Authorization is essential for any system that has users. Authorization determines whether a user may perform an action upon a resource within the system. Below I summarize the existing authorization models, with the pros and cons of each.
Role Based Access Control (RBAC)
A user is associated with a set of roles. Each resource endpoint is associated with a set of roles. Upon receiving a request, check whether the user has one of the roles required for the endpoint; if so, authorize; otherwise deny.
Pros
- Easiest to administer
Cons
- Single domain support
- Roles are inflexible
Permission Based Access Control (PBAC)
A user is given a set of permissions. Each endpoint is associated with a permission. Upon receiving a request, check whether the user has the required permission; if so, authorize; otherwise deny.
Pros
- Endpoints are more concise
Cons
- Single domain support
- Too many permissions
Role Based Access Control with Permissions
Each role is associated with a set of permissions. A user is associated with a set of roles. Each endpoint is associated with a permission. Upon receiving a request, check whether the user has one of the roles that carries the required permission; if so, authorize; otherwise deny.
Pros
- Permissions are more flexible
- Reasonable to administer
Cons
- Only supports a single domain
- More lookups are required (user to roles, then role to permissions)
Role Based Access Control with Domains (Groups)
Each role assignment and each user is associated with a domain. Upon receiving a request, check whether the user has one of the required roles within the given domain; if so, authorize; otherwise deny.
Pros
- Support for domains/groups
- Possible to administer
Cons
- Roles are inflexible for endpoint assignment
- Poor multi-tenancy support
Role Based Access Control with Permissions and Domains
The two previous models combined: each role is associated with a set of permissions, each user holds roles within a domain, and each endpoint is associated with a permission. Upon receiving a request, check whether the user has, within the given domain, a role that carries the required permission; if so, authorize; otherwise deny.
Pros
- Support for domains/groups
- Possible to administer
Cons
- Poor multi-tenancy and cross-tenancy support
Attribute (Rule) Based Access Control (ABAC)
A set of comparison rules is defined over the request's subject, action and resource object, as well as their attributes. If the rules evaluate truthy, authorize; otherwise deny.
Pros
- Fully flexible. No real limitations
Cons
- Rules can get out of hand fast
- No authorization functionality provided by default
- Difficult to administer
- Comparison expressions have limits
- Evaluation time grows linearly with the number of rules
- Difficult to implement correctly (a rule that is too broad silently over-grants)
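To make the comparison concrete, here is an added example (not code from the original post) that implements a deny-by-default check for the "RBAC with permissions and domains" model next to a minimal ABAC rule engine. The tenants, users, roles and the shared report are constructed sample data, and the case where RBAC-with-domains denies a legitimate cross-tenant read while an ABAC rule can express it is the one the text above describes.

```python
# Added example (not from the original post): "RBAC with permissions and
# domains" beside a minimal ABAC rule engine, both deny-by-default, over
# constructed sample data. It shows the cross-tenant case the role model
# cannot express without a rule.
from dataclasses import dataclass, field

# Constructed policy: roles carry permissions; users hold roles per domain.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
}
USER_ROLES = {  # (user, domain) -> roles held in that domain only
    ("alice", "tenant-a"): {"editor"},
    ("bob", "tenant-b"): {"viewer"},
}
ENDPOINT_PERMISSION = {"GET /reports": "report:read", "PUT /reports": "report:write"}


def authorize_rbac(user: str, domain: str, endpoint: str) -> bool:
    """Allow only if a role the user holds *in this domain* carries the endpoint's permission."""
    needed = ENDPOINT_PERMISSION.get(endpoint)
    if needed is None:
        return False  # unknown endpoint: deny by default
    roles = USER_ROLES.get((user, domain), set())
    return any(needed in ROLE_PERMISSIONS.get(r, set()) for r in roles)


@dataclass
class Resource:
    domain: str
    owner: str
    shared_with: set = field(default_factory=set)


# ABAC: each rule is a predicate over (subject, action, resource).
# Any truthy rule grants; with no matching rule the request is denied.
RULES = [
    lambda subject, action, res: res.owner == subject,
    lambda subject, action, res: action == "read" and subject in res.shared_with,
]


def authorize_abac(subject: str, action: str, resource: Resource) -> bool:
    return any(rule(subject, action, resource) for rule in RULES)


if __name__ == "__main__":
    report = Resource(domain="tenant-a", owner="alice", shared_with={"bob"})
    print(authorize_rbac("alice", "tenant-a", "PUT /reports"))  # True
    print(authorize_rbac("bob", "tenant-a", "GET /reports"))    # False: no role in tenant-a
    print(authorize_abac("bob", "read", report))                # True: share expressed as a rule
```

Note that the ABAC grant comes from a rule over the resource's attributes, not from any role, which is exactly why the rule set has to be reviewed as carefully as a role table.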
Conclusion
Always select the most suitable authorization model for your application. As the list above shows, for complex systems that require multi-tenancy and/or cross-tenancy, ABAC quickly becomes the only viable option. In the next part, I will introduce an authorization system designed for multi-tenancy and cross-tenancy systems.