LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you create a Role-Based Access Control Matrix?

Build a grid with one row per role and one column per resource, then fill each cell with the actions that role may perform (C/R/U/D, or "-" for none) — including ownership scope like "own records only".

An Access Control Matrix is just a table that makes every "role × resource" decision explicit, so no combination is left undefined.

How to build one (general method):

  1. List every role in the system (down the left).
  2. List every resource / endpoint (across the top).
  3. In each cell, write the allowed actions — Create, Read, Update, Delete, or - for no access.
  4. Add ownership scope where it matters: "R (own)" means a role can only read its own records, not everyone's.

Worked example — a small online-banking app with three resources (/account/ for bank accounts, /news/ for public news articles, /transaction/ for money transfers) and four roles:

Role /account/ /news/ /transaction/
User (a customer) R (own) R R (own)
PR-Employee (publishes news) - CRUD -
Client Advisor (manages assigned clients) R R R (clients)
Public (not logged in) - R -

Reading the grid: a customer can read only their own account and transactions; a PR employee can fully manage news but touch no financial data; a client advisor can read the accounts/transactions of their assigned clients only; an anonymous visitor can read public news and nothing else. The "(own)" / "(clients)" notes are the crucial part — without an ownership check, "User can Read /account/" would let one customer read every customer's account.

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026