Role-based access notes
How to handle permissions like a dev
Role-based access control (RBAC)
A permission is an action on a resource type, ex: view:comments
Handing those permissions out directly, one user at a time, works for small cases
Spirals with complexity as users and resources grow, which is what roles are for
Most auth systems let a user hold multiple roles.
User table, role table. One user can have many roles, one role can have many users: many-to-many (join table).
Permission table: one role can have many permissions, one permission can belong to many roles: also many-to-many (join table).
Roles can be scoped to an organization (tenant): editor in one org, nothing in another.
Can also grant roles on an individual resource (editor of one specific post).
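Added example (not code from these notes): the role and permission tables above as in-memory sets, with a deny-by-default check that also honours org-scoped and resource-scoped role grants. The "action:resource_type" permission format, the scope column on role assignments and all sample rows are assumptions made for illustration.

```python
"""RBAC check over the many-to-many tables sketched in the notes.

Added example, not code from the original notes. The "action:resource_type"
permission format, the scope column on role assignments and all sample
rows are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# role_permissions table: role -> permissions, each "action:resource_type".
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "viewer": {"view:post"},
    "editor": {"view:post", "create:post", "edit:post"},
    "admin":  {"view:post", "create:post", "edit:post", "delete:post"},
}

# user_roles table as (user_id, role, scope) rows. scope is
#   None                  -> the role applies everywhere,
#   ("org", org_id)       -> the role applies inside one organization,
#   (resource_type, id)   -> the role applies to one resource only.
Scope = Optional[tuple[str, str]]
USER_ROLES: set[tuple[str, str, Scope]] = {
    ("alice", "admin", None),                # global admin
    ("bob", "editor", ("org", "acme")),      # editor only inside org "acme"
    ("carol", "viewer", None),               # can view everywhere
    ("carol", "editor", ("post", "p42")),    # and edit exactly one post
}


@dataclass(frozen=True)
class Resource:
    type: str
    id: str
    org: str


def roles_for(user_id: str, resource: Resource) -> set[str]:
    """Roles the user holds *for this resource*: global roles, roles scoped
    to the resource's organization, and roles granted on the resource itself."""
    applicable: set[str] = set()
    for uid, role, scope in USER_ROLES:
        if uid != user_id:
            continue
        if scope is None or scope == ("org", resource.org) \
                or scope == (resource.type, resource.id):
            applicable.add(role)
    return applicable


def can(user_id: str, action: str, resource: Resource) -> bool:
    """Deny by default: allowed only if some applicable role carries the permission."""
    needed = f"{action}:{resource.type}"
    return any(needed in ROLE_PERMISSIONS.get(role, set())
               for role in roles_for(user_id, resource))


if __name__ == "__main__":
    p42 = Resource("post", "p42", org="acme")
    p7 = Resource("post", "p7", org="globex")
    print(can("bob", "edit", Resource("post", "p7", org="acme")))  # True: org-scoped
    print(can("bob", "edit", p7))                                  # False: other org
    print(can("carol", "edit", p42))                               # True: resource-scoped
    print(can("carol", "edit", p7))                                # False
```

The check is deny-by-default: an unknown user, an unknown role or a permission no role carries all fall through to False, which is the behaviour you want when a row is missing or mistyped.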
Attribute-based access control (ABAC)
- Subject: who wants to do something (and their attributes)
- Action: read, write
- Resource: what is being acted upon, ex: "I want to read this comment"
- Other attributes: environment (time, device), organization, etc.
RBAC:
- A viewer can view posts
- An editor can view, create, edit posts
- An admin can view, create, edit, delete posts
Eg. An editor can edit posts
ABAC:
Eg. An editor can edit posts in draft mode between Monday and Friday
Eg. An admin can delete posts in archived mode.
ReBAC (relationship-based): the decision comes from a relationship between subject and resource, not from a role or attribute alone.
Eg. The author of a post can edit it.
Eg. A viewer with an active subscription can view posts on mobile (subscription and device are attributes, so this one is really ABAC).