Current CTO exploring entrepreneurship on the side; coach; mentor; instructor.
Dedicated to promoting digital literacy and ideological diversity in tech.
The primary difference between the two is where the permissions are assigned.
In ACL, the permissions are attached to the objects you are managing.
In RBAC, the permissions are attached to the users and the operations they perform.
In ACL, you would say that "this widget requires user level alpha to interact with".
In RBAC, you would say that "only users with user level alpha can create new widgets".
From a purely functional perspective, they're essentially the same.
(en.wikipedia.org/wiki/Access-contr...)
In most cases where you are working with a dynamic set of users (users register and are onboarded frequently), RBAC makes more sense, not because it's better, but because it's what most users are going to be used to experiencing.
Your example above does an excellent job of describing "roles", which is precisely what RBAC is designed for :)
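Worked example, added here and not part of the comment above: the two questions the comment contrasts ("may this user interact with this widget?" and "may this user create new widgets?") answered first with an ACL, where the entries hang off each widget object, and then with RBAC, where the entries hang off a role and users are mapped to roles. It also shows the onboarding point: giving a new user read access means editing every widget under the ACL, but a single role assignment under RBAC. The users, roles, widgets and the `Rbac` class are all invented for this example; both checks are deny-by-default.

```python
"""Added example (not from the original thread): ACL vs RBAC for the same
authorization questions. Users, roles and widget names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


# --- ACL: the permission is recorded on the object being managed ---
@dataclass
class Widget:
    name: str
    # principal -> operations that principal may perform on THIS widget
    acl: dict[str, set[str]] = field(default_factory=dict)


def acl_allows(widget: Widget, user: str, op: str) -> bool:
    """Deny by default: the user needs an explicit entry on the object."""
    return op in widget.acl.get(user, set())


def acl_onboard(widgets: list[Widget], user: str, ops: set[str]) -> int:
    """Giving a new user access under an ACL means editing every object.
    Returns how many objects had to be touched."""
    for w in widgets:
        w.acl.setdefault(user, set()).update(ops)
    return len(widgets)


# --- RBAC: the permission is recorded on a role; users are given roles ---
class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}  # role -> {(resource, op)}
        self.user_roles: dict[str, set[str]] = {}              # user -> {role}

    def grant(self, role: str, resource: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, op))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user: str, resource: str, op: str) -> bool:
        """Deny by default: some role held by the user must carry (resource, op)."""
        return any(
            (resource, op) in self.role_perms.get(role, set())
            for role in self.user_roles.get(user, set())
        )


def demo() -> dict[str, object]:
    # -- ACL side: two widgets, each carrying its own entries (constructed data) --
    widgets = [Widget("w1", {"alice": {"read", "write"}}),
               Widget("w2", {"alice": {"read"}})]
    acl_before = acl_allows(widgets[1], "bob", "read")    # no entry for bob yet
    touched = acl_onboard(widgets, "bob", {"read"})       # every widget edited
    acl_after = acl_allows(widgets[1], "bob", "read")

    # -- RBAC side: role "alpha" may create widgets, "viewer" may only read --
    rbac = Rbac()
    rbac.grant("alpha", "widget", "create")
    rbac.grant("alpha", "widget", "read")
    rbac.grant("viewer", "widget", "read")
    rbac.assign("alice", "alpha")
    rbac_before = rbac.allows("bob", "widget", "read")    # bob holds no role
    rbac.assign("bob", "viewer")                          # one assignment, no object edits
    rbac_after = rbac.allows("bob", "widget", "read")
    bob_create = rbac.allows("bob", "widget", "create")   # viewer cannot create
    alice_create = rbac.allows("alice", "widget", "create")

    return {
        "acl_before": acl_before, "acl_objects_touched": touched, "acl_after": acl_after,
        "rbac_before": rbac_before, "rbac_after": rbac_after,
        "bob_create": bob_create, "alice_create": alice_create,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both halves return the same kind of answer to the caller, which is the "functionally the same" point; what differs is the data you have to edit when a user joins or leaves, and that difference grows with the number of objects, not the number of users.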
Great explanation, thank you!!!