Saturday, November 14, 2015

Why does RBAC have both roles and permissions?

I most frequently see role-based access controls (RBAC) that require permissions to take an action. Subjects are assigned roles that grant them permissions.

I've recently come across an authorization library that does not have separate concepts for permissions and roles. Subjects are still granted roles, but authorization checks are done directly on the role and there is no concept of a permission. I worry that this design has shortcomings since I see it so much less often. What problems might arise due to roles and permissions being combined in this manner? What things are more difficult in this system?
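To make the two designs in the question concrete, here is an added example (not code from the original post or from any particular authorization library): two toy in-memory RBAC engines. The first grants permissions through roles and checks permissions; the second has only roles and checks role membership directly. All user, role and permission names, and the policy table, are constructed for illustration.

```python
"""Added example: permission-based RBAC versus role-only RBAC.

Constructed names throughout; nothing here is a real product's API.
"""
from typing import Dict, Set


class PermissionRBAC:
    """Roles grant permissions; authorization checks name a permission."""

    def __init__(self, role_permissions: Dict[str, Set[str]]) -> None:
        # Copy the policy so callers can mutate it without side effects.
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, permissions: Set[str]) -> None:
        # A single data change; no check site in the application is touched.
        self.role_permissions[role] = set(permissions)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user: str) -> Set[str]:
        # Effective permissions are the union over the user's roles, so
        # "what can this user do?" is answerable from data alone.
        return set().union(*(self.role_permissions[r]
                             for r in self.user_roles.get(user, set())))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)


class RoleOnlyRBAC:
    """No permission concept; checks can only ask 'is user in role X?'."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def has_role(self, user: str, role: str) -> bool:
        return role in self.user_roles.get(user, set())


# Constructed policy for the permission-based design.
ROLE_PERMISSIONS = {
    "admin": {"post:delete", "post:edit", "user:ban"},
    "moderator": {"post:delete", "post:edit"},
    "member": {"post:edit"},
}

# Under the role-only design the same policy has nowhere to live except the
# application code: each protected action carries its own list of roles.
ROLES_THAT_MAY_DELETE = {"admin", "moderator"}


def delete_post_allowed_a(rbac: PermissionRBAC, user: str) -> bool:
    # Check site for the permission-based design.
    return rbac.can(user, "post:delete")


def delete_post_allowed_b(rbac: RoleOnlyRBAC, user: str,
                          allowed_roles: Set[str] = ROLES_THAT_MAY_DELETE) -> bool:
    # Check site for the role-only design; the role list is hard-coded here.
    return any(rbac.has_role(user, r) for r in allowed_roles)


def demo_new_role() -> dict:
    """Give a new role 'curator' the right to delete posts under both designs."""
    a = PermissionRBAC(ROLE_PERMISSIONS)
    b = RoleOnlyRBAC()

    # Design A: one policy edit, and the existing check already honours it.
    a.define_role("curator", {"post:delete"})
    a.assign("dana", "curator")

    # Design B: the role exists as soon as someone holds it, but every check
    # site still has its own hard-coded role list that must be edited.
    b.assign("dana", "curator")

    return {
        "a_allows": delete_post_allowed_a(a, "dana"),
        "b_allows_before_code_change": delete_post_allowed_b(b, "dana"),
        "b_allows_after_code_change": delete_post_allowed_b(
            b, "dana", ROLES_THAT_MAY_DELETE | {"curator"}),
        "a_effective_permissions": sorted(a.permissions_of("dana")),
    }


if __name__ == "__main__":
    print(demo_new_role())
```

Run the module and compare the two designs: adding the `curator` role is one data change under the permission-based engine, while the role-only engine denies the action until the hard-coded role list at the check site is edited, and it has no way to list what a given user is allowed to do without reading every such check site.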

No comments:
