Authorization is complex because every app has to invent its own authorization model. This post goes through the common authorization patterns, and how an authorization platform (such as the https://topaz.sh open source project or the https://www.aserto.com authorization service) can help you implement them. The simplest authorization pattern models a set of roles as properties of the user.

An example policy could be “Allow the operation if the user has the ‘admin’ or ‘editor’ roles, or the ‘create’ permission.”
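The policy above, as an added example in Python (not code from the post, from Topaz or from Aserto): roles and permissions are carried as properties of the user, and the decision function returns the reason alongside the verdict so that an allow can be audited. The `User` class and the sample users are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Roles and permissions stored as properties of the user (constructed model)."""
    id: str
    roles: frozenset = frozenset()
    permissions: frozenset = frozenset()


# Roles that are allowed to perform the operation outright.
ALLOWED_ROLES = frozenset({"admin", "editor"})


def authorize(user: User, operation: str) -> tuple[bool, str]:
    """Allow if the user has the 'admin' or 'editor' role, or the
    permission named after the operation (e.g. 'create').

    Returns (allowed, reason) so the reason can be logged with the decision.
    """
    matched_roles = ALLOWED_ROLES & user.roles
    if matched_roles:
        return True, f"role {sorted(matched_roles)[0]!r}"
    if operation in user.permissions:
        return True, f"permission {operation!r}"
    # Default deny: nothing matched, so the operation is refused.
    return False, "no matching role or permission"


# Constructed sample users.
ADMIN = User("alice", roles=frozenset({"admin"}))
CREATOR = User("bob", permissions=frozenset({"create"}))
VIEWER = User("carol", roles=frozenset({"viewer"}), permissions=frozenset({"read"}))


if __name__ == "__main__":
    for u in (ADMIN, CREATOR, VIEWER):
        ok, why = authorize(u, "create")
        print(f"{u.id}: {'allow' if ok else 'deny'} ({why})")
```

Note that the default is deny: a user with an unrelated role such as `viewer` and only a `read` permission is refused the `create` operation.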

The group object type has a “member” relation type, and the target for that relation can be any subject (user or group).
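Because the target of a `member` relation may itself be a group, membership has to be resolved transitively, and a defender should expect cycles (group A is a member of group B which is a member of group A) rather than let a check recurse forever. The following added example, which is not code from the post or from Topaz, represents relations as constructed `(object, relation, subject)` tuples and uses a `user:`/`group:` prefix convention that is an assumption of this example, not the platform's own format.

```python
# Constructed relation tuples: (object, relation, subject).
# The 'member' relation on a group may point at a user or at another group.
RELATIONS = [
    ("group:engineering", "member", "user:alice"),
    ("group:engineering", "member", "group:platform"),
    ("group:platform", "member", "user:bob"),
    ("group:platform", "member", "group:engineering"),  # deliberate cycle
    ("group:sales", "member", "user:carol"),
]


def members_of(group: str, relations, _seen=None) -> set:
    """Return every user that is a direct or transitive member of `group`.

    `_seen` tracks groups already expanded so that a membership cycle
    terminates instead of recursing without bound.
    """
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)

    users = set()
    for obj, rel, subj in relations:
        if obj != group or rel != "member":
            continue
        if subj.startswith("user:"):
            users.add(subj)
        elif subj.startswith("group:"):
            users |= members_of(subj, relations, _seen)
    return users


def is_member(user: str, group: str, relations) -> bool:
    """Membership check built on the transitive expansion above."""
    return user in members_of(group, relations)


if __name__ == "__main__":
    print(sorted(members_of("group:engineering", RELATIONS)))
    print(is_member("user:carol", "group:engineering", RELATIONS))
```

Expanding the full member set once and then testing membership is simple and correct for small graphs; a production authorizer would instead walk the graph from the user and stop at the first hit, but the cycle guard is needed in either direction.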
