An Access Control List (ACL) is a matrix of users and permissions:
In the example above, alice has the permission to create a blog post (blog_post.create) while bob does not. All three (alice, bob, peter) can read blog posts.
Similarly, you can create a matrix of resources (e.g. blog articles) and each user's permissions (modify, ...) with regard to that resource:
ACLs are common in filesystems (chown) and in applications with few subjects.
- Fine-grained control that can be fine-tuned per identity and permission.
- Works really well in systems where each identity has a different set of permissions.
- As more identities and resources are added, the matrix grows larger and larger and becomes harder to maintain.
- If you have many identities that are allowed to do the same thing, choose a system like RBAC.
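The two matrices described above, as an added example that is not part of the original page or of the project's own code: a dense identity-by-permission ACL with default deny, the constructed blog_post example (alice/bob/peter), and one matrix per resource, whose cell count grows as identities x permissions x resources. The permission names and the per-resource grants are constructed for illustration.

```python
from typing import Dict, Iterable


class ACL:
    """A dense ACL matrix: rows are identities, columns are permissions,
    each cell is True (allowed) or False (denied). Unset cells deny."""

    def __init__(self, identities: Iterable[str], permissions: Iterable[str]) -> None:
        self.identities = list(identities)
        self.permissions = list(permissions)
        self._matrix: Dict[str, Dict[str, bool]] = {
            i: {p: False for p in self.permissions} for i in self.identities
        }

    def grant(self, identity: str, permission: str) -> None:
        # KeyError on an unknown identity/permission: the matrix has a fixed shape
        self._matrix[identity][permission] = True

    def revoke(self, identity: str, permission: str) -> None:
        self._matrix[identity][permission] = False

    def is_allowed(self, identity: str, permission: str) -> bool:
        # unknown identities or permissions fall through to deny
        return self._matrix.get(identity, {}).get(permission, False)

    def cell_count(self) -> int:
        return len(self.identities) * len(self.permissions)


def build_blog_acl() -> ACL:
    """Constructed from the page's example: all three read, only alice creates."""
    acl = ACL(["alice", "bob", "peter"], ["blog_post.create", "blog_post.read"])
    acl.grant("alice", "blog_post.create")
    for user in ("alice", "bob", "peter"):
        acl.grant(user, "blog_post.read")
    return acl


def build_per_resource_acls(resources: Iterable[str]) -> Dict[str, ACL]:
    """Second variant: one matrix per resource (e.g. per blog article).
    Every resource adds a full identities x permissions block to maintain."""
    acls: Dict[str, ACL] = {}
    for res in resources:
        acl = ACL(["alice", "bob", "peter"], ["read", "modify"])
        for user in ("alice", "bob", "peter"):
            acl.grant(user, "read")   # constructed: everyone may read every article
        acl.grant("alice", "modify")  # constructed: only alice may modify
        acls[res] = acl
    return acls


def total_cells(acls: Dict[str, ACL]) -> int:
    return sum(a.cell_count() for a in acls.values())
```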
Implementation status: Access Control Lists are currently not implemented but will be first-class citizens in the future.