Overview#Permission is complex and ambiguous without a provided context.
Permission generally as merriam-webster provides, Permission is:Privilege and a Permission
Permission is a component of Authorization which has the following Three Components, two of which are required:
- The type of Privilege (Required)
- The Target Resource(s) (Required), to which the Permission is granted or revoked
- Privilege Action that may be performed on the Target Resource
- Lock or Un-lock
Permission Conflicts#Permission conflicts are common issues unless proper delimitation of permissions is defined. Conflicts arise when such methods of "nested" Permissions are involved. If Group "A" is permitted to access file "One" and Group "B" is denied access to file "One", then does a member of both group "A" and group "B" have Authorization to file "One"?
What is important is that these permissions are correlated and the resulting correlation is definitive. Further this correlation must be understood by all those who would grant membership to the groups.
Separation of Duty is a concept used to implicitly avoid Permission conflicts.
- Positive Permissions express what CAN be done
- Negative Permissions express what CANNOT be done.
Positive Permission#Access to the Target Resource is granted unless the Permission is denied.
Microsoft originally had a positive file Permission system. All users were implicitly granted access to all files unless explicitly denied by revoking permissions.
Negative Permission#Access to the Target Resource is denied unless the Permission is granted.
More Information#There might be more information for this subject on one of the following:
- Access Control
- Access Control List
- Authorization Policy
- Context Based Access Control
- Description of Attribute Usage For 2.16.840.1.1137188.8.131.52.1.2
- Digital Identity
- Glossary Of LDAP And Directory Terminology
- Java Authentication and Authorization Service
- Negative Permission
- OAuth 2.0
- OAuth 2.0 Tokens
- OAuth Scope Example
- Permissions to read Universal Password
- Positive Permission
- RBAC Defining Roles
- RBAC How are roles different from groups
- RBAC Session
- RBAC constraints
- Security Group
- Token Introspection Endpoint
- Web Blog_blogentry_020117_1