Beyond roles and permissions to access control
You can group system permissions by adding them to roles and then assigning the role to a user. So, if a particular role has a view policy document permission, any user with that role can view a document attached to a policy. And, of course, the user must first have access to that policy.
In practice, however, you likely do not want all users to access all objects of the same type. For example, suppose that an object has an associated document that contains information on a famous celebrity. You most likely want to restrict access so that only certain people have access to the personal information contained in this document. You use the PolicyCenter access control feature to make distinctions among objects of the same type and then secure access to them.
While roles and permissions determine what actions a user can perform, access control determines the objects on which the user can act. After you enable access control, a user requires both the correct role and the proper access. To use access control, you apply a security attribute to an object and then determine which users have access to objects with that attribute.
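The two-layer model described above, as an added example that is not PolicyCenter code or its API: roles map to permissions (what a user may do), security attributes on policies and documents decide which objects the user may act on, and a request is allowed only when every gate passes. All role names, permission names, users, policy numbers and the `celebrity` attribute are constructed sample data.

```python
"""Added example: role/permission check combined with object-level access control.

Layer 1 (roles -> permissions) answers "may this user view policy documents?"
Layer 2 (security attributes) answers "may this user see THIS policy / THIS document?"
Both must pass; anything else is denied, and the reason is returned for audit logging.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Layer 1: constructed roles. A clerk may open policies but not their documents.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "underwriter": frozenset({"view_policy", "view_policy_document"}),
    "clerk": frozenset({"view_policy"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str]
    # Security attributes this user has been granted access to (layer 2).
    granted_attributes: frozenset[str] = field(default_factory=frozenset)

    def permissions(self) -> frozenset[str]:
        """Union of the permissions of every role assigned to the user."""
        perms: set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)


@dataclass(frozen=True)
class Policy:
    number: str
    security_attribute: Optional[str] = None  # None = unrestricted


@dataclass(frozen=True)
class PolicyDocument:
    doc_id: str
    policy: Policy                             # the policy the document is attached to
    security_attribute: Optional[str] = None  # None = unrestricted


def has_access(user: User, security_attribute: Optional[str]) -> bool:
    """Layer 2: an unrestricted object is open to all; a restricted one needs the grant."""
    return security_attribute is None or security_attribute in user.granted_attributes


def authorize_view_document(user: User, doc: PolicyDocument) -> tuple[bool, str]:
    """Deny by default. Returns (allowed, reason) so denials can be logged."""
    if "view_policy_document" not in user.permissions():
        return False, "missing permission view_policy_document"
    # The user must first have access to the policy the document hangs off.
    if not has_access(user, doc.policy.security_attribute):
        return False, f"no access to policy {doc.policy.number} ({doc.policy.security_attribute})"
    if not has_access(user, doc.security_attribute):
        return False, f"no access to document {doc.doc_id} ({doc.security_attribute})"
    return True, "allowed"


# Constructed sample objects and users.
STANDARD_POLICY = Policy("PC-1001")
CELEB_POLICY = Policy("PC-2002", security_attribute="celebrity")
STANDARD_DOC = PolicyDocument("DOC-1", STANDARD_POLICY)
CELEB_DOC = PolicyDocument("DOC-2", CELEB_POLICY, security_attribute="celebrity")

ALICE = User("alice", frozenset({"underwriter"}), frozenset({"celebrity"}))  # role + access
BOB = User("bob", frozenset({"underwriter"}))                                # role, no access
CAROL = User("carol", frozenset({"clerk"}), frozenset({"celebrity"}))        # access, wrong role


def demo() -> dict[str, bool]:
    """Outcome of each combination: only the user with BOTH layers passes on the secured document."""
    return {
        "alice_celeb": authorize_view_document(ALICE, CELEB_DOC)[0],      # True
        "bob_standard": authorize_view_document(BOB, STANDARD_DOC)[0],    # True: unrestricted object
        "bob_celeb": authorize_view_document(BOB, CELEB_DOC)[0],          # False: right role, no access
        "carol_celeb": authorize_view_document(CAROL, CELEB_DOC)[0],      # False: access, wrong role
    }


if __name__ == "__main__":
    for user, doc in [(ALICE, CELEB_DOC), (BOB, STANDARD_DOC), (BOB, CELEB_DOC), (CAROL, CELEB_DOC)]:
        allowed, reason = authorize_view_document(user, doc)
        print(f"{user.name:6} {doc.doc_id}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The point to notice is the two ways a request fails: `bob` holds the right role but was never granted the `celebrity` attribute, and `carol` was granted the attribute but her role lacks the permission. Enabling access control on an object type therefore never widens what a role can do; it only narrows which objects that role reaches.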
