Crowdly

Software Security (LTAT.03.024)

Looking for Software Security (LTAT.03.024) test answers and solutions? Browse our comprehensive collection of verified answers for Software Security (LTAT.03.024) at moodle.ut.ee.

Do you have any questions or comments on doing the practical parts of this quiz? (Feel free to comment anything else.)

Follow the instruction at the course web page:

https://courses.cs.ut.ee/2025/softsec/spring/Main/Cedar

Then, give your resulting policy for the image sharing web app, satisfying the following simple policies:

  1. Any user can see public images.
  2. Any user can view and delete their own images.
  3. The admin can delete public images of any user.
  4. Users under the age of 18 (or guests) should not see images marked explicit.
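
One way to express these four rules in Cedar, added here as an illustration and not as the course's reference answer. It assumes entity types `User` and `Image`, actions `view` and `delete`, a `Role::"admin"` group, `Image` attributes `isPublic`, `isExplicit` and `owner`, and an optional `User` attribute `age` that guest principals lack; the `is` scope constraints need Cedar 3.0 or later.

```cedar
// Assumed schema: User, Image, Role::"admin"; Image has isPublic, isExplicit, owner.

// 1. Any user can see public images.
permit (
  principal,
  action == Action::"view",
  resource is Image
) when { resource.isPublic };

// 2. Any user can view and delete their own images.
permit (
  principal is User,
  action in [Action::"view", Action::"delete"],
  resource is Image
) when { resource.owner == principal };

// 3. The admin can delete public images of any user.
permit (
  principal in Role::"admin",
  action == Action::"delete",
  resource is Image
) when { resource.isPublic };

// 4. Under-18 users and guests must not see explicit images.
//    A forbid always overrides any permit. Guests carry no `age`
//    attribute (assumption), so `principal has age` is false for them
//    and the unless-clause does not lift the forbid.
forbid (
  principal,
  action == Action::"view",
  resource is Image
) when { resource.isExplicit }
unless { principal has age && principal.age >= 18 };
```

Note that rule 4 deliberately uses `forbid` rather than adding age checks to rule 1: the deny then also covers any other permit (such as rule 2) that would otherwise let a minor view their own explicit upload, which is a good property to confirm against the course's intended semantics.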
What was the Lean language used for and why did they replace it?
What does PARC mean? Select, from the following Google results, the option whose meaning is most closely related to Cedar and authorization.

All this talk about role-based versus attribute-based access control is confusing. I quite like the "Cedar Design Pattern" approach of mapping the rules into the following classes (what distinguishes them is the type of additional information they rely on):

  1. Membership permissions. These cover classic role-based permissions. The rule relies on a group membership relation (who belongs to which group) that is defined externally.
  2. Relationship permissions. The main example here is document ownership. This kind of rule relies on an application-level relation between resources and principals.
  3. Discretionary permissions. These are ad hoc rules stating that a principal can access a concrete resource. This kind of rule does not rely on any outside data; all the information is stated in the rule itself.

Attributes can then be used to implement these rules and augment them with specific capabilities. Select what kind of permissions are used in the rules expressed below; some of these require membership information about the principal as well as relationships between resources and the groups.

As you hopefully recall, broken access control was at the top of the OWASP Top 10. An authorization framework is not a magic bullet: for example, you may still leave resources exposed to Insecure Direct Object Reference, and broken access control also extends to code injection and low-level code vulnerabilities.

But there are benefits to using a framework like Cedar, which is part of a more proactive approach to security. If we consider the OWASP Proactive Controls recommendation "C1: Implement Access Control", which of its recommendations does using a language like Cedar contribute to?
