Tagged access control is an approach to decoupling authorization logic from data models used to represent users and resources. This makes it trivially easy to support both changes and additions to user and resource data models over time.
Given a user, some actions, and a resource:
      o      <access>      ├── dir1
     /|\                   |   └── file1
     / \     <modify>      └── file2
    User     Actions       Resources
The user is granted access to perform certain actions for certain tags:
                 access
      o     -----------------> tagX, tagY
     /|\         modify
     / \    -----------------> tagY
    User         Actions       Tags
The user can access tagX and tagY, and can modify tagY.
The resource is marked with a tag:
    .
    ├── dir1       ---------> tagX
    |   └── file1  ---------> tagX
    └── file2      ---------> tagY
    Resource                  Tag
dir1 and file1 are both marked with tagX; file2 is marked with tagY.
The user may perform an action on a resource if they have access to the resource's tag:
The user can access dir1 and file1, and can both access and modify file2.
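The check described above, written out as an added example that is not part of the original page: user grants and resource tags are kept in two separate tables that never reference each other, and the decision is made only by comparing a resource's tag against the tags the user holds for that action. The user name `user1` and the resource `file3` are constructed for the example; the rest mirrors the page.

```python
# Constructed sample data mirroring the page's example.
# Grants: user -> action -> set of tags the user holds that action on.
USER_GRANTS = {
    "user1": {"access": {"tagX", "tagY"}, "modify": {"tagY"}},
}

# Tags: resource -> the single tag it is marked with.
RESOURCE_TAGS = {
    "dir1": "tagX",
    "dir1/file1": "tagX",
    "file2": "tagY",
}


def is_allowed(user, action, resource, grants=USER_GRANTS, tags=RESOURCE_TAGS):
    """Default-deny check: an unknown user, action or resource yields False.
    Otherwise the action is allowed iff the resource's tag is among the tags
    the user holds that action on."""
    tag = tags.get(resource)
    if tag is None:
        return False
    return tag in grants.get(user, {}).get(action, set())


def allowed_actions(user, resource, grants=USER_GRANTS, tags=RESOURCE_TAGS):
    """Every action the user may perform on the resource, in sorted order."""
    return sorted(
        action for action in grants.get(user, {})
        if is_allowed(user, action, resource, grants, tags)
    )


def with_resource(tags, resource, tag):
    """Return a new tag table with one more resource added. Because the
    policy lives on tags, no grant has to change for the new resource."""
    updated = dict(tags)
    updated[resource] = tag
    return updated


if __name__ == "__main__":
    for res in RESOURCE_TAGS:
        print(res, allowed_actions("user1", res))
```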