| author | mo khan <mo@mokhan.ca> | 2025-03-14 11:14:17 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-14 11:14:17 -0600 |
| commit | 9ecf8c07697f3ffad2ea52a6521ef76175abec05 (patch) | |
| tree | 5a806e2f7544221d6626035a101f1f76440bc67b /doc/share/authz | |
| parent | d034240ecdffaaf7c50b740a3958f80a07cbd6b3 (diff) | |
docs: describe the ReBAC model and how it differs from RBAC
Diffstat (limited to 'doc/share/authz')
| -rw-r--r-- | doc/share/authz/README.md | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md index 52d330f8..fd72bbc9 100644 --- a/doc/share/authz/README.md +++ b/doc/share/authz/README.md @@ -157,6 +157,24 @@ A Social Network System (SNS) maintains a social network for at least two reason 2. The social network is used as a basis for formulating the access control policies of user contributed resources. +Access Control Paradigm: + +1. the explicit tracking of one or more social networks by the protection system +1. the expression of access control policies in terms of the relationship + between the resource owner and the resource accessor + +Suited for domains in which relationship and authorization decisions are from +the structure of trust that is inherent in the application domain rather than +subjective assessment of users. + +It is more natural to base authz decisions on whether the resource owner and +accessor are in a particular kind of relationship. + +In a standard RBAC system, when a permission `p` is assigned to role `R`, we are +essentially formulating the following policy: `grant p to user u if R(u)`. + +PriMA is another recently proposed privacy protection mechanism for SNSs. + References * [Relationship-Based Access Control: Protection Model and Policy Language by Philip W. L. Fong](https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf) |
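Review bot: The RBAC paragraph at the end of the hunk gives the policy form `grant p to user u if R(u)`, but the added text stops there and never states the ReBAC counterpart, so the difference the commit subject promises is left for the reader to infer. Follow it with a sentence that gives the ReBAC policy form in the terms the numbered list already uses, that is, a condition on the relationship between the resource owner and the resource accessor rather than on the user alone. Two smaller points: "authorization decisions are from the structure of trust" is missing a verb (perhaps "derived"), and the PriMA sentence says "another" although no earlier mechanism is named in these lines and the visible part of References has no entry for it, so either expand it with a citation or drop it.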
