From 9ecf8c07697f3ffad2ea52a6521ef76175abec05 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Fri, 14 Mar 2025 11:14:17 -0600
Subject: docs: describe the ReBAC model and how it differs from RBAC

---
 doc/share/authz/README.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'doc/share')

diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md
index 52d330f..fd72bbc 100644
--- a/doc/share/authz/README.md
+++ b/doc/share/authz/README.md
@@ -157,6 +157,24 @@ A Social Network System (SNS) maintains a social network for at least two reason
 2. The social network is used as a basis for formulating the access control
    policies of user contributed resources.
 
+Access Control Paradigm:
+
+1. the explicit tracking of one or more social networks by the protection system
+1. the expression of access control policies in terms of the relationship
+   between the resource owner and the resource accessor
+
+Suited for domains in which relationship and authorization decisions are from
+the structure of trust that is inherent in the application domain rather than
+subjective assessment of users.
+
+It is more natural to base authz decisions on whether the resource owner and
+accessor are in a particular kind of relationship.
+
+In a standard RBAC system, when a permission `p` is assigned to role `R`, we are
+essentially formulating the following policy: `grant p to user u if R(u)`.
+
+PriMA is another recently proposed privacy protection mechanism for SNSs.
+
 References
 
 * [Relationship-Based Access Control: Protection Model and Policy Language by Philip W. L. Fong](https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf)
-- 
cgit v1.2.3