Authorisation is a crucial aspect of application security. It determines what permissions an authenticated user has, such as what data they can access and what actions they can perform. Here are some common authorisation techniques:
Role-Based Access Control (RBAC)
RBAC is a popular method where permissions are assigned to specific roles, and then users are assigned these roles. For example, an ‘admin’ role might have full access, while a ‘guest’ role might have limited access.
Discretionary Access Control (DAC)
In DAC, the owner of the resource decides who can access it. This is common in file systems where a user can set read, write, or execute permissions on their files for other users.
Mandatory Access Control (MAC)
MAC is often used in highly secure environments. It uses labels (or ‘security clearances’) for users and data. A user can access the data if their label matches or outranks the data’s label. Unlike DAC, the labels are set by the system’s policy, not by the resource owner, so an owner cannot loosen them.
Attribute-Based Access Control (ABAC)
ABAC, also known as policy-based access control, uses policies to evaluate a multitude of attributes, including user attributes, action attributes, and environment conditions, to decide on access.
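The four models above differ mainly in who holds the policy and what the decision is based on. The following added example (not code from the original article; every user, role, label and attribute value in it is constructed for illustration) puts a minimal version of each model side by side as a function that returns whether access is allowed, with deny-by-default in every case.

```python
"""RBAC, DAC, MAC and ABAC as four small, deny-by-default decision functions.

Added example, not code from the original article. Users, roles, labels and
attribute values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# --- RBAC: permissions are attached to roles; users are assigned roles -------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "guest": {"read"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"admin"}, "bob": {"editor"}, "carol": {"guest"}}


def rbac_allowed(user: str, action: str) -> bool:
    """An unknown user has no roles and an unknown role has no permissions."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- DAC: the resource owner decides who else may access it ------------------
@dataclass
class OwnedFile:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> granted modes

    def grant(self, requester: str, user: str, modes: Set[str]) -> None:
        # Only the owner may change the ACL; anyone else is rejected.
        if requester != self.owner:
            raise PermissionError(f"{requester} does not own this file")
        self.acl.setdefault(user, set()).update(modes)


def dac_allowed(f: OwnedFile, user: str, mode: str) -> bool:
    return user == f.owner or mode in f.acl.get(user, set())


# --- MAC: system-assigned labels; clearance must match or outrank the label --
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
USER_CLEARANCE = {"alice": "secret", "bob": "internal", "carol": "public"}


def mac_allowed(user: str, data_label: str) -> bool:
    clearance = USER_CLEARANCE.get(user)
    if clearance is None:  # no clearance on record: deny
        return False
    return LEVELS[clearance] >= LEVELS[data_label]


# --- ABAC: a policy evaluates subject, action, resource and environment ------
def abac_allowed(subject: dict, action: str, resource: dict, env: dict) -> bool:
    """Any matching rule grants access; with no matching rule the answer is deny."""
    rules = [
        # Staff may read records belonging to their own department.
        lambda s, a, r, e: a == "read" and s["department"] == r["department"],
        # Writes additionally require business hours (an environment attribute).
        lambda s, a, r, e: (a == "write" and s["department"] == r["department"]
                            and e["business_hours"]),
        # Anyone may read records classified as public.
        lambda s, a, r, e: a == "read" and r["classification"] == "public",
    ]
    return any(rule(subject, action, resource, env) for rule in rules)


if __name__ == "__main__":
    print("RBAC bob delete:", rbac_allowed("bob", "delete"))            # False
    shared = OwnedFile(owner="alice")
    shared.grant("alice", "bob", {"read"})
    print("DAC bob write:", dac_allowed(shared, "bob", "write"))         # False
    print("MAC bob confidential:", mac_allowed("bob", "confidential"))  # False
    hr_record = {"department": "hr", "classification": "internal"}
    print("ABAC off-hours write:", abac_allowed(
        {"department": "hr"}, "write", hr_record, {"business_hours": False}))  # False
```

Note the shape of each decision: RBAC and MAC consult tables the administrator controls, DAC consults an ACL the owner controls, and ABAC evaluates rules over attributes, which is why ABAC can express conditions (such as business hours) that the other three cannot without adding roles or labels.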
Token-Based Authorisation
Token-based authorisation, such as OAuth, involves the use of tokens as credentials. These tokens are issued by an authorisation server, and the application checks their validity (for example the signature, issuer and expiry) before acting on them.
Claims-Based Authorisation
In claims-based authorisation, the user’s identity is composed of a set of claims from a trusted issuer. Each claim represents a specific piece of data about the user, such as their name or email address.
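Token-based and claims-based authorisation fit together: the authorisation server issues a signed token carrying claims, the application verifies the token, and only then uses the claims inside it to decide access. The following added example (not code from the original article) shows both halves. The token format (a base64url JSON payload plus an HMAC-SHA256 tag), the shared key, the issuer name and the claim names are all constructed for illustration; a real deployment would use a standard token format from its authorisation server.

```python
"""Issue a signed claims token, verify it, and make claims-based decisions.

Added example, not code from the original article. The token format, shared
key, issuer and claim names are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: known to issuer and app
TRUSTED_ISSUER = "https://auth.example"             # assumption: the only issuer accepted


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SHARED_KEY, ttl: int = 300,
                now: Optional[float] = None) -> str:
    """What the authorisation server does: sign a set of claims with an expiry."""
    now = time.time() if now is None else now
    payload = dict(claims, iss=TRUSTED_ISSUER, iat=int(now), exp=int(now) + ttl)
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """What the application does: return the claims only if the token is valid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Check the tag in constant time before parsing anything from the body.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject tokens from other issuers and tokens past their expiry.
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def authorise(token: str, action: str, resource: str,
              now: Optional[float] = None) -> bool:
    """Claims-based decision: verified claims, not the raw token, drive the answer."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False
    # A user may read their own profile, identified by the email claim.
    if action == "read" and resource == f"/users/{claims.get('email')}":
        return True
    # The admin area requires an explicit role claim from the trusted issuer.
    if resource.startswith("/admin/") and claims.get("role") == "admin":
        return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token({"sub": "u-42", "email": "bob@example.com", "role": "user"}, now=t0)
    print(authorise(tok, "read", "/users/bob@example.com", now=t0 + 10))  # True
    print(authorise(tok, "read", "/admin/audit", now=t0 + 10))            # False
    print(authorise(tok, "read", "/users/bob@example.com", now=t0 + 600)) # False (expired)
```

The ordering inside verify_token is the point to keep: the signature is checked before the body is parsed, so a forged or edited claim set is rejected without ever being interpreted, and the issuer and expiry checks run before any claim is handed to the authorisation logic.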
Remember, no single technique is universally best. The right choice depends on the specific requirements and constraints of your application. Always consider the principle of least privilege, granting users only the access they need to perform their tasks. This minimises the potential damage from accidents or breaches.