# Authorization and Access Control

In ONEWEB, **security is enforced through the combined mechanisms of authentication and authorization**.\
Once a user is successfully authenticated, **authorization and access control** determine **what resources the user is allowed to access and what actions they are permitted to perform**.

While authentication answers *“Who are you?”*, authorization answers the equally critical question:

> **“What are you allowed to do?”**

***

### Purpose of Authorization & Access Control

Authorization and access control are designed to:

* Protect application resources from unauthorized access
* Ensure users can perform only permitted actions
* Enforce separation of duties
* Support compliance, auditability, and governance requirements
* Reduce risk by limiting access to sensitive data and functionality

These controls ensure that authenticated users operate strictly within their assigned scope.

***

### Authorization Model in ONEWEB

ONEWEB implements a **Role‑Based Access Control (RBAC)** model.

#### Core Concepts

* **Users** are assigned one or more **roles**
* **Roles** are granted **permissions**
* **Permissions** define access to specific resources and operations

Because access is granted only through these explicit permissions, a user can perform exactly the operations their roles allow and nothing else: a request that no assigned role covers is denied.

***

### Access Control Components

#### Users

Users represent human or system identities authenticated through:

* **LDAP authentication**
* **Local repository authentication** in ONEWEB

***

#### Roles

Roles group permissions into meaningful access profiles, such as:

* General user
* Approver
* Administrator
* Auditor

Assigning roles instead of direct permissions simplifies administration and supports scalable access management.

***

#### Permissions

Permissions define:

* Which application objects can be accessed
* Which operations are allowed (e.g., view, create, update, delete, execute)

Permissions are always granted to roles—not directly to users.
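The model described above (users hold roles, roles hold permissions, permissions name a resource and an operation) as a small runnable policy evaluator. This is an added example, not ONEWEB code or its API: the role names, the `invoice`/`audit_log` resources and the `Policy` class are hypothetical. It also enforces two rules the text states, deny by default and permissions only via roles, plus a separation‑of‑duties constraint so that one person cannot hold a submitting role and an approving role at the same time.

```python
"""Minimal RBAC evaluator illustrating the users -> roles -> permissions model.

Added example, not ONEWEB code: role, resource and operation names are
hypothetical. A request is allowed only when some role of the user explicitly
grants (resource, operation); anything not granted is denied.
"""
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (resource, operation), e.g. ("invoice", "approve")


class PolicyError(ValueError):
    """Raised when a policy change would violate a modelling rule."""


@dataclass
class Policy:
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # Pairs of roles one person may never hold at once (separation of duties).
    exclusive_roles: set[frozenset[str]] = field(default_factory=set)

    def define_role(self, role: str, *permissions: Permission) -> None:
        self.roles[role] = set(permissions)

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.exclusive_roles.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        # Users only ever receive roles; an undefined role cannot be assigned,
        # so there is no path to hand a user a permission directly.
        if role not in self.roles:
            raise PolicyError(f"unknown role {role!r}: permissions are granted to roles, not users")
        held = self.user_roles.setdefault(user, set())
        for pair in self.exclusive_roles:
            if role in pair and (pair - {role}) & held:
                raise PolicyError(f"{user} may not hold {sorted(pair)} together")
        held.add(role)

    def permissions_of(self, user: str) -> set[Permission]:
        # Union of the permissions of every role the user holds; empty for unknown users.
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, set())))

    def can(self, user: str, resource: str, operation: str) -> bool:
        # Deny by default: only an explicit grant reachable through a role allows the action.
        return (resource, operation) in self.permissions_of(user)


def build_sample_policy() -> Policy:
    """Constructed sample policy modelled on the role profiles listed above."""
    p = Policy()
    p.define_role("general_user", ("invoice", "view"), ("invoice", "create"))
    p.define_role("approver", ("invoice", "view"), ("invoice", "approve"))
    p.define_role("auditor", ("invoice", "view"), ("audit_log", "view"))
    p.define_role("administrator", ("role", "update"), ("user", "update"))
    # Whoever creates an invoice must not also be able to approve it.
    p.forbid_together("general_user", "approver")
    p.assign("alice", "general_user")
    p.assign("bob", "approver")
    p.assign("carol", "auditor")
    return p


def assignment_rejected(p: Policy, user: str, role: str) -> bool:
    """True if the policy refuses to give `user` the role `role`."""
    try:
        p.assign(user, role)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, resource, op in [("alice", "invoice", "create"), ("alice", "invoice", "approve"),
                               ("bob", "invoice", "approve"), ("dave", "invoice", "view")]:
        print(f"{user:6} {resource}:{op:8} -> {'allow' if policy.can(user, resource, op) else 'deny'}")
```

Note that the check in `can` never consults the user record for permissions; the only way a user obtains a permission is through a role, which is what keeps role reviews meaningful.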

***

### Authentication vs Authorization

| Aspect     | Authentication        | Authorization              |
| ---------- | --------------------- | -------------------------- |
| Question   | Who are you?          | What can you do?           |
| Focus      | Identity verification | Access control             |
| Occurs     | First                 | After authentication       |
| Managed by | Identity mechanisms   | Role & permission policies |

Both mechanisms must work together: authentication without authorization identifies a user but does not restrict what that user can do, and authorization without authentication has no trustworthy identity to make decisions about.

***

### Supported Authentication Sources

Authorization in ONEWEB works consistently regardless of authentication method:

* **LDAP Authentication**
  * Centralized enterprise directory
  * Role mapping based on directory attributes
* **Local Repository Authentication**
  * Users and roles managed within ONEWEB
  * Suitable for smaller deployments or isolated systems

In both cases, authorization decisions are based on assigned roles and permissions.
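The following added example (not ONEWEB code) shows what "works consistently regardless of authentication method" looks like in practice: a directory entry and a local repository record are both reduced to the same principal shape, a username plus a set of role names, so the authorization layer is never told which source authenticated the user. The `memberOf` attribute, the group‑DN‑to‑role table, the `general_user` default role and the record layouts are assumptions made for illustration; groups and role names that are not in the table are ignored rather than guessed at.

```python
"""Mapping LDAP and local-repository identities onto one set of ONEWEB roles.

Added example, not ONEWEB code. Attribute names, the group-to-role table and
the sample records are assumptions; the point is that both sources yield an
identical Principal, so authorization decisions depend only on roles.
"""
from dataclasses import dataclass

# Assumed mapping from directory group DNs to role names.
LDAP_GROUP_TO_ROLE = {
    "cn=invoice-approvers,ou=groups,dc=example,dc=com": "approver",
    "cn=internal-audit,ou=groups,dc=example,dc=com": "auditor",
    "cn=oneweb-admins,ou=groups,dc=example,dc=com": "administrator",
}
DEFAULT_ROLE = "general_user"  # assumed role every authenticated user receives
KNOWN_ROLES = set(LDAP_GROUP_TO_ROLE.values()) | {DEFAULT_ROLE}


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset[str]


def _normalise_dn(dn: str) -> str:
    # DNs are compared case-insensitively and may be written with spaces after
    # the commas; canonicalise so a differently written group is not missed.
    return ",".join(part.strip().lower() for part in dn.split(","))


_GROUP_TABLE = {_normalise_dn(dn): role for dn, role in LDAP_GROUP_TO_ROLE.items()}


def principal_from_ldap(entry: dict[str, list[str]]) -> Principal:
    """Derive roles from the entry's memberOf groups; unmapped groups grant nothing."""
    roles = {DEFAULT_ROLE}
    for group_dn in entry.get("memberOf", []):
        role = _GROUP_TABLE.get(_normalise_dn(group_dn))
        if role is not None:
            roles.add(role)
    return Principal(entry["uid"][0], frozenset(roles))


def principal_from_local(record: dict) -> Principal:
    """Local records carry role names directly; names not defined in ONEWEB are dropped."""
    roles = {DEFAULT_ROLE} | {r for r in record.get("roles", []) if r in KNOWN_ROLES}
    return Principal(record["username"], frozenset(roles))


# Constructed sample records (not real directory or repository data).
SAMPLE_LDAP_ENTRY = {
    "uid": ["bob"],
    "memberOf": [
        "CN=Invoice-Approvers, OU=Groups, DC=example, DC=com",  # mapped, written differently
        "cn=coffee-club,ou=groups,dc=example,dc=com",           # unmapped: no role
    ],
}
SAMPLE_LOCAL_RECORD = {"username": "bob", "roles": ["approver", "superuser"]}
SAMPLE_LDAP_ENTRY_NO_GROUPS = {"uid": ["frank"], "memberOf": ["cn=coffee-club,ou=groups,dc=example,dc=com"]}


if __name__ == "__main__":
    print(principal_from_ldap(SAMPLE_LDAP_ENTRY))
    print(principal_from_local(SAMPLE_LOCAL_RECORD))
    print(principal_from_ldap(SAMPLE_LDAP_ENTRY_NO_GROUPS))
```

Two choices here matter for security: a directory group that has no entry in the table adds no role (so a new or renamed group cannot silently confer access), and a local record naming a role the platform does not define is trimmed rather than trusted.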

***

### Security & Compliance Considerations

Effective authorization and access control help organizations:

* Enforce least‑privilege access
* Reduce insider threat risks
* Support audits and regulatory compliance
* Maintain clear accountability
* Prevent unauthorized data exposure

Misconfigured roles or overly broad permissions are a common cause of security incidents, making careful design essential.

***

### Best Practices

* Design roles based on business responsibilities, not individuals
* Apply the **principle of least privilege**
* Review role assignments regularly
* Avoid granting administrative permissions unnecessarily
* Log and audit authorization‑related events

***

### Summary

**Authorization and Access Control** in ONEWEB ensure that authenticated users can access only the resources and operations explicitly permitted to them.

Key takeaways:

* ONEWEB uses **role‑based access control (RBAC)**
* Users are assigned roles, and roles define permissions
* Authorization is enforced after successful authentication
* LDAP and local authentication are both supported
* Proper access control is essential for security and compliance

A well‑designed authorization model is central to building **secure, compliant, and governable applications** on the ONEWEB platform.
