
I’m trying to clarify the difference between Role-based Access Control, Policy-based Access Control, and Access Control List when designing an authorization system.

I have two scenarios:


Scenario A

I have a permission table:

endpoint    user
/create     A
  • When user A calls /create, it works (HTTP 200).
  • When user B calls /create, it fails (HTTP 403).

The permission is directly tied to the user. Does this count as Policy-based Access Control or is it actually ACL?

If it is Policy-based, then what would be the definition of an ACL scenario? If it is ACL, how would Policy-based differ in practice?


Scenario B

I have two tables:

user-role

user    role
A       creator
B       reader

role-endpoint

role       endpoint
creator    /create
reader     /info
  • When A calls /create, look up user-role (A → creator), then role-endpoint (creator → /create), so A is allowed (200).
  • When B calls /create, B only has role reader, so gets denied (403).

Is this considered the classic RBAC?

1 Answer


Scenario A is just ACL. The permission table is the access control list.

Scenario B is RBAC, just as you suspected. As an exercise for you, think about extending your example for users belonging to more than one role, or roles granting access to more than one access point - for example, shouldn't each creator also have reader's permissions?

In a policy-based scenario, access control might be granted or denied by dynamic properties. For example, let's say user A can gain a score over time, or lose some of the score points (like the reputation score on the SE sites). Imagine a policy which says "/create works only for users with a score of more than 1000 points". That would be a typical PBAC scenario.

Note that an access control system can provide PBAC, ACL and RBAC simultaneously; this is not necessarily an "either-or" decision. In a system which grants certain permissions on policies (or roles, or both), there can always be a policy which says "after all other policies have been evaluated, grant additional access rights according to a specific permission table", for example.

  • This makes me curious – with a typical Windows / Active Directory ACL system, if users are added to "role" groups and those groups are then granted some access via ACLs, does that allow calling the system "RBAC"? Commented Sep 26 at 17:19
  • @user1686: Since I am not an expert on WinAD, I asked DeepSeek and Google Gemini "is windows active directory an rbac system". Both told me that AD provides the fundamental building blocks for implementing an RBAC, together with a long explanation which looked plausible to me. If you want a human expert's statement, try serverfault.com Commented Sep 26 at 18:26
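As an added illustration (not part of the question, the answer or the comments above), the following Python models the three schemes side by side using the data from the two scenarios: Scenario A's permission table as an ACL, Scenario B's two tables as RBAC extended with several roles per user and a hypothetical creator-inherits-reader hierarchy, the answer's score rule as a PBAC policy, and a combined evaluator that consults policies first and then lets the role and permission tables grant additional rights. The users, roles, endpoints and scores are constructed sample data; the role hierarchy, the policy interface and the 200/403 return codes are assumptions made for the example.

```python
"""Toy authorizer modelling ACL, RBAC and PBAC side by side.

Added example; the tables and scores below are constructed sample data,
not code from the original post.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- Scenario A: ACL. The permission table itself is the access control list:
# a set of (endpoint, user) pairs that are permitted. Anything absent is denied.
ACL: Set[Tuple[str, str]] = {("/create", "A")}


def acl_allows(user: str, endpoint: str) -> bool:
    return (endpoint, user) in ACL


# --- Scenario B: RBAC. user -> roles and role -> endpoints, extended as the
# answer suggests: a user may hold several roles, a role may cover several
# endpoints, and a role may inherit another (assumed here: creator includes reader).
USER_ROLES: Dict[str, Set[str]] = {"A": {"creator"}, "B": {"reader"}}
ROLE_ENDPOINTS: Dict[str, Set[str]] = {"creator": {"/create"}, "reader": {"/info"}}
ROLE_PARENTS: Dict[str, Set[str]] = {"creator": {"reader"}}  # hypothetical hierarchy


def effective_roles(user: str) -> Set[str]:
    """Roles held directly plus everything reachable through ROLE_PARENTS."""
    pending = list(USER_ROLES.get(user, set()))
    seen: Set[str] = set()
    while pending:
        role = pending.pop()
        if role not in seen:
            seen.add(role)
            pending.extend(ROLE_PARENTS.get(role, set()))
    return seen


def rbac_allows(user: str, endpoint: str) -> bool:
    return any(endpoint in ROLE_ENDPOINTS.get(r, set()) for r in effective_roles(user))


# --- PBAC. The decision depends on attributes evaluated at request time, not on
# a static mapping. A policy answers True (permit) or None (not applicable).
@dataclass
class Subject:
    name: str
    score: int = 0  # reputation-like score that rises and falls over time


Policy = Callable[[Subject, str], Optional[bool]]


def score_policy(subject: Subject, endpoint: str) -> Optional[bool]:
    """'/create works only for users with a score of more than 1000 points'."""
    if endpoint != "/create":
        return None
    return True if subject.score > 1000 else None


POLICIES: List[Policy] = [score_policy]


def pbac_allows(subject: Subject, endpoint: str) -> bool:
    # Pure PBAC: the request is permitted only if some policy permits it.
    return any(policy(subject, endpoint) for policy in POLICIES)


# --- All three at once, as the answer's last paragraph describes: policies are
# evaluated first, then roles and the permission table grant additional rights.
# If nothing permits the request, the result is 403 (deny by default).
def authorize(subject: Subject, endpoint: str) -> int:
    if pbac_allows(subject, endpoint):
        return 200
    if rbac_allows(subject.name, endpoint) or acl_allows(subject.name, endpoint):
        return 200
    return 403


if __name__ == "__main__":
    for who, ep in [(Subject("A"), "/create"), (Subject("B"), "/create"),
                    (Subject("B"), "/info"), (Subject("C", score=1500), "/create"),
                    (Subject("C", score=200), "/create")]:
        print(f"{who.name} (score {who.score}) -> {ep}: {authorize(who, ep)}")
```

Running the block shows the three different grounds for a 200: A reaches /create through the permission table and through the creator role, B reaches /info only through the reader role, and the otherwise unknown user C reaches /create only while its score is above 1000. The combining rule here is the simplest one (permit if any source permits, otherwise deny); production policy engines such as XACML-based ones also support explicit deny decisions and configurable combining algorithms such as deny-overrides, which is what you would want before letting a permission table add rights on top of policies.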
