RBAC, ABAC, Roles & Permissions

October 9, 2024 note-to-self

Roles vs Permissions

Attach permissions to roles and assign roles to users. Don't assign permissions directly to users.

  • Create a permission, like "can view page".
  • Assign that permission to a role, like "Page Viewer".
  • Assign that role to a user. A user can hold more than one role, for example "Page Viewer", "Category Name Editor" and "Email Sender".
  • Every permission attached to those roles is inherited by the user.

Like Unix group permissions: if the "wheel" group can access a file and I am in "wheel", I can access that file.

When you check authorization, DON'T check for the role; check for the permission.

No:

if (isPageViewer()) {
  // tied to one role name; breaks as soon as a second role should also see the page
}

Yes:

if (canViewPage()) {
  // works no matter which role (or roles) grants the permission
}
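A worked version of the whole note, added here as an example rather than code from the original: permissions attach to roles, roles attach to users, and the application asks "does this user hold the permission?" instead of "does this user hold the role?". All names in it (page:view, "Page Viewer", "Editor", alice, bob, carol) are constructed sample data, and the "Editor" role exists only to show why the permission check is the right one: it grants page viewing without being the "Page Viewer" role.

```javascript
// Added example, not from the original note. Minimal RBAC lookup:
// permissions attach to roles, roles attach to users, checks use permissions.
// Every identifier below is constructed sample data.

// Permission identifiers. Application checks reference these, never role names.
const PERMISSIONS = Object.freeze({
  VIEW_PAGE: "page:view",
  EDIT_CATEGORY_NAME: "category:edit-name",
  SEND_EMAIL: "email:send",
});

// Roles are named bundles of permissions.
const ROLES = {
  "Page Viewer": new Set([PERMISSIONS.VIEW_PAGE]),
  "Category Name Editor": new Set([PERMISSIONS.EDIT_CATEGORY_NAME]),
  "Email Sender": new Set([PERMISSIONS.SEND_EMAIL]),
  // A broader role that also includes page viewing (constructed for the example).
  "Editor": new Set([PERMISSIONS.VIEW_PAGE, PERMISSIONS.EDIT_CATEGORY_NAME]),
};

// Users hold roles only; permissions are never assigned directly to a user.
const USERS = {
  alice: { roles: ["Page Viewer", "Email Sender"] },
  bob:   { roles: ["Editor"] },
  carol: { roles: [] },
};

// Union of every permission the user inherits through all of their roles.
function effectivePermissions(username) {
  const user = USERS[username];
  if (!user) return new Set();          // unknown user: deny by default
  const perms = new Set();
  for (const roleName of user.roles) {
    const rolePerms = ROLES[roleName];
    if (!rolePerms) continue;           // dangling role reference grants nothing
    for (const p of rolePerms) perms.add(p);
  }
  return perms;
}

// The check application code should make.
function hasPermission(username, permission) {
  return effectivePermissions(username).has(permission);
}

// The check the note warns against: asking for a role name instead.
function hasRole(username, roleName) {
  const user = USERS[username];
  return Boolean(user && user.roles.includes(roleName));
}

// Wrapper matching the note's canViewPage(), with the user made explicit.
function canViewPage(username) {
  return hasPermission(username, PERMISSIONS.VIEW_PAGE);
}

// bob holds "Editor", which includes page:view: the permission check admits him,
// while a role check for "Page Viewer" wrongly turns him away.
console.log(canViewPage("bob"));            // true
console.log(hasRole("bob", "Page Viewer")); // false
```

Lookups fail closed: an unknown user or a role name with no entry in ROLES contributes no permissions, so a typo in a role assignment can only take access away, never grant it.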