
Terminology

Principal

The data that uniquely identifies an actor (who the actor is) is known as a principal. A principal is made up of attributes, and those attributes are what a policy uses to decide whether access should be granted to that actor.

{
  "id": "abc123",
  "email": "[email protected]",
  "favourite_colour": "brown",
  "roles": ["vip"]
}

Resource

A resource is a data model of a domain object. It can take any structure that a policy can understand (see Policies).

// A book
{
  "title": "Lord of the Rings"
}

// A pet
{
  "species": "Cat",
  "name": "Catsby"
}

Policy

A policy is a ruleset describing whether a principal is ALLOWED or DENIED access to a given resource (noun) for a given action (verb). For example:

A person is allowed to checkout a library book if they are a student
A student is allowed to checkout a book if the student's course is the same as the book's course
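The two example rules above, evaluated over a principal and a resource, as an added illustration that is not the page's own policy engine. The "course" attribute on both principal and resource, the ALLOW/DENY precedence and the deny-by-default behaviour are assumptions made for this example.

```python
from typing import Any, Callable

Principal = dict[str, Any]
Resource = dict[str, Any]
Condition = Callable[[Principal, Resource], bool]

def rule(action: str, effect: str, condition: Condition) -> dict[str, Any]:
    """One policy rule: the action (verb) it governs, the effect it yields
    (ALLOW or DENY) and a condition over (principal, resource)."""
    return {"action": action, "effect": effect, "condition": condition}

def is_student(p: Principal, r: Resource) -> bool:
    return "student" in p.get("roles", [])

def same_course(p: Principal, r: Resource) -> bool:
    # Guard against missing attributes: two absent "course" values must not
    # compare equal, or a principal with no course could check out any book.
    return (is_student(p, r)
            and p.get("course") is not None
            and p.get("course") == r.get("course"))

# The two example rules from the text, as two separate policies.
# "course" on principal and resource is an assumed attribute name.
ANY_STUDENT_POLICY = [rule("checkout", "ALLOW", is_student)]
SAME_COURSE_POLICY = [rule("checkout", "ALLOW", same_course)]

def evaluate(policy: list[dict[str, Any]], principal: Principal,
             resource: Resource, action: str) -> str:
    """Return "ALLOW" or "DENY" for principal performing action on resource.
    Deny by default: no matching rule means no access. An explicit DENY rule
    wins over any ALLOW (an assumed convention; the text does not specify it)."""
    decision = "DENY"
    for r in policy:
        if r["action"] != action or not r["condition"](principal, resource):
            continue
        if r["effect"] == "DENY":
            return "DENY"
        decision = "ALLOW"
    return decision

# Constructed sample principal and resource, in the shapes shown above.
STUDENT = {"id": "abc123", "roles": ["student"], "course": "CS101"}
BOOK = {"title": "Lord of the Rings", "course": "CS101"}

if __name__ == "__main__":
    print(evaluate(SAME_COURSE_POLICY, STUDENT, BOOK, "checkout"))  # ALLOW
```

Note that a rule comparing attributes must treat a missing attribute as a failed match; otherwise an incomplete principal or resource silently satisfies the equality check.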