Group-Role Based Access Control
Group-Role Based Access Control is access control for actions. It is an extension of Role Based Access Control in which roles are applied not directly to users but to groups. Users are then assigned to groups.
This approach gives far more versatile access control, as each role can have one of the following values:
- Allowed - access is allowed, but only if not denied by another group
- No access - access is not allowed, but not explicitly denied
- Denied - access is denied despite other rules
Merging permissions from several groups results in access being allowed if any of the groups allows it and none of the groups denies the action. If no access is set in any group, access will not be granted.
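The merge rule described above, as an added example that is not part of the original page. The group names, role names and the choice to treat an unlisted role or undefined group as No access are assumptions made for illustration.

```python
from enum import Enum
from itertools import product


class Access(Enum):
    ALLOWED = "Allowed"
    NO_ACCESS = "No access"
    DENIED = "Denied"


def merge(values):
    """Merge one role's values from several groups into a single outcome."""
    values = list(values)
    if Access.DENIED in values:      # Denied wins despite other rules
        return Access.DENIED
    if Access.ALLOWED in values:     # Allowed, and no group denied
        return Access.ALLOWED
    return Access.NO_ACCESS          # nothing allowed: access is not granted


def is_granted(user_groups, group_roles, role):
    """True only if the merged value of `role` over the user's groups is Allowed.

    Assumption: a role a group does not list, or a group name that is not
    defined, contributes No access, so the check fails closed.
    """
    values = [group_roles.get(g, {}).get(role, Access.NO_ACCESS) for g in user_groups]
    return merge(values) is Access.ALLOWED


def pairwise_outcomes():
    """Every combination of two groups' values for one role, merged."""
    return {(a, b): merge([a, b]) for a, b in product(Access, repeat=2)}


# Constructed sample data: group and role names are hypothetical.
GROUP_ROLES = {
    "editors": {"article.edit": Access.ALLOWED, "article.delete": Access.NO_ACCESS},
    "moderators": {"article.delete": Access.ALLOWED},
    "probation": {"article.delete": Access.DENIED},
}

if __name__ == "__main__":
    print(is_granted(["editors", "moderators"], GROUP_ROLES, "article.delete"))
    print(is_granted(["editors", "moderators", "probation"], GROUP_ROLES, "article.delete"))
    for (a, b), out in pairwise_outcomes().items():
        print(f"{a.value:9} + {b.value:9} -> {out.value}")
```

Adding a user to a group that sets Denied removes the access granted by every other group, which makes such a group a practical way to revoke an action without editing the groups that allow it.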
Roles Evaluation Matrix of two groups: