Designing access control (permissions) for an enterprise application is pivotal, because these applications keep evolving as the company grows.
For a designer, understanding access control helps in designing user management screens. I am sharing some concepts and ideas based on my long experience designing SaaS applications.
ACL (Access Control List)
An ACL is permission-based access control: each user is granted, one by one, the particular operations he or she may perform. No role is involved; as each user is onboarded, the relevant set of operations is granted to that user directly.
RBAC (Role-based access control)
An ACL works for a small set of users, but managing users becomes cumbersome as the application's user base grows. RBAC is an alternative approach that reduces this effort: the permissions to perform certain operations are grouped into a role, and users are assigned roles. A permission change is then made on the role and applies to every user who holds it; you do not need to change the permissions of each user individually.
GBAC (Group-based access control)
RBAC in turn becomes inconvenient as the product gets more complex and serves many users. Imagine you are onboarding a new branch of the company and have to assign roles to hundreds of users one by one.
In the GBAC model, you create groups and attach roles to the groups rather than to individual users. A new user is placed in a group and receives the group's role policy, which simplifies permission control considerably.
In a product with a large user base, a super admin may also want to assign a sub-admin role to delegate fine-grained permission management. Permissions within a group can be inherited in this access control model, for example by sub-groups from their parent group.
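The three models side by side, as an added example that is not part of the original article and comes from no real product: an ACL check that grants operations to users directly, an RBAC check that grants them through roles, and a GBAC check that attaches roles to groups, lets sub-groups inherit their parent group's roles, and onboards a branch by group membership alone. All users, groups, roles and permissions are constructed sample data; the inheritance direction (sub-group inherits from parent) and the SUB_ADMIN_SCOPE mapping used to confine a delegated sub-admin to one branch are assumptions made for this illustration.

```python
"""ACL, RBAC and group-based (GBAC) authorization checks side by side.
Every user, group, role and permission below is constructed sample data
for illustration; none of it comes from a real product."""

# ---- ACL: operations granted to each user directly ----------------------
ACL = {
    "alice": {"invoice:read", "invoice:approve"},
    "bob": {"invoice:read"},
}

def acl_allows(user, permission):
    """ACL check: the user must hold this exact permission. Unknown users and
    ungranted operations are denied."""
    return permission in ACL.get(user, set())

# ---- RBAC: permissions live on roles, users hold roles -------------------
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "sub-admin": {"invoice:read", "user:manage"},
}
USER_ROLES = {"alice": {"approver"}, "bob": {"viewer"}}

def roles_allow(roles, permission):
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def rbac_allows(user, permission):
    return roles_allow(USER_ROLES.get(user, set()), permission)

def grant_to_role(role, permission):
    """One edit on the role reaches every user holding it (RBAC and GBAC alike)."""
    ROLE_PERMISSIONS.setdefault(role, set()).add(permission)

# ---- GBAC: roles live on groups, sub-groups inherit their parents' roles,
# users join groups. Assumed model for this example. ----------------------
GROUP_PARENTS = {
    "finance": set(),
    "finance-berlin": {"finance"},
    "finance-berlin-leads": {"finance-berlin"},
}
GROUP_ROLES = {
    "finance": {"viewer"},
    "finance-berlin-leads": {"approver", "sub-admin"},
}
USER_GROUPS = {
    "carol": {"finance-berlin"},
    "dave": {"finance-berlin-leads"},
    "erin": {"finance"},
}
# Assumed: the super admin records which branch each sub-admin administers.
SUB_ADMIN_SCOPE = {"dave": "finance-berlin"}

def effective_groups(user):
    """The user's groups plus every ancestor group. The visited set makes the
    walk terminate even if someone misconfigures a parent cycle."""
    seen, pending = set(), list(USER_GROUPS.get(user, set()))
    while pending:
        g = pending.pop()
        if g in seen:
            continue
        seen.add(g)
        pending.extend(GROUP_PARENTS.get(g, set()))
    return seen

def effective_roles(user):
    roles = set()
    for g in effective_groups(user):
        roles |= GROUP_ROLES.get(g, set())
    return roles

def gbac_allows(user, permission):
    return roles_allow(effective_roles(user), permission)

def onboard_branch(users, group):
    """Onboarding a branch is one membership per user; no per-user role work."""
    for u in users:
        USER_GROUPS.setdefault(u, set()).add(group)

def descendants(group):
    """The group and every group that inherits from it, directly or transitively."""
    out, pending = set(), [group]
    while pending:
        g = pending.pop()
        if g in out:
            continue
        out.add(g)
        pending.extend(c for c, parents in GROUP_PARENTS.items() if g in parents)
    return out

def can_manage_user(admin, target):
    """Delegated administration: the sub-admin needs the user:manage permission
    and may only touch users whose groups fall inside the branch assigned to them."""
    root = SUB_ADMIN_SCOPE.get(admin)
    if root is None or not gbac_allows(admin, "user:manage"):
        return False
    return bool(descendants(root) & USER_GROUPS.get(target, set()))
```

With this data carol, a member of finance-berlin, can read invoices only because her group inherits the viewer role from finance, while dave, in finance-berlin-leads, also approves them and may manage carol but not erin at headquarters. Onboarding a hundred users into finance-berlin is a hundred membership rows and zero role assignments, and adding a permission to the viewer role reaches all of them at once.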