Authorization

The act of deciding whether or not a user is allowed to access a resource.

Now, let's delve into authorization. We'll use the RBAC model (role-based access control). As the name implies, in this model a user's permissions are defined by his role(s). For example, a user with the role admin may access any resource, whilst other users have a lower access clearance. There are other models that allow finer-grained permissions, such as ABAC (attribute-based access control), but they won't be the focus here.

Let's imagine that our system will have three roles: admin, manager and user. The admin can access any resource, the manager may manage products and categories, and the user may see his own data, place orders and pay for them. This is a summary, not an exhaustive list.

We can also imagine the following scenario: an admin account is created beforehand in a migration, with provisional login credentials that are handed over in confidence to the system's contractor. From this account, privileges can be granted to other users, such as making them a manager or even another admin. A regular user creates his account in the usual way and is given the role user by default.
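As an added example (not the tutorial's own code), here is a deny-by-default RBAC policy for the three roles above, including the "own data only" restriction on users and the admin-only role grant; the action names and the `User` shape are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Role(str, Enum):
    ADMIN = "admin"
    MANAGER = "manager"
    USER = "user"

@dataclass
class User:
    id: int
    roles: set = field(default_factory=lambda: {Role.USER})  # new accounts default to "user"

# action -> (roles allowed, whether the action is limited to the caller's own resources).
# Admin is not listed: it is handled as "may do anything" in is_allowed.
POLICY = {
    "product:manage":  ({Role.MANAGER}, False),
    "category:manage": ({Role.MANAGER}, False),
    "user:read":       ({Role.USER}, True),   # a user may only see his own data
    "order:create":    ({Role.USER}, False),
    "order:pay":       ({Role.USER}, True),   # a user may only pay his own orders
    "role:grant":      (set(), False),        # nobody but admin
}

def is_allowed(actor: User, action: str, resource_owner_id: Optional[int] = None) -> bool:
    """Deny by default: unknown actions, missing roles and unknown owners are all refused."""
    if Role.ADMIN in actor.roles:
        return True
    rule = POLICY.get(action)
    if rule is None:
        return False
    allowed_roles, own_only = rule
    if not (actor.roles & allowed_roles):
        return False
    if own_only:
        # Ownership must be proven by the caller; an absent owner id is treated as "not mine".
        return resource_owner_id is not None and resource_owner_id == actor.id
    return True

def grant_role(actor: User, target: User, role: Role) -> bool:
    """Only the admin (e.g. the migration-seeded account) may promote users to manager or admin."""
    if not is_allowed(actor, "role:grant"):
        return False
    target.roles.add(role)
    return True
```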

Let's then begin.
