
I have been reading about ACL and it is quite interesting, but I am not sure if ACL is the right tool for my new backend system.

I want to restrict certain features from User Groups and Roles, for example:

  • "Processing" group can see a category dropdown but it will be hidden from a "Sale" team.

  • "Processing" group can see a few options in a category dropdown. Admin group can see everything.

  • If I add a new group called "Training" - I would like a "Training" team to have access to a category dropdown.

Is ACL the right tool for this? If so, how can it be done?

user1246800

2 Answers


Access control list - list of permissions attached to an object. It specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. - wiki

So it fits your problem exactly.

Create actions and users, and then just set actions for the users. Or create groups, set the actions for each group, and then put the users into a specific group.

tttpapi

ACL - access control lists - is a good starting point, but you probably want to look at more advanced authorization models, for instance role-based access control and, later, attribute-based access control. NIST has defined these two models extremely well:

RBAC and ABAC will scale better than just ACLs.

David Brossard
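The group-based setup described in the answers above, applied to the category dropdown from the question, as an added example (not code from the question or either answer). The group names come from the question; the `GroupAcl` class, the category values and the `"*"` wildcard are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALL = "*"  # wildcard grant: every option of the resource
CATEGORIES = ["Orders", "Returns", "Refunds", "Payroll"]  # constructed sample data


@dataclass
class GroupAcl:
    """group -> resource -> allowed options; anything not granted is denied."""
    grants: dict = field(default_factory=dict)

    def allow(self, group, resource, options):
        self.grants.setdefault(group, {}).setdefault(resource, set()).update(options)

    def allowed_options(self, user_groups, resource, available):
        """Options the user may see: the union of grants from all their groups."""
        granted = set()
        for group in user_groups:
            granted |= self.grants.get(group, {}).get(resource, set())
        if ALL in granted:
            return list(available)
        return [opt for opt in available if opt in granted]

    def can_see(self, user_groups, resource, available):
        """The dropdown is rendered only if at least one option is visible."""
        return bool(self.allowed_options(user_groups, resource, available))

    def check_submitted(self, user_groups, resource, available, value):
        """Re-check on the server when the form comes back; hiding a field is not enforcement."""
        return value in self.allowed_options(user_groups, resource, available)


def build_acl():
    acl = GroupAcl()
    acl.allow("Admin", "category", {ALL})
    acl.allow("Processing", "category", {"Orders", "Returns"})
    # "Sale" gets no grant at all, so the dropdown stays hidden for that team.
    return acl


if __name__ == "__main__":
    acl = build_acl()
    acl.allow("Training", "category", {"Orders"})  # new group: one grant, no code change
    for groups in (["Admin"], ["Processing"], ["Sale"], ["Training"]):
        print(groups, acl.allowed_options(groups, "category", CATEGORIES))
```

Because access is denied unless a grant exists, a newly created group sees nothing until it is explicitly given options, and `check_submitted` applies the same rule to values posted back to the backend.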