Skip to content

Account Authorization and Fine-Grained Authorization

In an identity management system, authentication answers "who are you", while authorization answers "what can you do". BambooCloud IDaaS provides two authorization capabilities: account authorization and fine-grained authorization.

What is Account Authorization

Account authorization describes the binding relationship between an IDaaS user and an application account.

Core Concept

An IDaaS user can have multiple application accounts in different application systems, forming a 1:N relationship:

IDaaS user (Zhang San)
    ├── App A account: zhangsan@a.com
    ├── App B account: zs001
    └── App C account: 13800138000

Authorization Action and Effect

DimensionDescription
Authorization actionAdministrator assigns a user permission to access an application
Authorization effectThe user accesses the target application with the specified account

Account authorization solves the problem of "which applications a user can access" and is the basis of application-level permission management.

What is Fine-Grained Authorization

Fine-grained authorization (also known as data-scope authorization) is a further refinement based on account authorization. It solves the problem: within the same application, different users can see and operate different data scopes.

Typical Scenarios

ScenarioDescription
Regional isolationNorth China sales can only view North China customer data; East China sales can only view East China customer data
Rank isolationOrdinary employees can only view their own data; department managers can view all department data; executives can view company-wide data
Project isolationProject members can only access data of their own projects; project managers can view across projects

Differences from Account Authorization

ComparisonAccount AuthorizationFine-Grained Authorization
Control granularityApplication levelIn-app data level
Problem solvedWhether the app can be accessedWhich data can be operated in the app
Configuration methodBind user and application accountConfigure data filtering rules

Fine-grained authorization usually requires the application side to cooperate in implementing data filtering; IDaaS is responsible for passing the user's permission scope information to the application through tokens or assertions.

BambooCloud IDaaS Open Platform