Account Authorization and Fine-Grained Authorization
In an identity management system, authentication answers "who are you", while authorization answers "what can you do". BambooCloud IDaaS provides two authorization capabilities: account authorization and fine-grained authorization.
What is Account Authorization
Account authorization describes the binding relationship between an IDaaS user and an application account.
Core Concept
An IDaaS user can have multiple application accounts in different application systems, forming a 1:N relationship:
IDaaS user (Zhang San)
├── App A account: zhangsan@a.com
├── App B account: zs001
└── App C account: 13800138000Authorization Action and Effect
| Dimension | Description |
|---|---|
| Authorization action | Administrator assigns a user permission to access an application |
| Authorization effect | The user accesses the target application with the specified account |
Account authorization solves the problem of "which applications a user can access" and is the basis of application-level permission management.
What is Fine-Grained Authorization
Fine-grained authorization (also known as data-scope authorization) is a further refinement based on account authorization. It solves the problem: within the same application, different users can see and operate different data scopes.
Typical Scenarios
| Scenario | Description |
|---|---|
| Regional isolation | North China sales can only view North China customer data; East China sales can only view East China customer data |
| Rank isolation | Ordinary employees can only view their own data; department managers can view all department data; executives can view company-wide data |
| Project isolation | Project members can only access data of their own projects; project managers can view across projects |
Differences from Account Authorization
| Comparison | Account Authorization | Fine-Grained Authorization |
|---|---|---|
| Control granularity | Application level | In-app data level |
| Problem solved | Whether the app can be accessed | Which data can be operated in the app |
| Configuration method | Bind user and application account | Configure data filtering rules |
Fine-grained authorization usually requires the application side to cooperate in implementing data filtering; IDaaS is responsible for passing the user's permission scope information to the application through tokens or assertions.