# Understand Authing's Access Contorl Model
The core of Authing's access control and authority management model is designed around two points: Resource and Policy. A policy defines a certain operation authority(s) for a certain resource (class). By authorizing the policy to a user (or role), you can know whether the user (or role) has operation authority for a certain operation of a resource .
Three entities are involved in this model: -Resource -Action -Subject, ie user or role (Identity)
Each strategy is essentially a JSON Document, each strategy contains multiple statements (Statements):
{
"statements": [
{
"resource": "books:123",
"action": ["books:edit"],
"effect": "ALLOW"
},
{
"resource": "books:123",
"action": ["books:delete"],
"effect": "DENY"
}
]
}
Each Statement
consists of the following parts:
-Resource: it can be a specific resource (such as books:123
), multiple resources (such as books:123,books:124
), or a type of resource (such as books:*
).
-Action: It can be a specific operation (such as books:edit
), multiple operations (such as books:read, books:edit
), or a type of operation (such as books:*
).
-Effect (Effect): Allow (ALLOW) or deny (DENY).
You can authorize the policy to a certain user or a certain role. The policy authorized to the role will be inherited by all users under the role, and the user who is granted the policy will automatically obtain the permissions defined in the policy. If a user is granted multiple policies, his authority is the union of these policies.
If the above example policy is granted to user A (either directly or through role inheritance), he will have the books:edit
permission of the resource books:123
instead of the books:delete
permission.
â Link Account Manage Resources â