DEV Community

Sebastian Schürmanns
Sebastian Schürmanns

Posted on

Explain RBAC vs ACL Like I'm Five

HeyHo DEVs,

I want to implement a permission system for my small flat file cms Typemill and I am not super sure, if I should follow RBAC or ACL. What the heck is the difference? I want to create roles like this:

  • "reader" (public access),
  • "member" with auth and access to "member" content
  • "customer" with auth and access to "paid" content
  • "author" with auth and access to his own articles
  • "editor" with auth and access to all articles, but no rights like publishing
  • "publisher" with publishing rights.
  • "admin" with access to admin settings.

Everything with enough flexibility.

So what should I use?

Top comments (2)

brandinchiu profile image
Brandin Chiu

The primary difference between the two is where the permissions are assigned.

In ACL, the permissions are attached to the objects you are managing.
In RBAC, the permissions are attached to the users and the operations they perform.

In ACL, you would say that "this widget requires user level alpha to interact with".

In RBAC, you would say that "only users with user level alpha can create new widgets".

From a purely functional perspective, they're essentially the same.

In most cases where you are working with a dynamic set of users (users register and are onboarded frequently, RBAC makes more sense, not because it's better, but because it's what most users are going to be used to experiencing.

Your example above does an excellent job of describing "roles", which is precisely what RBAC is designed for :)

trendschau profile image
Sebastian Schürmanns

Great explanation, thank you!!!