8
votes

I'm developing a generic user management system using role-based access control (RBAC) where I couldn't distinguish between the operations table and the permissions table (that is, after reading so many articles).

"A subject can have multiple roles. A role can have multiple subjects. A role can have many permissions. A permission can be assigned to many roles. An operation can be assigned many permissions. A permission can be assigned to many operations."

en.wikipedia.org/wiki/Role-based_access_control

Can anyone please give a simple example to distinguish between them?

3
I think this is a vague question as it depends on your underlying technology. Please clarify in what context you mean 'operations' and 'permissions' so you'll get more accurate answers - Boaz Rymland
This is written in en.wikipedia.org/wiki/Role-based_access_control: "A subject can have multiple roles. A role can have multiple subjects. A role can have many permissions. A permission can be assigned to many roles. An operation can be assigned many permissions. A permission can be assigned to many operations." - Gazaz
As implied in the first answer below, your context or, if you wish, the technology that you referred to, was based on the Wikipedia article :-). That's fine. Since you marked that answer as accepted, I'll leave it here. - Boaz Rymland

3 Answers

2
votes

The RBAC standard doesn't refer to operations, but only deals with users, roles, and permissions. I suppose that the operations you're referring to are part of the specific implementation you're using. They probably are the way resources are implemented in your solution.

A permission is what is needed to execute/access a resource. Permissions are assigned to roles, and resources require a set of permissions.

Let's take, for example, the case of a simple till management system. There are many users (the store's employees), and many roles, including cashier operator. That role gives the users one permission, "scan items". Such a permission is required by the operation item.scan(), and also by the operation item.cancel().

0
votes

Permission - An approval of a mode of access to a resource.
Resource - System object or operation that requires restricted access.

0
votes

In RBAC a permission is a mapping between objects and operations.

For example:

customer123 <--- this is an object

read, write, update, delete <--- these are operations

and these are the possible permissions:

customer123.read, customer123.write, customer123.update, customer123.delete

In RBAC, the permissions are then granted to roles. So one role might be:

Users

and have been granted customer123.read

and another role might be:

Admins

which has been granted permissions customer123.write, customer123.update

and so on
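Putting the first answer's till system and this answer's object/operation permissions into one small model makes the difference between the two tables concrete: the permission table is what `grant` fills (a permission is an object plus an operation, assigned to roles), while the operation table is what `require` fills (a guarded code path such as `item.scan()` lists the permissions it needs). This is an added example, not code from any of the answers; the `RBAC` class, its method names and the users alice, bob and carol are made up for illustration. The Admins role is granted only write and update, as in the answer, so carol is also given the Users role to show a user holding more than one role.

```python
"""Minimal RBAC model (added example, not from the original post).

Vocabulary follows the answers above:
  * a Permission approves one operation on one object ("customer123.read");
  * permissions are granted to roles, roles are assigned to users;
  * an operation (a code path such as item.scan()) *requires* a set of
    permissions, and a user must hold all of them through some role.
Unknown users, unknown roles and unregistered operations are denied.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Permission:
    obj: str        # the object/resource, e.g. "customer123" or "item"
    operation: str  # the mode of access, e.g. "read" or "scan"

    def __str__(self) -> str:
        return f"{self.obj}.{self.operation}"


class RBAC:
    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[Permission]] = {}  # permission table
        self.user_roles: Dict[str, Set[str]] = {}               # user-role assignment
        self.required: Dict[str, Set[Permission]] = {}          # operation table

    def grant(self, role: str, perm: Permission) -> None:
        """Assign a permission to a role (creates the role if needed)."""
        self.role_permissions.setdefault(role, set()).add(perm)

    def assign(self, user: str, role: str) -> None:
        """Give a user a role; refuse roles that were never defined."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def require(self, operation: str, *perms: Permission) -> None:
        """Record which permissions a guarded operation needs."""
        self.required.setdefault(operation, set()).update(perms)

    def permissions_of(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role the user holds."""
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def has_permission(self, user: str, obj: str, operation: str) -> bool:
        return Permission(obj, operation) in self.permissions_of(user)

    def authorize(self, user: str, operation: str) -> bool:
        """True only if the user holds every permission the operation requires."""
        needed = self.required.get(operation)
        if not needed:
            return False  # unregistered operation: fail closed
        return needed <= self.permissions_of(user)


def build_till_example() -> RBAC:
    """The first answer: one permission guards two operations."""
    rbac = RBAC()
    scan = Permission("item", "scan")
    rbac.grant("cashier", scan)
    rbac.require("item.scan", scan)    # item.scan() needs "scan items"
    rbac.require("item.cancel", scan)  # so does item.cancel()
    rbac.assign("alice", "cashier")    # alice is a constructed user
    return rbac


def build_customer_example() -> RBAC:
    """This answer: customer123.{read,write,update} granted to two roles."""
    rbac = RBAC()
    rbac.grant("Users", Permission("customer123", "read"))
    for op in ("write", "update"):
        rbac.grant("Admins", Permission("customer123", op))
    rbac.assign("bob", "Users")     # constructed users
    rbac.assign("carol", "Admins")
    rbac.assign("carol", "Users")   # a subject can have multiple roles
    return rbac


if __name__ == "__main__":
    till = build_till_example()
    print("alice item.cancel:", till.authorize("alice", "item.cancel"))
    shop = build_customer_example()
    print("bob permissions:", sorted(str(p) for p in shop.permissions_of("bob")))
```

The two deny paths in `authorize` are the part worth copying into a real system: a user nobody assigned a role to gets an empty permission set, and an operation that was never registered in the operation table is refused rather than passed through, so forgetting to wire up a new code path cannot silently open it.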