Taken from Redwoodjs Role Based Access Control
Authentication is the act of validating that users are who they claim to be. Authorization is the process of giving the user permission to access a specific resource or function.
In even more simpler terms authentication is the process of verifying oneself, while authorization is the process of verifying what you have access to.
When thinking about security, it helps to think in terms of familiar examples.
Let's consider one from the physical world -- access to the various rooms of a π house -- and compare it to a digital example of a Blog.
Consider a π while you are away on vacation.
You are the owner and have given out π keys to your neighbor and a plumber that unlock the π πͺ door.
You've assigned them passcodes to turn off the π¨ alarm that identifies them as either a neighbor or plumber.
Your neighbor can enter the kitchen to get food to feed your πΈ and the your office to water your π΅ and also use the π½.
The plumber can access the basement to get at the pipes, use the π½, access the laundry or π΄ kitchen to fix the sink, but not your office.
Neither of them should be allowed into your π bedroom.
The owner knows who they claim to be and has given them keys.
The passcodes inform what access they have because it says if they are a neighbor or plumber.
If your π could enforce RBAC, it needs to know the rules.
| Role | Kitchen | Basement | Office | Bathroom | Laundry | Bedroom |
|---|---|---|---|---|---|---|
| Neighbor | β | β | β | |||
| Plumber | β | β | β | β | ||
| Owner | β | β | β | β | β |
In our Blog example anyone can view Posts (authenticated or not). They are public.
- Authors can write new Posts.
- Editors can update them.
- Publishers can write, review, edit and delete Posts.
- And admins can do it all (and more).
| Role | View | New | Edit | Delete | Manage Users |
|---|---|---|---|---|---|
| Author | β | β | |||
| Editor | β | β | |||
| Publisher | β | β | β | β | |
| Admin | β | β | β | β | β |