Let’s start with the basic intuition: an access control system’s primary function is to ensure that only authorized users and teams can reach specific features and data.
There are several kinds of access control:
Let’s lay down some ground rules:
- each user can have multiple roles
- each user can have access to multiple resources
- a user can hold specific roles on one resource and different roles on another
Which brings us to an important question: who assigns a user's roles on a specific resource?
- is it the developer?
- is it an Admin?
- is
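The three ground rules above (many roles per user, many resources per user, roles scoped per resource) and the question of who assigns them, as an added example that is not from the original post. It assumes a constructed role-to-permission policy and treats role assignment itself as a guarded action requiring a "grant" permission on the same resource; that assumption is one possible answer to the question, not the page's.

```python
# Constructed sample policy: role -> permissions that role carries.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "grant"},
}


class ResourceRBAC:
    """Resource-scoped RBAC: roles are held per (user, resource), never globally."""

    def __init__(self):
        # {(user, resource): {role, ...}}
        self._assignments = {}

    def roles_for(self, user, resource):
        return set(self._assignments.get((user, resource), set()))

    def has_permission(self, user, resource, permission):
        # Deny by default: the permission must be carried by some role the
        # user holds on this particular resource, not on any other one.
        return any(permission in ROLE_PERMISSIONS.get(r, set())
                   for r in self.roles_for(user, resource))

    def grant(self, granter, user, resource, role):
        # Assumption: assigning a role is itself an access-controlled action;
        # the granter needs a role carrying "grant" on the same resource.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if not self.has_permission(granter, resource, "grant"):
            raise PermissionError(f"{granter} may not grant roles on {resource}")
        self._assignments.setdefault((user, resource), set()).add(role)

    def bootstrap_admin(self, user, resource):
        # Initial out-of-band assignment (e.g. the resource's creator).
        self._assignments.setdefault((user, resource), set()).add("admin")


def demo():
    rbac = ResourceRBAC()
    rbac.bootstrap_admin("alice", "project-A")
    rbac.grant("alice", "bob", "project-A", "editor")
    rbac.grant("alice", "bob", "project-A", "viewer")  # several roles on one resource
    results = {
        "bob_write_A": rbac.has_permission("bob", "project-A", "write"),
        "bob_write_B": rbac.has_permission("bob", "project-B", "write"),  # no carry-over
        "bob_grant_A": rbac.has_permission("bob", "project-A", "grant"),
    }
    try:
        rbac.grant("bob", "carol", "project-A", "viewer")
        results["bob_can_grant"] = True
    except PermissionError:
        results["bob_can_grant"] = False
    return results
```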
Consequences of an improper RBAC system
- data theft
- sensitive data leaked to unauthorized individuals
- legal repercussions