment of the application; this happens by creating an application as a collection of various smaller applications known as microservices. An Information system is one such application that is ever-growing and therefore needs an architectural solution that addresses this issue. Microservice architecture addresses this issue by giving low coupling among microservices, future scalability of the system, and convenience in developing, deploying, and integrating new microservices. For all its benefits, microservice architecture complicates the consistent implementation of security policies in this distributed system. Current industry standards are to use protocols that delegate the process of authentication and authorization to a third-party server, e.g. OAuth. Delegating these processes to be handled by the third party is not suitable for some web applications that are deployed in a less resourceful environment, e.g. an organization with high internet downtime or an organization with high traffic of non-working personnel, e.g. people giving exams in college or workshops being held. This paper aims to research proposed solutions, existing frameworks, and technologies to implement security policies in an Information system which can be suitable for the above two scenarios. For this, we use authentication, Role-based access control (RBAC) on every request, and Fine-grained access control (FGAC) on the implementation method level, to achieve greater access control and flexibility of adding a new microservice without changing whole security policies. We have also proposed a pre-registration condition in our system, which allows only certain people, whose data is already present in the system, to register themselves with the application. We also discuss the scenario where using a protocol like OAuth is not suitable.
The solution is based on creating a central single entry point for authentication and implementing an RBAC policy that will filter every request based on the access roles that the requesting user has. We further use FGAC on method level in microservices to enforce even finer restrictions on resources to be accessed based on requirements. This solution will be implemented as a part of the Department Information System (DIS) in the following two-step:
