Permissions are the rules that govern what actions an authenticated identity, whether a user, service account, or system process, is allowed to perform on specific resources. They form the enforcement layer of access control, determining who can read, write, execute, delete, or administer particular data and functionality within a system.
How It Works
Permission systems typically operate on a subject-action-resource model. The subject is the identity requesting access, the action is what they want to do, and the resource is the target. For example, a permission rule might state that users in the "editor" role can update articles but cannot delete them, while "admin" users can do both. The application checks these rules at each access point before allowing the requested action to proceed.
Permissions can be implemented at multiple layers. File system permissions control access to files and directories at the operating system level. Database permissions restrict which tables, rows, or columns a user can query. Application-level permissions govern access to features, API endpoints, and data objects within the business logic. The layers must be consistent with one another; restrictive application-level permissions mean little if the database account the application connects with has unrestricted access.
A common vulnerability pattern occurs when permissions are enforced on the user interface but not on the underlying API. An application might hide an "Admin" button from regular users, but if the API endpoint behind that button does not independently verify permissions, any user who discovers the endpoint can invoke administrative functions. This is known as broken access control and remains one of the most prevalent vulnerability categories found during security testing.
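The subject-action-resource model and the UI-only enforcement gap described above, as an added example that is not part of the original page. It assumes a hypothetical article service with three roles (viewer, editor, admin); the role table, the `Subject` type, and the in-memory article store are constructed for illustration.

```python
# Added example (not from the original page): a minimal subject-action-resource
# permission check, a handler that enforces it server-side, and the vulnerable
# pattern beside it (an endpoint that relies on the UI hiding the button).
from dataclasses import dataclass

# Role -> set of (action, resource_type) pairs that role is granted.
# Anything not listed is denied (default deny); an unknown role grants nothing.
ROLE_PERMISSIONS = {
    "viewer": {("read", "article")},
    "editor": {("read", "article"), ("update", "article")},
    "admin": {("read", "article"), ("update", "article"), ("delete", "article")},
}

@dataclass(frozen=True)
class Subject:
    name: str            # authenticated identity (user, service account, ...)
    roles: frozenset     # roles assigned to that identity

class PermissionDenied(Exception):
    pass

DENIALS = []  # constructed audit trail of denied requests, useful for detection

def is_allowed(subject, action, resource_type):
    """True if any of the subject's roles grants (action, resource_type)."""
    return any((action, resource_type) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)

def require(subject, action, resource_type):
    """Enforce the check at the access point; record and raise on denial."""
    if not is_allowed(subject, action, resource_type):
        DENIALS.append((subject.name, action, resource_type))
        raise PermissionDenied(f"{subject.name} may not {action} {resource_type}")

# Constructed in-memory article store standing in for the database.
ARTICLES = {1: "first article", 2: "second article"}

def delete_article_unchecked(subject, article_id):
    """Vulnerable pattern: the UI hides the Delete button from non-admins, but the
    endpoint itself never checks, so any caller who knows the endpoint succeeds."""
    ARTICLES.pop(article_id, None)
    return True

def delete_article(subject, article_id):
    """Hardened: the endpoint verifies the permission regardless of the UI."""
    require(subject, "delete", "article")
    ARTICLES.pop(article_id, None)
    return True
```

In a real application the same `require` call belongs in every handler and data-access path, not only in the one the UI exposes a button for.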
Why It Matters
Improperly configured permissions are a leading cause of data breaches and unauthorized access. Overly broad permissions violate the principle of least privilege, giving users or services more access than they need and increasing the blast radius when an account is compromised. Security assessments consistently find permission enforcement gaps, especially in applications that check permissions only at the UI layer rather than enforcing them at every API endpoint and data access layer.