Tagged Access Control

December 13, 2016

Tagged access control is an approach to decoupling authorization logic from data models used to represent users and resources. This makes it trivially easy to support both changes and additions to user and resource data models over time.

Given a user, some actions, and a resource:

 O                    .
-+-      <access>     ├── dir1
 |                    |   └── file1
/ \      <modify>     └── file2

User      Actions     Resources

The user is granted access to perform certain actions for certain tags:

          access
 O  -----------------> tagX, tagY
-+-
 |        modify
/ \ -----------------> tagY

User      Actions      Tags

The resource is marked with a tag:

.
├── dir1      ---------> tagX
|   └── file1 ---------> tagX
└── file2     ---------> tagY

Resource                 Tag

The user may perform an action on a resource if they have access to the resource’s tag: