---
title: InfluxDB 3 Enterprise authentication and authorization
description: InfluxDB 3 Enterprise uses an Attribute-Based Access Control (ABAC) model to manage permissions for authentication (authn) and authorization (authz).
url: https://docs.influxdata.com/influxdb3/enterprise/reference/internals/authentication/
estimated_tokens: 724
product: InfluxDB 3 Enterprise
version: enterprise
---

# InfluxDB 3 Enterprise authentication and authorization

InfluxDB 3 Enterprise uses an Attribute-Based Access Control (ABAC) model to manage permissions and supports multiple token types for different authentication scenarios.

This model allows for fine-grained control over access to resources and actions within an InfluxDB 3 Enterprise instance.

The ABAC model includes the following components:

-   **Authentication (authn)**: The process through which a user verifies their identity. In InfluxDB 3 Enterprise, this occurs when a token is validated. Users may be human or machine (for example, through automation). InfluxDB 3 Enterprise tokens represent previously verified authenticated users that facilitate automation.
    
-   **Authorization (authz)**: The process that determines if an authenticated user can perform a requested action. In InfluxDB 3 Enterprise, authorization evaluates whether a token has permissions to perform actions on specific resources.
    
-   **Context**: The system may use contextual information, such as location or time, when evaluating permissions.
    
-   **Subject**: The identity requesting access to the system. In InfluxDB 3 Enterprise, the subject is a *token* (similar to an “API key” in other systems). Tokens include attributes such as identifier, name, description, and expiration date.
    
-   **Action**: The operations (for example, CRUD) that subjects may perform on resources.
    
-   **Permissions**: The set of actions that a specific subject can perform on a specific resource. Authorization compares the incoming request against the permissions set to decide if the request is allowed or not.
    
    In InfluxDB 3 Enterprise, *admin* tokens have all permissions, while *resource* tokens have specific permissions. Resource tokens have fine-grained permissions for specific resources of a specific type. For example, a database token can have permissions to read from a specific database but not write to it.
    
-   **Resource**: The objects that can be accessed or manipulated. Resources have attributes such as identifier and name. In InfluxDB 3 Enterprise, resources include databases and system information endpoints.
    
    -   Database tokens provide access to specific databases for actions like writing and querying data.
    -   System tokens provide access to system-level resources, such as API endpoints for server runtime statistics and health. Access controls for system information API endpoints help prevent information leaks and attacks (such as DoS).

#### Related

-   [Manage tokens](/influxdb3/enterprise/admin/tokens/)