计算机英语中单词privilege和permission的区别

涉及ER图和RBAC知识。

我们要考虑的是角色和认证的ER图（实体关系图）

an application has functions

functions may be performed by roles

identities are given roles

individuals are provisioned with identities

bringing that together a little bit, we can say: + an individual (who has an online identity), performing a role is given permission to perform functions in applications。

So:

the permission is the ER link between the role, function and application, i.e. permissions are given to roles

the privilege is the ER link between an individual and the application, i.e. privileges are given to people.

HOWEVER, many designers don't bother separating individual and role or don't separate function and application and so the difference between privilege and permission is missed. In my experience, you often see this when someone says "use AD groups to store RBAC" - this is a serious anti-pattern.

In a world where there are requirements to report on toxic combinations and granular permissioning is more common place then it the data model for storing RBAC is very much more important.