An Access Control List (ACL) is a matrix of users and permissions:
In the example above, Alice has the permission to create a blog post
(blog_post.create) while Bob does not. All three (Alice, Bob, Peter) can read
Similarly, you could create a matrix of resources (e.g. blog articles) and each
user's permissions (
modify, etc.) with regard to
ACLs are common in applications with few subjects like filesystems (
- Fine-grained control that can be fine-tuned per identity and permission.
- Works really well in systems where each identity has a different set of permissions.
- As the number of identities and resources grows over time, the matrix becomes large and hard to maintain.
- If many identities have the same permissions, choose a system like RBAC.
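The matrix and its trade-offs described above, as an added example (not code from this page or the project, which does not implement ACLs yet). `blog_post.create` comes from the text; the `blog_post.read` name, Peter's row and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample matrix. "blog_post.create" is from the text above;
# "blog_post.read" and Peter's row are assumptions for illustration.
ACL = {
    "alice": {"blog_post.create", "blog_post.read"},
    "bob": {"blog_post.read"},
    "peter": {"blog_post.read"},
}


def is_allowed(acl, subject, permission):
    """Deny by default: unknown subjects and unlisted permissions get False."""
    return permission in acl.get(subject, frozenset())


def grant(acl, subject, permission):
    """Set one cell of the matrix for one identity."""
    acl.setdefault(subject, set()).add(permission)


def revoke(acl, subject, permission):
    """Clear one cell; revoking something never granted is a no-op."""
    acl.get(subject, set()).discard(permission)


def matrix_cells(acl):
    """Size of the full subject x permission matrix that has to be reviewed."""
    permissions = set().union(*acl.values())
    return len(acl) * len(permissions)


def shared_permission_sets(acl):
    """Group subjects with identical rows; groups of 2+ are role candidates."""
    groups = defaultdict(list)
    for subject, permissions in acl.items():
        groups[frozenset(permissions)].append(subject)
    return {perms: sorted(subs) for perms, subs in groups.items() if len(subs) > 1}


if __name__ == "__main__":
    print(is_allowed(ACL, "alice", "blog_post.create"))
    print(is_allowed(ACL, "bob", "blog_post.create"))
    print(matrix_cells(ACL))
    print(shared_permission_sets(ACL))
```

When `shared_permission_sets` returns large groups, the per-identity rows are duplicating each other, which is the situation where the list above points to RBAC.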
Implementation status: Access Control Lists are currently not implemented but will be first-class citizens in the future. To bump this in priority, please upvote this GitHub ticket.