I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach and when would you use them:
1. Scope-based access control using the oauth2Permissions section of my manifest, where I can add read and write permissions like so:

    {
      "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read access to MyApi",
      "id": "56d944c0-f3aa-4f80-9472-9c1414383abf",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application read access to MyApi on your behalf.",
      "userConsentDisplayName": "Read access to MyApi",
      "value": "read_my_api"
    },
    {
      "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Write access to MyApi",
      "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application write access to MyApi on your behalf.",
      "userConsentDisplayName": "Write access to MyApi",
      "value": "write_my_api"
    }
2. Role Based Access Control (RBAC) using the appRoles section of my manifest.

3. Using the groupMembershipClaims section of my manifest.

An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks.
Technical – assigned to users that perform technical tasks. Administrative – access for users that perform administrative tasks.
The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC ensures employees access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.
I think the most significant difference between scopes and roles/groups is who determines what the client is allowed to do.
Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do.
Role- or group-based access is typically used within an application to determine what a user can do.
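Added example (not code from the question or answer) of how an API can apply both checks the answer describes: the scp claim carries the oauth2Permissions scopes the client was granted (what the client may do), while the roles and groups claims come from appRoles and groupMembershipClaims (what the user may do). It also covers app-only tokens, which carry no scp claim and express application permissions in roles. The scope values are the question's; the role names, group id and operation names are assumptions, and the token is assumed to be already signature-validated.

```python
# Added example: authorization decision for an API protected by Azure AD.
# Assumes the JWT was already validated (signature, issuer, audience, expiry)
# by a library such as PyJWT or MSAL; only the decoded claims are used here.
# Scope values come from the question's manifest; role/group names are assumed.

REQUIRED_SCOPE = {                       # delegated scope needed per operation
    "GET /items": "read_my_api",
    "POST /items": "write_my_api",
}
ROLE_ALLOWED = {                         # assumed appRoles "value"s per operation
    "GET /items": {"Reader", "Writer", "Admin"},
    "POST /items": {"Writer", "Admin"},
}
ADMIN_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder


def authorize(claims: dict, operation: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a verified token's claims and an operation."""
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        return False, "unknown operation"
    roles = set(claims.get("roles", []))
    groups = set(claims.get("groups", []))
    if ADMIN_GROUP_ID in groups:         # groupMembershipClaims: map a group to a role
        roles.add("Admin")

    scp = claims.get("scp")
    if scp is not None:
        # Delegated token: the client acts on behalf of a signed-in user.
        # Check 1 (scopes): what the CLIENT was granted at consent time.
        if needed not in scp.split():
            return False, f"client lacks scope {needed}"
        # Check 2 (roles/groups): what the USER is allowed to do in the app.
        if not roles & ROLE_ALLOWED[operation]:
            return False, "user lacks a role for this operation"
        return True, "delegated: scope and user role satisfied"

    # App-only token (client credentials): no user, so no scp claim.
    # Here the roles claim carries application permissions granted to the client.
    if not roles & ROLE_ALLOWED[operation]:
        return False, "application lacks a role for this operation"
    return True, "app-only: application role satisfied"


if __name__ == "__main__":
    # Constructed sample claim sets, already verified upstream.
    print(authorize({"scp": "read_my_api write_my_api", "roles": ["Writer"]}, "POST /items"))
    print(authorize({"scp": "read_my_api", "roles": ["Writer"]}, "POST /items"))
    print(authorize({"scp": "write_my_api", "roles": ["Reader"]}, "POST /items"))
    print(authorize({"roles": ["Writer"]}, "POST /items"))
```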