Activity based Authorization Vs Role Based Authorization

Posted By : Md Imroz Alam | 16-May-2016

Hello Everyone,

***Role based Authorization***

Role-based authorization is also known as "group-of-users authorization": one role groups many users. We use roles as a grouping construct so that the same set of permissions can be assigned to many users at once.

Suppose there are four roles in an organization. The following table lists each role and its permissions for blog posts:

    ROLE          PERMISSION

a) Teamlead       (view, create, edit)
b) Employee       (view, create)
c) User           (view)
d) Admin          (view, create, edit, delete)

For example:

JOHN and Aderson have the role of TeamLead.
Sohan has the role of Employee.
Raj has the role of User.
Rocky and Kumar have the role of Admin.

 

With role-based authorization we first have to plan the permissions of every role, and the details of each role are maintained in the source code. If we want to change a role's permissions, we have to modify the source code; if we want to introduce a new role, again we have to modify the code.

When we check authorization with roles, we first look up the user's role, then fetch that role's permissions, and then check whether those permissions allow the requested action. Suppose Rocky should not have the delete permission while Kumar keeps all permissions (view, create, edit, delete). Both are Admin, so this kind of per-user exception is difficult to maintain with role-based authorization. We can switch to activity-based authorization instead.
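The role-based check as described above, written out as an added example (this is not the post's code): the role/permission table and the user/role assignment are hard-coded in source, and the Rocky exception shows why a per-user deviation forces a source change. Role names, permissions and user names come from the post's tables; the function names are assumptions of this example.

```javascript
// Added example (not the post's code): role-based authorization with the
// role -> permission table hard-coded in source, which is exactly the
// maintenance property the post describes. Role names, permissions and
// users come from the post's tables; function names are assumptions.
const ROLE_PERMISSIONS = {
  TeamLead: ['view', 'create', 'edit'],
  Employee: ['view', 'create'],
  User: ['view'],
  Admin: ['view', 'create', 'edit', 'delete'],
};

// User -> role assignment from the post's example (constructed data).
const USER_ROLES = {
  John: 'TeamLead',
  Aderson: 'TeamLead',
  Sohan: 'Employee',
  Raj: 'User',
  Rocky: 'Admin',
  Kumar: 'Admin',
};

// The role-based check: user -> role -> role's permissions -> action.
// Unknown users and unknown roles are denied by default.
function canPerform(user, action) {
  const role = USER_ROLES[user];
  if (role === undefined) return false;
  const permissions = ROLE_PERMISSIONS[role];
  if (permissions === undefined) return false;
  return permissions.includes(action);
}

// The post's problem case: Rocky and Kumar are both Admin, but Rocky must
// not delete. With pure role-based authorization every way to express that
// is a source-code change: a new role in ROLE_PERMISSIONS plus a new entry
// in USER_ROLES, or, worse, a per-user special case like the one below.
function canPerformWithException(user, action) {
  if (user === 'Rocky' && action === 'delete') return false;
  return canPerform(user, action);
}
```

Every change to who may do what (a new role, a changed permission set, a single user that deviates from their role) lands in `ROLE_PERMISSIONS`, `USER_ROLES` or `canPerformWithException`, i.e. in code that has to be redeployed.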

 

***Activity based authorization***

Action (activity) based authorization is also known as "user-based permission". In the scenario above, we maintain each user's actions (permissions) directly. In this technique, we first fetch the user's permission (action) details and then check whether they allow the particular action. Each permission has a unique code throughout the application. We store the permissions for each user in the database and update them as requirements change.

For example, in our code we extract the URL path as the "login" activity from the URL (localhost:3000/api/v1/login).

What if I forget to add a permission code (an activity such as login) to the database, or add it incorrectly (a spelling mistake such as logins instead of login)? Take a Node.js API with the URL http://localhost:3000/api/v1/login: in that case the system would deny the user that action, or respond with something like "404 Page not Found".
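The activity-based flow described above, as an added example that is not the post's or the project's own code: the activity code is derived from the request path, looked up in a per-user store (an in-memory Map standing in for the post's database), and the misspelled-code case is shown denying the user. The function names, the store layout, the `/api/v1/` prefix handling and the sample users are assumptions of this example.

```javascript
// Added example (not the post's code): activity-based authorization where
// every permission is a unique activity code stored per user. The Map below
// stands in for the post's database; function names, store layout and the
// sample users are assumptions of this example.

// Constructed per-user activity codes. Kumar's row carries the misspelling
// the post warns about ('logins' instead of 'login').
const userActivities = new Map([
  ['Rocky', new Set(['login', 'view', 'create', 'edit'])],
  ['Kumar', new Set(['logins', 'view', 'create', 'edit', 'delete'])],
]);

// Derive the activity code from the request path: the first segment after
// the API prefix, e.g. http://localhost:3000/api/v1/login -> 'login'.
// Accepts an absolute URL or a bare path such as req.originalUrl.
function activityFromUrl(rawUrl, prefix = '/api/v1/') {
  const { pathname } = new URL(rawUrl, 'http://localhost');
  if (!pathname.startsWith(prefix)) return null;
  const segment = pathname.slice(prefix.length).split('/')[0];
  return segment ? decodeURIComponent(segment).toLowerCase() : null;
}

// Look up the user's stored codes and check the one the URL names.
// Unknown route, unknown user and missing code all deny (deny by default),
// which is why a forgotten or misspelled code locks the user out.
function authorize(user, rawUrl) {
  const activity = activityFromUrl(rawUrl);
  if (activity === null) {
    return { allowed: false, status: 404, reason: 'no activity for this path' };
  }
  const codes = userActivities.get(user);
  if (codes === undefined || !codes.has(activity)) {
    return { allowed: false, status: 403, reason: `missing activity code '${activity}'` };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Changing a user's permissions is a data change, not a source change.
function grant(user, activity) {
  if (!userActivities.has(user)) userActivities.set(user, new Set());
  userActivities.get(user).add(activity);
  return userActivities.get(user).size;
}

function revoke(user, activity) {
  const codes = userActivities.get(user);
  return codes !== undefined && codes.delete(activity);
}

// Express-style middleware shape; req.user is assumed to be set by an
// earlier authentication step. Returns whether the request was let through.
function requireActivity(req, res, next) {
  const result = authorize(req.user, req.originalUrl);
  if (!result.allowed) {
    res.status(result.status).json({ error: result.reason });
    return false;
  }
  next();
  return true;
}
```

Kumar's misspelled `logins` row means `authorize('Kumar', '/api/v1/login')` is refused even though the intent was to allow it, which is the failure mode the post describes; because the store is data, the fix is a `grant('Kumar', 'login')` rather than a code change and redeploy.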

***Then the question comes to mind: which authorization technique should we use, and where?***

A role-based authorization system is good enough for simple, small and personal websites.

Activity-based authorization gives us flexibility by deferring the creation of roles until run time, and it doesn't require us to modify the source code just because the role/permission structure needs to change.

I hope this content will be helpful.

THANKS

 

About Author

Md Imroz Alam

Md. Imroz Alam is a bright web app developer with good knowledge of Java, J2SE, JSP, Servlet and JDBC. His hobbies are watching movies and playing carrom.
