• Nikhila Jain

FAQ - Access Control Process - Permission Model

Updated: Mar 8

Access Control Processes are an integral part of today's digital world. With digitization and every small or big business making its online debut, it's necessary that the application access is made seamless for the users.

That's when an application is designed to follow the user, role, and permission model which defines privileges associated with a user.

What is an access control process?

A process that defines set rules for accessing the particular resource, governed by a fixed set of permissions, by a set of users is defined as a user, role, permission model.

What are the entities participating in an access control model?

There are three entities around which the access control model revolves:

  • User - An entity that has access to perform certain actions on desired data/resource.

  • Role - An entity that is a superset of the User and holds the details of set actions that can be performed.

  • Permission - An entity that defines actions.

How to implement an access control process for a multi-user application?

There are two ways through which a permission model can be architect, based on the requirements of the system, one of them is chosen.

  • Role-based access control (RBAC)

  • Attribute-based access control (ABAC)

What is role-based access control and how to model it?

Role-based access control, abbreviated as RBAC:

  • Restricts network access based on the roles and not individual users

  • Provides access rights only to the information an entity needs

  • A simple, manageable approach

  • Less prone to error than assigning permissions to an entity

In RBAC modeling:

  • Users are assigned to Roles

  • Permissions are authorized to Roles

Model: There are two ways in which RBAC can be implemented:

  • Core RBAC

  • Hierarchical RBAC

  • Core RBAC: This is the foundation of all RBAC implementations where:

  • N number of roles are created, each role has a defined set of permissions

  • Roles are mapped to users to define the access based on the permissions assigned to that role

  • The main entities in this model are:

  • User – an individual (identified by a unique UID) with access to a system

  • Role – a named job function (indicates the level of authority)

  • Permission – equivalent to access rights

  • Session – a mapping between a user and a set of roles to which the user is assigned in the context of a working time

  • Object – a system resource that requires permission to access

  • Operation – any action in the protected network

  • Users have assigned roles and in turn, based on the roles, they access resources.

  • Hierarchical RBAC: It determines the model mapping based on the organization hierarchy. Basically, the higher you are in the chain, the more access you will likely have.

  • The hierarchical RBAC ensures that the parent has all rights that are available with a child. For example: if a user is termed as an admin and can perform an action of creating entities then its parent says system admin will have rights to create entities and in addition to that will have more access say to delete entities.


  • Spring Security

  • Annotate each method with roles that can access the entity/method.

  • Access Control Lists (ACL)

  • To externalize the authorization, one can use “ACL” which will evaluate if the current role is listed in the list available for that entity.

  • OAuth - Open standard for access delegation used by third parties like

  • Amazon

  • Google

  • Facebook

  • Database Model - Creating entities and manage the permission model in the application. Tables that could be created-

  • Roles

  • Permissions

  • User Roles

  • Role Permissions

  • Users

What is an attribute-based access control and how to model it?

Attribute-based access control, abbreviated as ABAC:

  • Is a next-generation authorization model

  • Provides dynamic, context-aware, and risk-intelligent access control

  • Achieves:

  • Efficient regulatory compliance

  • Effective cloud services

  • Reduced time-to-market for new applications

  • A top-down approach to governance through transparency in policy enforcement

ABAC uses:

  • Attributes as building blocks in a structured language

  • Defines access control rules and describes access requests

  • Each attribute consists of a key-value pair such as “Role= SysAdmin”.

  • It defines:

  • Who

  • What

  • Where

  • Why

  • With what


ABAC can be implemented using XACML.

  • XACML is a policy language that is as expressive as a natural language.

  • For example: “An Admin wants to create an entity for a given context”. A sentence like this includes four grammatical building blocks:

  • Subject – Who demands access

  • Action – the user wants to perform

  • Resource – the object impacted due to action

  • Environment - in which the access request is made

  • Attribute evaluation then enables effective policy-based authorization.

  • Let’s consider this example:

  • A policy states that “All admins belonging to the department Human Resource (HR) should have read access to Recruitment reports within the London region”.

  • An access request evaluation based on the following attributes and attribute values should therefore return PERMIT:

  • Subject’s “department” = “HR”

  • Subject’s “region” = “London”

  • Action= “read”

  • Resource “type” = “Recruitment reports”

  • Resource “region” = “London”

  • The following diagram shows a basic XACML architecture that includes:

  • Policy Enforcement Point (PEP), which intercepts any requests in a normal program flow.

  • Policy Decision Point (PDP) grants access based on the policies associated with the PDP.

  • The PDP evaluates the XACML request created by the PEP and runs through the policies to make one of the four access decisions, namely:

  • PERMIT - approve

  • DENY - access denied

  • INDETERMINATE - error at the PDP

  • NOTAPPLICABLE - some attributes missing in the request or no policy match.

XACML Processing:

  • Amazon’s The Axiomatics Policy Server - Paid

  • JBOSSXACML - Open Source Library

  • Spring Security’s XACML using SpEL (Spring Expression Language)

Which model to choose while architecting user permission?

While ABAC provides a lot of complexity and governance at the elementary level, RBAC often is sufficient to model the access privileges for almost 80% of applications. Even if one uses ABAC, at its core ABAC needs the RBAC set up in place. Both of these are filters to model the access control, ABAC being the more complex of the two and requires more power, processing, and time. The access control processes must be managed and reviewed from time to time to meet organizational needs.