Access Control

selective restriction of access to a resource


User wants to access a resource

  • example: access your Google Calendar

App mediates access to that resource


Permissions

  • an action that can be executed on a resource
  • defined on the resource
    • without Google Calendar, can't have a permission to access Google Calendar



Privileges

  • privileges given to a user/app
    • privileges have permissions (which are on the resource)


Scopes

What an app can do on behalf of the user

  • example: read/write

Scopes vs Privileges

Scopes: NOT just privileges for apps

  • scopes are always on behalf of a user
    • privileges must be checked when scopes are used
    • if the user loses the privileges, the scope should reflect that

There are scopes that aren't in the resource permissions or the user privileges


  • OpenID scope
  • return an ID token as the result of the user auth
  • profile, email, address, phone

Scopes vs Permissions

  • some permissions can't be delegated
  • can't be added to a scope
    • example: never allow an app to delete a calendar event
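
The two comparisons above (scopes vs privileges, scopes vs permissions) as an added Python example, not code from the original notes. Scope names, permission names and function names are hypothetical: a scope is resolved to permissions, intersected with the privileges the user holds at request time, and non-delegable permissions are excluded.

```python
# Added example; every name and value below is hypothetical / constructed.

# Permissions that may never be delegated to an app through a scope.
NON_DELEGABLE = frozenset({"calendar.event.delete"})

# Scope -> resource permissions it carries. Identity scopes carry none:
# they only shape the ID token, so they map to the empty set.
SCOPE_PERMISSIONS = {
    "calendar.read": {"calendar.event.read"},
    "calendar.write": {"calendar.event.read", "calendar.event.update"},
    "openid": set(),
    "profile": set(),
    "email": set(),
}


class ScopeError(ValueError):
    """A scope definition or request violates the delegation rules."""


def validate_catalog(catalog, non_delegable=NON_DELEGABLE):
    """Reject any scope that bundles a non-delegable permission."""
    for scope, perms in catalog.items():
        leaked = set(perms) & non_delegable
        if leaked:
            raise ScopeError(f"scope {scope!r} includes non-delegable {sorted(leaked)}")


def effective_permissions(granted_scopes, user_privileges):
    """Permissions the app can use right now on behalf of the user.

    user_privileges is the set of permissions the user holds at request time,
    looked up fresh on every call rather than cached at consent time.
    """
    delegated = set()
    for scope in granted_scopes:
        if scope not in SCOPE_PERMISSIONS:
            raise ScopeError(f"unknown scope {scope!r}")
        delegated |= SCOPE_PERMISSIONS[scope]
    # Intersection: a scope never grants more than the user currently has.
    return (delegated & set(user_privileges)) - NON_DELEGABLE


def authorize(action, granted_scopes, user_privileges):
    """True only if the action is delegated AND the user still holds it."""
    return action in effective_permissions(granted_scopes, user_privileges)


validate_catalog(SCOPE_PERMISSIONS)  # fail fast at import on a bad catalog
```
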


Forma permissions

Permissions ↔ Roles ↔ Group ↔ User

all many-to-many relationships

Group and User are Django built-ins

Roles are kinda like privileges

We don't have the notion of scopes

Why Groups weren't enough

Permissions on individual resources


Role examples

  • Dashboard Admin
  • Approvals Admin

