Why Calling Everyone a “User” Undermines Security and Design

The article explains how the vague term “user” leads to flawed requirements, security vulnerabilities such as the Confused Deputy problem, and costly redesigns, urging developers to adopt precise terminology like “traveler”, “agent”, or “member” early in a project.

Liangxu Linux

Problem with generic “user” concept

When a system models every participant as a generic “user”, the model often fails to capture distinct business roles, leading to redesign effort and security flaws.

Typical mistakes

The term “user” rarely matches the actual business requirement.

Using a single “user” entity conflates human actors with software identities, creating a confused‑deputy security problem.

Illustrative examples

Ticket‑booking system

Requirements include:

Traveler can view a reservation using a reservation code.

Buyer can modify a reservation by providing the last four digits of a credit‑card.

Travel agency can view and edit its bookings.

Airline staff can edit reservations based on role and passenger ID.

These map to distinct actors – traveler, buyer, agency, airline staff – not a single “user”. Access control should be expressed in terms of these roles and the credentials they present.
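The ticket-booking requirements above, written as an access check with one type per actor. This is an added example, not code from the original article. The class and function names, the staff role names, and the reading of "role and passenger ID" as an edit-capable role plus a matching passenger ID are assumptions.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Reservation:
    code: str
    passenger_id: str
    card_last4: str
    agency_id: str | None  # None when booked directly (assumption)

# One type per actor in the requirements; each holds only the credential it presents.
@dataclass(frozen=True)
class Traveler:
    reservation_code: str

@dataclass(frozen=True)
class Buyer:
    card_last4: str

@dataclass(frozen=True)
class Agency:
    agency_id: str

@dataclass(frozen=True)
class AirlineStaff:
    role: str
    passenger_id: str

STAFF_EDIT_ROLES = frozenset({"gate_agent", "supervisor"})  # assumed role names

def _same(a: str, b: str) -> bool:
    # Constant-time comparison for presented secrets.
    return hmac.compare_digest(a.encode(), b.encode())

def allowed(actor: object, action: str, r: Reservation) -> bool:
    """Default deny: each actor type gets exactly the actions the requirements name."""
    if isinstance(actor, Traveler):
        return action == "view" and _same(actor.reservation_code, r.code)
    if isinstance(actor, Buyer):
        return action == "modify" and _same(actor.card_last4, r.card_last4)
    if isinstance(actor, Agency):
        own = r.agency_id is not None and _same(actor.agency_id, r.agency_id)
        return action in ("view", "edit") and own
    if isinstance(actor, AirlineStaff):
        return (action == "edit" and actor.role in STAFF_EDIT_ROLES
                and _same(actor.passenger_id, r.passenger_id))
    return False  # unknown actor types, including a generic "user", get nothing

# Constructed sample reservation for trying the check.
SAMPLE = Reservation(code="QX7K2P", passenger_id="P-1001", card_last4="4242", agency_id="AG-17")
```

Because the policy is keyed on the actor type, a traveler holding a valid reservation code still cannot modify the booking, and a value that is not one of the four actors is denied outright.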

Unix/POSIX environment

POSIX defines “users” for login accounts, but the same term is also used for service accounts (e.g., nginx running as httpd), shared admin accounts, and the root account. Because all are labeled “users”, policies such as “only Alice and Bob may log in via this account” become impossible to express without additional attributes.

SaaS multi‑tenant services

In a SaaS product a paying organization (team) may have many members. Treating every person as a “user” prevents a clean separation between the billing entity (team) and the individuals who act on its behalf (members). A proper model distinguishes team (organization, payment, role hierarchy) from member (actual actor).

Security consequences

The ambiguous “user” merges two concepts:

A real person.

The software representation of that person (account, token, process).

This conflation can cause a Confused Deputy situation. For example, a browser running under a system account is treated as the same “user” as the human, allowing malicious web content to perform actions (e.g., file upload) on the user’s behalf.

Value of precise early design

Spending a few hours at project start to define concrete terminology (e.g., traveler, agent, service account, team, member) reduces later redesign, improves security policy expressiveness, and makes the codebase easier to maintain.

Diagram illustrating user model issues
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
