Advanced access control system

Tengri implements an advanced system for controlling access rights.

Supported principles

Tengri supports the principles of DAC and RBAC.

DAC

Discretionary access control: each object has an owner who can grant other users access rights (privileges) to that object.

RBAC

Role-based access control: access rights (privileges) are assigned to roles, which in turn are assigned to users.

Key concepts of the access control system

Protected object

An entity to which access (privileges) can be granted. Access to a protected object is denied unless it has been allowed.

Role

An entity to which access rights (privileges) can be granted. Roles can be assigned to users or to other roles. Assigning a role to another role creates a role hierarchy.

Privilege

A specific level of access to an object. Privileges are assigned to users or roles, allow those users or roles to access protected objects, and can be revoked from them.

Several different privileges can be used simultaneously to control the granularity of the access granted.

User

An identifier associated with a person or service. A user is an object that can be granted privileges.
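
The following sketch is an added illustration, not Tengri code or syntax: a minimal Python model of how the concepts above combine (owner-controlled grants for DAC, privileges inherited through a role hierarchy for RBAC, and denial when nothing allows access). The class and method names, the owner-only grant rule and the owner's implicit access are assumptions made for the example.

```python
from collections import defaultdict

class AccessModel:
    """Toy DAC + RBAC model; all names here are hypothetical, not Tengri's API."""

    def __init__(self):
        self.owner = {}                    # protected object -> owning user
        self.grants = defaultdict(set)     # user or role -> {(object, privilege)}
        self.roles_of = defaultdict(set)   # user or role -> roles assigned to it

    def create_object(self, obj, owner):
        self.owner[obj] = owner

    def _principals(self, start):
        """Return start plus every role reachable through the role hierarchy."""
        seen, stack = set(), [start]
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.roles_of[p])
        return seen

    def assign_role(self, role, to):
        # A role that already inherits from `to` would form a cycle: reject it.
        if to in self._principals(role):
            raise ValueError(f"assigning {role!r} to {to!r} creates a cycle")
        self.roles_of[to].add(role)

    def _require_owner(self, actor, obj):
        # DAC, simplified (assumption): only the owner may change an object's grants.
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor!r} does not own {obj!r}")

    def grant(self, actor, principal, obj, privilege):
        self._require_owner(actor, obj)
        self.grants[principal].add((obj, privilege))

    def revoke(self, actor, principal, obj, privilege):
        self._require_owner(actor, obj)
        self.grants[principal].discard((obj, privilege))

    def is_allowed(self, user, obj, privilege):
        # Assumption: the owner always has access; everyone else is denied
        # unless the user or one of its (inherited) roles holds the privilege.
        if self.owner.get(obj) == user:
            return True
        return any((obj, privilege) in self.grants[p]
                   for p in self._principals(user))
```

When reviewing real grants, the same traversal is what matters: a user's effective privileges are the union over every role reachable from that user, so a privilege granted to a low-level role reaches everyone who holds a role built on top of it.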


For details on working with the access control system, refer to the sections: