I am a little confused on the contextual differences between permission and privilege from computer security perspective.Though I have read the definition of both the terms but it will be nice if someone can give me some practical example e.g.
User A can read write file X
What is privilege and permission in this case ?
In computer security, they are used interchangeably.
In the context of rights, permission implies consent given to any individual or group to perform an action. Privilege is a permission given to an individual or group. Privileges are used to distinguish between different granted permissions (including no permission.)
A privilege is a permission to perform an action.
Also from the above english.se link
A permission is a property of an object, such as a file. It says which agents are permitted to use the object, and what they are permitted to do (read it, modify it, etc.).
A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to access an object that it does not have permission to access, and privileges which allow an agent to perform maintenance functions such as restart the computer.
So in your example the privilege is having the permission to write the file 'x'
They are normally pretty interchangeable, though I've heard some systems where the permission is the thing that an action demands and the privilege is what the user has. So a user might be granted a privilege that corresponds to the permission being demanded, but that would really be semantics of some systems and isn't always the case.
Either way, unless you have a more specific situation where it's causing you problems, it's normally more of a semantic difference.
yes, they are subtly different (but only if you are fully modelling Role Based Access Control (RBAC)):
consider an ER model for role based authorisation:
bringing that together a little bit, we can say: + an individual (who has an online identity), performing a role is given permission to perform functions in applications
So:
HOWEVER, many designers don't bother separating individual and role or don't separate function and application and so the difference between privilege and permission is missed. In my experience, you often see this when someone says "use AD groups to store RBAC" - this is a serious anti-pattern.
In a world where there are requirements to report on toxic combinations and granular permissioning is more common place then it the data model for storing RBAC is very much more important.
In conversation, as many answers have said, the two are typically interchangeable.
Some of the possible contextual differences between the two as used by various computer environments are inherent in the connotations of the two words.
A permission is asked for, a privilege is granted. When you think about the conversational use of the two words, the "proactive" use of a permission (the first action typically taken by any subject in a sentence within a context) is to ask for it; the "reactive" use (the second action taken in response to the first) is to grant it. By contrast, the proactive use of a privilege is to grant it, while the reactive use is to exercise it.
Permissions are situation-based; privileges are time-based. Again, the connotation of the two terms is that permission is something that must be requested and granted each and every time you perform the action, and whether it is granted can then be based on the circumstances of the situation. A privilege, however, is in regard to some specific action that the subject knows they are allowed to do, because they have been informed once that they may do this thing, and then the subject proceeds to do so without specifically asking, until they are told they can no longer do this thing.
So typically, as used in IT security, privileges determine permissions. A user, though their account, is granted the privilege of reading a particular type of record (or a particular record) by the administrator of a system; this is typically done once, or as needed over time. The application, acting on behalf of the user who has authenticated themselves using the account, then asks for permission to perform an action each and every time it must do so, and the system grants this permission in each situation after examining the privileges of the user.
Privilege is almost always used in the context of system actions and abilities of the user in regards to non-object specific tasks and frequently refer to interactions with the system or application itself. * Add/remove user accounts. * Add/remove hardware devices. * Install applications.
Permissions are (generally) used in the context of filesystems (or objects that are referred to as part of the filesystem such as the /dev directory in *nix). You will set up a list of permissions on an object (file) that determines what specific people can do to that object.
It is generally the combination of privileges and permissions that determines someone's overall access to a system. If I have permission to access a specific file on a Windows system, for example, but I do not have the privileges to log on to this system locally or through the network, then I can't actually access it, even though the file's ACL (Access Control List) says that I can.
I'm curious, what exactly do you think is the contextual difference between the two?
I have seen (and used) both terms interchangeably. I have never seen anyone making a distinction between the two terms before. They both refer to whether someone has the rights to perform a particular action.
