Specifications

A ‘permission’ is a special part of a policy. It adds the final level of control to the access control framework. As we have seen, we can control which resources a principal can access; with this sub-element we add a lower-level layer that controls exactly which functions a user can perform on any given resource.

For example, as the diagram below shows, the policy is associated with a resource, but the permissions on the resource only permit the associated principal to use the resource, even though the resource itself has further actions such as editing, assigning, etc.

With permissions we are able to lock down control to the actions of the resource itself.
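The check described above can be modelled as follows. This is an added example, not code from the specification: the class names, the `is_permitted` and `denied_actions` helpers, the sample principal and resource, and the deny-by-default rule for unlisted actions are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    actions: frozenset  # every action the resource itself supports


@dataclass(frozen=True)
class Policy:
    principal: str
    resource: Resource
    permissions: frozenset  # the actions this principal may perform

    def __post_init__(self):
        # A permission can only narrow the resource's own actions,
        # so reject a policy that names an action the resource lacks.
        unknown = self.permissions - self.resource.actions
        if unknown:
            raise ValueError(f"unknown actions in policy: {sorted(unknown)}")


def is_permitted(policies, principal, resource, action):
    """Assumed deny-by-default: allow only when a policy for this
    principal and resource lists the action among its permissions."""
    if action not in resource.actions:
        return False
    return any(
        p.principal == principal
        and p.resource == resource
        and action in p.permissions
        for p in policies
    )


def denied_actions(policies, principal, resource):
    """Actions the resource supports but the principal may not perform."""
    return sorted(
        a for a in resource.actions
        if not is_permitted(policies, principal, resource, a)
    )


# Constructed sample: the resource supports three actions,
# but the policy grants the principal only "use".
REPORT = Resource("report", frozenset({"use", "edit", "assign"}))
POLICIES = [Policy("alice", REPORT, frozenset({"use"}))]
```
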