Tagged Access Control

Tagged access control is an approach to decoupling authorization logic from the data models used to represent users and resources. Because the authorization check only ever compares tags, both the user model and the resource model can change or grow over time without touching that logic.

Given a user, some actions, and a resource:

 o       <access>     ├── dir1
/|\                   |   └── file1
/ \      <modify>     └── file2

User      Actions     Resources

The user is granted the right to perform certain actions on resources carrying certain tags:

          access
 o  -----------------> tagX, tagY
/|\       modify
/ \ -----------------> tagY

User      Actions      Tags

The resource is marked with a tag:

.
├── dir1      ---------> tagX
|   └── file1 ---------> tagX
└── file2     ---------> tagY

Resource                 Tag

The user may perform an action on a resource if they have access to the resource's tag:
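The following is an added worked example of the whole scheme above (user grants per action, one tag per resource, and the check rule); it is not code from the original page. The user name `alice`, the `TaggedAccessControl` class and its method names are assumptions made for the example, and the grant and tag data are constructed to mirror the diagrams. Anything not explicitly granted or tagged is denied.

```python
"""Added worked example of tagged access control (not from the original page)."""
from dataclasses import dataclass, field


@dataclass
class TaggedAccessControl:
    # user -> {action -> set of tags on which the user may perform that action}
    grants: dict = field(default_factory=dict)
    # resource -> the single tag that marks it (one tag per resource, as on the page)
    resource_tags: dict = field(default_factory=dict)

    def grant(self, user, action, *tags):
        """Allow `user` to perform `action` on any resource marked with one of `tags`."""
        self.grants.setdefault(user, {}).setdefault(action, set()).update(tags)

    def tag(self, resource, tag):
        """Mark `resource` with `tag`; tagging again replaces the previous tag."""
        self.resource_tags[resource] = tag

    def check(self, user, action, resource):
        """The page's rule: allowed iff the user's grant for `action` includes the
        resource's tag. Unknown users or actions and untagged resources are denied."""
        tag = self.resource_tags.get(resource)
        if tag is None:
            return False
        return tag in self.grants.get(user, {}).get(action, set())

    def permitted_actions(self, user, resource):
        """Every action `user` may perform on `resource` (handy for display or audit)."""
        return sorted(a for a in self.grants.get(user, {}) if self.check(user, a, resource))


def build_example():
    """Constructed data reproducing the diagrams for a hypothetical user 'alice'."""
    ac = TaggedAccessControl()
    ac.grant("alice", "access", "tagX", "tagY")   # access ---> tagX, tagY
    ac.grant("alice", "modify", "tagY")           # modify ---> tagY
    ac.tag("dir1", "tagX")                        # dir1       ---> tagX
    ac.tag("dir1/file1", "tagX")                  # dir1/file1 ---> tagX
    ac.tag("file2", "tagY")                       # file2      ---> tagY
    return ac


if __name__ == "__main__":
    ac = build_example()
    for res in ("dir1", "dir1/file1", "file2", "untagged"):
        print(f"{res:12} {ac.permitted_actions('alice', res)}")
    # Decoupling in practice: a new resource joins the model simply by being tagged;
    # neither the user model nor the check logic changes.
    ac.tag("dir1/file3", "tagY")
    print("modify dir1/file3:", ac.check("alice", "modify", "dir1/file3"))
```

Note that `check` returns `False` for an untagged resource rather than treating it as public; an explicit "public" tag granted to everyone is the safer way to express that intent, because a forgotten tag then fails closed instead of open.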