
How it works

To understand the philosophy behind Pallad's Access Control, a few terms need explaining first.

Access Query - an object carrying the properties that describe the context the access control engine decides on:

  • principal - represents who is performing the action. That could be a logged-in user, an anonymous user (not logged in), an external integration or any other principal your system defines.
  • action - the action being performed, expressed as a string, such as update, create, delete or activate.
  • subject - the target the action is performed on. That could be an article, an organization, a product or any other type of entity your system defines.

Policy - a function that receives an access query and returns its vote on it. A policy might:

  • abstain from voting by returning undefined
  • allow access by returning true
  • deny access by returning false

Access Control - holds a set of policies and asks each of them to vote on an access query.

The final decision is made according to the following rules:

  • if all policies abstain from voting, the final decision is deny (deny by default)
  • if any policy denies access, the final decision is deny, regardless of any allow votes
  • if at least one policy allows access and no policy denies it, the final decision is allow
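The following is an added example written for this page, not Pallad's own code or API: it implements the access query, policy and decision rules described above as a small stand-alone engine so the voting semantics can be tried out. The interfaces, the sample policies (admin role, owner check, read-only anonymous principals, a "locked" subject attribute) and the sample data are all assumptions made for the example.

```typescript
// Added example: a minimal engine implementing the voting rules described
// on this page. Illustrative code only, not Pallad's API; every name,
// attribute and the sample data below are assumptions.

interface Principal {
  type: "user" | "anonymous" | "integration"; // who is acting (assumed values)
  id?: number;
  roles?: string[];
}

interface Subject {
  type: string;     // e.g. "article"
  id: number;
  ownerId?: number; // assumed attribute used by the owner policy
  locked?: boolean; // assumed attribute used by the locked-subject policy
}

interface AccessQuery {
  principal: Principal;
  action: string;
  subject: Subject;
}

// A vote: undefined = abstain, true = allow, false = deny
type Vote = boolean | undefined;
type Policy = (query: AccessQuery) => Vote;

// Applies the three decision rules from the page:
// any deny wins; otherwise at least one allow is needed; all abstain => deny.
function decide(policies: Policy[], query: AccessQuery): boolean {
  const votes = policies.map((policy) => policy(query));
  if (votes.some((v) => v === false)) return false; // rule 2: any deny -> deny
  return votes.some((v) => v === true);             // rule 3 allow, rule 1 deny by default
}

// Sample policies (constructed for this example)
const anonymousReadOnly: Policy = (q) =>
  q.principal.type === "anonymous" && q.action !== "read" ? false : undefined;

const adminCanDoAnything: Policy = (q) =>
  q.principal.roles?.includes("admin") ? true : undefined;

const ownerCanEdit: Policy = (q) =>
  q.subject.ownerId !== undefined &&
  q.subject.ownerId === q.principal.id &&
  ["update", "delete"].includes(q.action)
    ? true
    : undefined;

const lockedSubjectsAreReadOnly: Policy = (q) =>
  q.subject.locked && q.action !== "read" ? false : undefined;

// The "Access Control": the set of policies consulted for every query
const accessControl: Policy[] = [
  anonymousReadOnly,
  adminCanDoAnything,
  ownerCanEdit,
  lockedSubjectsAreReadOnly,
];

// Convenience wrapper: build the access query and decide on it
function can(principal: Principal, action: string, subject: Subject): boolean {
  return decide(accessControl, { principal, action, subject });
}

// Constructed sample data
const john: Principal = { type: "user", id: 1 };
const admin: Principal = { type: "user", id: 2, roles: ["admin"] };
const anonymous: Principal = { type: "anonymous" };
const johnsArticle: Subject = { type: "article", id: 1, ownerId: 1 };
const lockedArticle: Subject = { type: "article", id: 2, ownerId: 1, locked: true };

// Scenarios illustrating each rule:
//   can(john, "update", johnsArticle)   -> owner policy allows, nobody denies: allow
//   can(anonymous, "read", johnsArticle) -> every policy abstains: deny by default
//   can(admin, "update", lockedArticle)  -> admin allows but locked policy denies: deny
```

Note that the third scenario is the important one for a practitioner: an allow vote never outranks a deny vote, so a "superuser" policy cannot override a restriction expressed as a deny; if that is the intended behaviour, the restricting policy has to abstain for that principal instead.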

The entire philosophy could also be described in one picture (diagram not reproduced here): an Access Query (principal: user john, subject: article 1, action: edit) is handed to Access Control, which asks Policy 1, Policy 2 and Policy 3 to vote on the query; each policy returns its vote (abstain, allow or deny); Access Control then decides based on the votes: all policies abstained or at least one denied gives Deny, at least one allowed and none denied gives Allow.