This article is the first in a deep-dive exploration of authorization/access control systems, which can be used to constrain the actions that the users of web applications can perform. In this post we introduce the problem and we take a look at simple, role-based systems that assign roles to users. We then study some situations in which role-based authorization lacks expressive power, such as users who should only have access to a subset of the data, and we review other solutions that also ta...
