Supported Models
- ACL (Access Control List)
- ACL with superuser
- ACL without users: This is especially useful for systems that don't have authentication or user logins.
- ACL without resources: In some scenarios, the target is a type of resource instead of an individual resource. Permissions like "write-article" and "read-log" can be used. This doesn't control access to a specific article or log.
- RBAC (Role-Based Access Control)
- RBAC with resource roles: Both users and resources can have roles (or groups) at the same time.
- RBAC with domains/tenants: Users can have different sets of roles for different domains/tenants.
- ABAC (Attribute-Based Access Control): Syntax sugar like "resource.Owner" can be used to get the attribute for a resource.
- PBAC (Policy-Based Access Control): A flexible access control model that makes authorization decisions based on policies defined as rules, supporting dynamic and contextual authorization.
- BLP (Bell-LaPadula): A formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects.
- Biba (Biba Integrity Model): A computer security model that restricts information flow in a system to prevent unauthorized disclosure of classified information.
- LBAC (Lattice-Based Access Control): A formal access control model that combines confidentiality and integrity controls in a unified framework, implementing a lattice structure for granular access control decisions.
- UCON (Usage Control): A next-generation access control model that emphasizes continuous authorization, attribute mutability, and a unified framework of authorizations, obligations, and conditions.
- RESTful: Supports paths like "/res/*", "/res/:id", and HTTP methods like "GET", "POST", "PUT", "DELETE".
- IP Match: Supports IP address matching for network-based access control.
- Deny-override: Both allow and deny authorizations are supported, where deny overrides allow.
- Priority: The policy rules can be prioritized, similar to firewall rules.