Authorization Models
Authorization models: RBAC, ABAC, and ACL with practical examples.
1. Role-Based Access Control (RBAC)
Users are assigned roles, and roles have permissions.
Example Structure
1User: john@example.com
2Roles: [editor, moderator]
3
4Role: editor
5Permissions: [create_post, edit_post, delete_own_post]
6
7Role: moderator
8Permissions: [delete_any_post, ban_user]
Implementation Example
1# Check if user has permission
2def has_permission(user, permission):
3 for role in user.roles:
4 if permission in role.permissions:
5 return True
6 return False
7
8# Usage
9if has_permission(user, 'delete_post'):
10 delete_post(post_id)
Pros:
- Simple to understand and implement
- Easy to manage for most applications
- Clear separation of concerns
Cons:
- Role explosion in complex systems
- Inflexible for fine-grained control
- Difficult to handle context-specific permissions
Use Case: Most web applications, content management systems
2. Attribute-Based Access Control (ABAC)
Access decisions based on attributes of user, resource, and environment.
Policy Structure
1User Attributes + Resource Attributes + Environment → Policy Decision
Example Policy
1Allow if:
2 user.department == resource.department AND
3 user.clearance_level >= resource.classification AND
4 current_time.hour >= 9 AND current_time.hour <= 17
Detailed Example
User Attributes:
1{
2 "id": "user123",
3 "department": "engineering",
4 "clearance_level": 3,
5 "location": "US"
6}
Resource Attributes:
1{
2 "id": "doc456",
3 "department": "engineering",
4 "classification": 2,
5 "owner": "user123"
6}
Environment Attributes:
1{
2 "time": "14:30",
3 "ip_address": "192.168.1.100",
4 "device_type": "laptop"
5}
Policy:
1ALLOW document:read IF
2 user.department == document.department AND
3 user.clearance_level >= document.classification AND
4 time.hour >= 9 AND time.hour <= 17 AND
5 user.location == "US"
Implementation Example
1def evaluate_policy(user, resource, environment):
2 # Check department match
3 if user.department != resource.department:
4 return False
5
6 # Check clearance level
7 if user.clearance_level < resource.classification:
8 return False
9
10 # Check business hours
11 hour = environment.time.hour
12 if hour < 9 or hour > 17:
13 return False
14
15 # Check location
16 if user.location != "US":
17 return False
18
19 return True
Pros:
- Extremely flexible and fine-grained
- Context-aware decisions
- Scales to complex requirements
Cons:
- Complex to design and implement
- Harder to debug and audit
- Performance overhead for policy evaluation
Use Case: Healthcare, government, financial systems with complex compliance requirements
3. Access Control Lists (ACL)
Resource-centric model where each resource has a list of who can access it.
Structure
1Resource → List of (User/Group, Permissions)
Example
1Document ID: doc123
2ACL:
3 - user:john@example.com → [read, write]
4 - user:jane@example.com → [read]
5 - group:editors → [read, write, delete]
6 - group:viewers → [read]
File System Example
1/home/john/document.txt
2Owner: john (rwx)
3Group: staff (r-x)
4Others: (r--)
Implementation Example
1class ACL:
2 def __init__(self, resource_id):
3 self.resource_id = resource_id
4 self.entries = []
5
6 def add_entry(self, principal, permissions):
7 self.entries.append({
8 'principal': principal,
9 'permissions': permissions
10 })
11
12 def check_permission(self, user, permission):
13 for entry in self.entries:
14 if entry['principal'] == user:
15 return permission in entry['permissions']
16
17 # Check group membership
18 if entry['principal'].startswith('group:'):
19 group = entry['principal'].split(':')[1]
20 if group in user.groups:
21 return permission in entry['permissions']
22
23 return False
24
25# Usage
26acl = ACL('doc123')
27acl.add_entry('user:john@example.com', ['read', 'write'])
28acl.add_entry('group:editors', ['read', 'write', 'delete'])
29
30if acl.check_permission(user, 'write'):
31 update_document()
Pros:
- Resource-centric (clear ownership)
- Explicit permissions
- Good for file systems and documents
Cons:
- Doesn't scale to many resources
- Hard to manage centrally
- Difficult to audit across resources
Use Case: File systems, document management, cloud storage (S3, Google Drive)
Comparison
| Model | Granularity | Complexity | Scalability | Use Case |
|---|---|---|---|---|
| RBAC | Coarse | Low | Good | General web apps |
| ABAC | Fine | High | Excellent | Complex compliance |
| ACL | Fine | Medium | Poor | File systems, documents |
Hybrid Approaches
Most real-world systems combine multiple models:
RBAC + ACL
11. Check user role (RBAC)
22. If role allows, check resource ACL
33. Grant access only if both pass
Example: Google Drive
- Roles: Owner, Editor, Viewer (RBAC)
- Per-document sharing (ACL)
RBAC + ABAC
11. Base permissions from roles (RBAC)
22. Additional context checks (ABAC)
Example: Healthcare system
- Roles: Doctor, Nurse, Admin
- Context: Can only access patients in their department during shift hours
Best Practices
1. Principle of Least Privilege
Grant minimum permissions necessary for the task.
1❌ BAD: Give all users admin role
2✅ GOOD: Give specific permissions as needed
2. Separation of Duties
Critical operations require multiple people.
1Example: Financial transaction
2- User A: Initiates transaction
3- User B: Approves transaction
3. Regular Audits
Periodically review and revoke unnecessary permissions.
1# Audit script example
2def audit_permissions():
3 for user in all_users:
4 for permission in user.permissions:
5 if not permission.recently_used:
6 log_warning(f"{user} has unused permission: {permission}")
4. Default Deny
Deny access by default, explicitly grant permissions.
1def check_access(user, resource, action):
2 # Default: deny
3 if not has_explicit_permission(user, resource, action):
4 return False
5 return True
Related Snippets
- Authentication & Authorization Fundamentals
Core authentication and authorization concepts overview. This page provides a … - Authentication Methods
Comprehensive guide to authentication methods: sessions, JWT, OAuth 2.0, OIDC, … - Authentication Security Best Practices
Security best practices for authentication: password security, token storage, …