Let’s imagine you have a blog with two users (Ana and Edouard), and want to manage specific actions like:
- authorize Edouard to add a new contributor to the blog
- authorize Ana to create, edit and delete her own blog post
- authorize Edouard to delete Ana’s blog post
What is a Role?
A role is a set of permissions hard coded in your application; you define the roles and their permissions yourself in code. When checking whether Edouard is able to delete Ana’s blog post, your application looks in your code at the role the current user has.
Access Control Lists are useful when you need to make an authorization decision based on a Role plus a domain object. Explicitly, they let you give specific permissions on a specific object to a specific user.
Ana is allowed to edit blog entries written by her only. To check this authorization, you need Ana’s Roles and the Post model she’s trying to edit.
So Edouard is allowed to delete all blog entries because he has the ROLE_ADMIN. The decision here is based only on a Role.
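The two kinds of decision described above, as an added Python example that is not part of the original post: a role-only check (Edouard deletes any post because of ROLE_ADMIN, and adds contributors) and an ACL check keyed on a specific object and user (Ana edits and deletes only the posts she wrote). The `Blog`, `Acl`, `User` and `Post` names, the action strings and the ROLE_AUTHOR role are assumptions made for the example; only ROLE_ADMIN comes from the text.

```python
from dataclasses import dataclass

# Roles are hard coded in the application: each role maps to the actions it
# allows regardless of which object is involved (assumed role/action names).
ROLE_PERMISSIONS = {
    "ROLE_ADMIN": {"post:delete", "contributor:add"},
    "ROLE_AUTHOR": {"post:create"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Post:
    id: int
    author: str


class Acl:
    """Object-level permissions: (object type, object id, user) -> permissions."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _key(obj, user):
        return (type(obj).__name__, obj.id, user.name)

    def grant(self, obj, user, *permissions):
        self._entries.setdefault(self._key(obj, user), set()).update(permissions)

    def allows(self, obj, user, permission):
        return permission in self._entries.get(self._key(obj, user), set())


class Blog:
    def __init__(self):
        self.acl = Acl()
        self.posts = {}
        self._next_id = 1

    def role_allows(self, user, action):
        # Role-only decision: no domain object is needed.
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

    def is_granted(self, user, action, post=None):
        # 1. Role check: e.g. ROLE_ADMIN may delete any post.
        if self.role_allows(user, action):
            return True
        # 2. ACL check: e.g. the author of this particular post may edit or delete it.
        if post is not None and self.acl.allows(post, user, action):
            return True
        return False

    def create_post(self, user):
        if not self.is_granted(user, "post:create"):
            raise PermissionError(f"{user.name} may not create posts")
        post = Post(self._next_id, user.name)
        self._next_id += 1
        self.posts[post.id] = post
        # Grant the author object-specific rights on her own post only.
        self.acl.grant(post, user, "post:edit", "post:delete")
        return post


def demo():
    # Constructed scenario from the text: Ana writes, Edouard administers.
    blog = Blog()
    ana = User("Ana", frozenset({"ROLE_AUTHOR"}))
    edouard = User("Edouard", frozenset({"ROLE_ADMIN"}))
    post = blog.create_post(ana)
    return {
        "edouard_adds_contributor": blog.is_granted(edouard, "contributor:add"),
        "ana_adds_contributor": blog.is_granted(ana, "contributor:add"),
        "ana_edits_own_post": blog.is_granted(ana, "post:edit", post),
        "ana_deletes_own_post": blog.is_granted(ana, "post:delete", post),
        "edouard_deletes_anas_post": blog.is_granted(edouard, "post:delete", post),
        "edouard_edits_anas_post": blog.is_granted(edouard, "post:edit", post),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

Note that the role check never looks at the post, while the ACL check cannot answer without one: that is the practical difference between the two mechanisms, and why an ACL entry must be written when the object is created.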