RBAC, ABAC, Roles & Permissions
October 9, 2024
note-to-self
Roles vs Permissions
Attach permissions to roles and assign roles to users. Don't assign permissions directly to users.
- Create a permission, like "can view page".
- Assign that permission to a role, like "Page Viewer".
- Assign that role to a user. A user can have more than one role, for example "Page Viewer", "Category Name Editor" and "Email Sender".
- Any permissions attached to those roles are inherited by the user.
Like Unix group permissions: if the "wheel" group can access a file and I am in that group, I can access the file.
When you check, DON'T check for the role, check for the permission. The permission is what the code actually needs, and the same permission may arrive through more than one role.
No:
if (isPageViewer()) {
  // ...
}
Yes:
if (canViewPage()) {
  // ...
}
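The whole note in working code, as an added example that is not part of the original post: permissions attach to roles, users hold only roles, a user's effective permissions are the union over all of their roles, and the access check is on the permission. The role names are the ones from the note; the permission strings ("page:view", "category:rename", "email:send") and the usernames are constructed sample data. For contrast it also includes the role check the note says not to write, so you can see where the two disagree.

```javascript
// Added example, not from the original note: a minimal RBAC model.
// Permissions are plain strings (constructed names); roles own permissions.
const roles = new Map([
  ["Page Viewer", new Set(["page:view"])],
  ["Category Name Editor", new Set(["page:view", "category:rename"])],
  ["Email Sender", new Set(["email:send"])],
]);

// Users hold roles only, never permissions directly (constructed sample users).
const users = new Map([
  ["alice", new Set(["Page Viewer", "Category Name Editor", "Email Sender"])],
  ["bob", new Set(["Page Viewer"])],
  ["carol", new Set()],
  ["dave", new Set(["Category Name Editor"])], // can view pages, but is not a "Page Viewer"
]);

// Effective permissions: the union of the permissions of every role the user
// holds, like a Unix user who is a member of several groups.
// Unknown users get an empty set, so every check below fails closed.
function effectivePermissions(username) {
  const result = new Set();
  for (const roleName of users.get(username) ?? []) {
    for (const permission of roles.get(roleName) ?? []) {
      result.add(permission);
    }
  }
  return result;
}

// The check the note recommends: ask for the permission, not the role.
// Renaming, splitting or merging roles later never touches a call site.
function hasPermission(username, permission) {
  return effectivePermissions(username).has(permission);
}

// Convenience wrapper named after the permission, like the note's canViewPage().
function canViewPage(username) {
  return hasPermission(username, "page:view");
}

// The check the note warns against. It answers a different question
// ("does this user hold this particular role?") and is wrong for dave,
// who received "page:view" through "Category Name Editor".
function isPageViewer(username) {
  return (users.get(username) ?? new Set()).has("Page Viewer");
}

// Usage: the two checks agree for bob and disagree for dave.
console.log("bob:  canViewPage =", canViewPage("bob"), "isPageViewer =", isPageViewer("bob"));
console.log("dave: canViewPage =", canViewPage("dave"), "isPageViewer =", isPageViewer("dave"));
```

The split between `effectivePermissions` and `hasPermission` is deliberate: the union is computed once per check from the role tables, so adding a permission to a role takes effect for every holder of that role without any per-user update, which is the property the note is after.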