iso27diy-corp/Corpus/Sparks/CRUD Matrices.md
---
tags:
- infosec
- type/explainer
---
A CRUD matrix defines what actions a user (or process) is allowed to perform on a certain object, typically a data entity such as a table or record in a database.
CRUD is an acronym for:
- Create - to create and store new data
- Read - to retrieve and read existing data
- Update - to change or modify existing data and store the result
- Delete - to delete or remove the data
It is very valuable to combine a CRUD Matrix with the analysis of _user_ processes within the system, especially in the context of the _actors_ and _roles_ involved to complete the picture. ([source](https://www.unified-am.com/UAM/UAM/guidances/guidelines/uam_crud-matrix_F56BDB11.html))
This is the simplest form, showing what access or usage an organizational role has with a single object (here the object is implicit; an "X" marks a granted operation):
| Role | Create | Read | Update | Delete | Execute |
| --------- | :----: | :----: | :----: | :----: | :-----: |
| Manager | X | | | X | |
| Author | X | X | X | X | |
| Editor | | X | X | | |
| Publisher | | X | X | | X |
(Note the extra "Execute" column: with it the operation set is sometimes written as "CRUDE", for create, read, update, delete and execute. A row such as Manager, which can create and delete but not read, is exactly the kind of entry an access review should question.)
In the fuller form below, each cell lists the operations (as their CRUD(E) letters) that a role is authorized to perform on each object; a dash means no access at all:
| Role | Order | Invoice | Customer | Employee | Product |
| ------------- | :---: | :-----: | :------: | :------: | :-----: |
| Sales VP | CRUD | CRUD | CRUD | CRUD | CRUD |
| Sales Manager | CRUDE | CRUD | RU | R | R |
| Sales Rep | CRUD | R | RU | R | R |
| Stock Manager | - | - | - | R | RU |
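The two matrices above are easiest to put to work when they are treated as data that an authorization check and an access review both read from. The following is an added example, not code from the source page: it parses the compact letter-per-operation form (including the "E" and "L" extensions) into a role, object and operation structure, answers fail-closed "is this allowed?" queries, lists which roles hold a given operation on an object, and flags cells where a role can update, delete or execute something it cannot read. Both matrices are embedded as constructed input; the first table has no object name on the page, so the example assumes a single object called "Document".

```python
"""Authorization checks and access-review queries driven by a CRUD matrix."""
from __future__ import annotations

# Letter codes used in the compact matrix cells. "E" (execute) and "L" (list)
# are the CRUDE / CRUDL extensions of plain CRUD.
OPERATIONS = {
    "C": "create",
    "R": "read",
    "U": "update",
    "D": "delete",
    "E": "execute",
    "L": "list",
}

# Constructed input: the role x object matrix from the page, written with the
# same letter codes the table uses. "-" means no access at all.
SALES_MATRIX_TEXT = """
role          | Order | Invoice | Customer | Employee | Product
Sales VP      | CRUD  | CRUD    | CRUD     | CRUD     | CRUD
Sales Manager | CRUDE | CRUD    | RU       | R        | R
Sales Rep     | CRUD  | R       | RU       | R        | R
Stock Manager | -     | -       | -        | R        | RU
"""

# Constructed input: the single-object matrix from the page, with the object
# named "Document" (an assumption; the page leaves it unnamed).
DOCUMENT_MATRIX_TEXT = """
role      | Document
Manager   | CD
Author    | CRUD
Editor    | RU
Publisher | RUE
"""


def parse_matrix(text: str) -> dict[str, dict[str, frozenset[str]]]:
    """Parse a pipe-separated matrix into {role: {object: {operations}}}.

    Unknown letters and ragged rows raise immediately instead of being
    silently dropped, so a typo in a policy file is caught at load time
    rather than turning into an unintended grant or denial.
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = [cell.strip() for cell in lines[0].split("|")][1:]
    matrix: dict[str, dict[str, frozenset[str]]] = {}
    for line in lines[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        role, codes = cells[0], cells[1:]
        if len(codes) != len(header):
            raise ValueError(f"row for {role!r} has {len(codes)} cells, expected {len(header)}")
        row: dict[str, frozenset[str]] = {}
        for obj, code in zip(header, codes):
            letters = "" if code == "-" else code.upper()
            unknown = set(letters) - set(OPERATIONS)
            if unknown:
                raise ValueError(f"unknown operation code(s) {sorted(unknown)} for {role}/{obj}")
            row[obj] = frozenset(OPERATIONS[ch] for ch in letters)
        matrix[role] = row
    return matrix


def is_allowed(matrix: dict[str, dict[str, frozenset[str]]], role: str, obj: str, operation: str) -> bool:
    """Fail closed: an unknown role, object or operation is always denied."""
    return operation in matrix.get(role, {}).get(obj, frozenset())


def roles_with(matrix: dict[str, dict[str, frozenset[str]]], obj: str, operation: str) -> list[str]:
    """Column view for an access review: which roles hold `operation` on `obj`."""
    return sorted(role for role, row in matrix.items() if operation in row.get(obj, ()))


def find_blind_writes(matrix: dict[str, dict[str, frozenset[str]]]) -> list[str]:
    """Flag cells where a role may change, remove or execute data it cannot read.

    Such grants are not necessarily wrong (write-only drop boxes exist), but
    they are the cells a reviewer should have to justify explicitly.
    """
    findings = []
    for role, row in matrix.items():
        for obj, ops in row.items():
            writes = ops & {"update", "delete", "execute"}
            if writes and "read" not in ops:
                findings.append(f"{role} can {', '.join(sorted(writes))} {obj} without read")
    return findings


if __name__ == "__main__":
    sales = parse_matrix(SALES_MATRIX_TEXT)
    print("Sales Rep may delete Invoice:", is_allowed(sales, "Sales Rep", "Invoice", "delete"))
    print("Roles that can update Product:", roles_with(sales, "Product", "update"))
    for finding in find_blind_writes(parse_matrix(DOCUMENT_MATRIX_TEXT)):
        print("review:", finding)
```

Loading the policy from text keeps the matrix that people review and the matrix that the code enforces identical, which is the main point of maintaining one; the parser refusing unknown letters and the lookup denying anything it does not find are the two fail-closed defaults worth keeping in any real implementation.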
A CRUD matrix is a helpful tool for [Access Control Models](Access%20Control%20Models.md), and several well-known CRUD extensions have been introduced to address specific needs ([source](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete)), for example:
- **CRUDL (Create, Read, Update, Delete, List):** Adds a "List" operation to explicitly support retrieving collections of records, which is especially useful in applications where listing and searching are distinct from simple reading of single records.
- **BREAD (Browse, Read, Edit, Add, Delete):** "Browse" and "Add" are used instead of "Read" and "Create," and "Edit" instead of "Update," reflecting terminology that is sometimes more intuitive for end-users or specific application domains.
- **ABCD (Add, Browse, Change, Delete):** Similar to BREAD, this variant emphasizes "Browse" as a separate operation, and "Change" replaces "Update".
- **DAVE (Delete, Add, View, Edit):** Reorders and renames the same four operations; the change is one of terminology for a particular product or domain, not of semantics.
- **CRAP (Create, Replicate, Append, Process):** Introduces "Replicate," "Append," and "Process" for systems needing more specialized data manipulation actions.