Version: v0.5

Access Control Lists (ACL)

An Access Control List (ACL) is a matrix of users and permissions:

blog_post.createblog_post.deleteblog_post.modifyblog_post.read
Aliceyesyesyesyes
Bobnononoyes
Peteryesnoyesyes

In the example above, Alice has the permission to create a blog post (blog_post.create) while Bob does not. All three (Alice, Bob, Peter) can read blog posts.

Similarly, you could create a matrix of resources (e.g. blog articles) and each user's permissions (c for create, m for modify, etc) with regards to that resource:

blog_post.1blog_post.2blog_post.3blog_post.4
alicec,r,m,dc,r,m,dc,r,m,dc,r,m,d
bobrrrr
peterc,r,m,drc,r,m,dr

ACLs are common in applications with few subjects like filesystems (chmod / chown).

Benefits:

  • Fine-grained control that can be fine-tuned per identity and permission.
  • Works really well in systems where each identity has a different set of permissions.

Shortcomings:

  • As the number of identities and resources grows over time, the matrix becomes large and hard to maintain.
  • If many identities have the same permissions, choose a system like RBAC.

Implementation status: Access Control Lists are currently not implemented but will be first-class citizens in the future. To bump this in priority, please upvote this GitHub ticket.

Last updated on by hackerman