The Guide

Permissions

What's the purpose of permissions?

Purpose

Permissions are meant to enforce controls on the actions of any identity (yes, even your own computer has its own user identities, and not just one). That is how we make sure no one can do something they are not supposed to. Permissions extend all the way down to your hardware: even an application has its own set of permissions on the operating system and on system memory.

Different Implementations Of Permission Management

Same Foundation

At the end of the day, all permission (access control) mechanisms do the same job: decide whether you have read, write, or execute permissions on something.

The main differences are:

  1. How granular those permissions are - how deep you can go into specific permissions
  2. Labeling standards - different systems can give the same kind of permission a different name, such as Viewer on one system and Read-Only on another

Note

Be aware that some systems are deeply customizable, meaning you can create a new permission group or role and give it the exact permissions you need, while other systems only give you a narrower set of options to choose from. This depends entirely on the system's developers.

RBAC

Role-based access control, or RBAC for short, is a form of permission control that uses roles as its way of managing permissions: each role bundles a set of permissions, and identities are assigned roles rather than individual permissions.

Examples
  • Read only permissions can be labeled as Viewer
  • Read Write permissions can be labeled as Editor
  • Access to manage the system settings but without access to the system's actual content can be labeled as Config Admin

ACL

Access Control Lists (ACLs) let us assign specific permissions per resource: each resource carries its own list of which identity may do what on it

Examples
  • User1 will have access to one specific page on my web application and will only be able to read its contents
  • User2 will have full access to my web application and will also be able to manage everyone else's permissions
  • User3 won't have any access to my web application and will need to rely on one of the other users' help (if that is even allowed)
  • User4 will have read and write permissions only on a specific page that is not used to manage user permissions

Hybrids

There are also systems that use RBAC but additionally let you create new roles or assign specific explicit permissions to an identity on top of its role
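To make the RBAC, ACL, and hybrid sections above concrete, here is a small added example (not code from the original guide): roles as permission bundles, an ACL mirroring User1 to User4 from the text, a hybrid check that unions the two, and a guard that only lets an identity with manage rights change someone else's entry. The role names, user names, page paths, and the "*" wildcard scope are all constructed for this illustration.

```python
from enum import Flag, auto


class Perm(Flag):
    """The basic rights every access-control scheme boils down to."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    MANAGE = auto()   # manage settings and other identities' permissions


# RBAC: a role is a named bundle of permissions; identities get roles, not raw rights.
ROLES = {
    "Viewer": Perm.READ,
    "Editor": Perm.READ | Perm.WRITE,
    "Config Admin": Perm.MANAGE,          # settings only, no content access
}
USER_ROLES = {"alice": ["Viewer"], "bob": ["Editor", "Config Admin"]}  # constructed

# ACL: each resource lists, per identity, what that identity may do on it.
# Constructed to mirror User1..User4 from the text; "*" means every page.
ACL = {
    "/page-a": {"User1": Perm.READ, "User4": Perm.READ | Perm.WRITE},
    "/admin/permissions": {},             # only a wildcard grant reaches this page
    "*": {"User2": Perm.READ | Perm.WRITE | Perm.MANAGE},
}


def rbac_rights(user_roles, user):
    """Union of every role's bundle; an unknown user gets nothing."""
    rights = Perm.NONE
    for role in user_roles.get(user, ()):
        rights |= ROLES[role]
    return rights


def acl_rights(acl, user, resource):
    """Explicit entry for this resource plus any global ("*") grant."""
    rights = Perm.NONE
    for scope in (resource, "*"):
        rights |= acl.get(scope, {}).get(user, Perm.NONE)
    return rights


def hybrid_allows(user_roles, acl, user, resource, wanted):
    """Hybrid system: role bundle plus any explicit per-resource grant."""
    return wanted in (rbac_rights(user_roles, user) | acl_rights(acl, user, resource))


def grant(acl, actor, target, resource, perms):
    """Only an identity holding MANAGE on the resource may change another's entry."""
    if Perm.MANAGE not in acl_rights(acl, actor, resource):
        return False
    entry = acl.setdefault(resource, {})
    entry[target] = entry.get(target, Perm.NONE) | perms
    return True
```

Note that User3 is denied simply by having no entry anywhere: a missing entry is a deny, and only User2, who holds MANAGE, can add one.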
