| Published | 04/01/2021 |
|---|---|
| Last Updated | 20/11/2024 |
Authentication and Authorization are two security mechanisms that manage user access to a system. They are sometimes used interchangeably, but they actually have different functions:
There are many techniques/strategies for authorization, such as:
This post introduces RBAC, a popular authorization technique for common web apps, and shows how to implement a simple RBAC system in Rails with the help of the Pundit gem.
Role-based access control is "an approach to restricting system access to authorized users" (Wikipedia). It is about user management and role assignment: what a user can access is determined by the roles assigned to them. A role is a collection of permissions, where a permission is an action (an operation on a resource) that the role is allowed to perform.
Core actors of an RBAC system:
RBAC has the advantage of being simple to implement and enforce, but it is prone to role explosion, where admins keep adding roles for specific purposes. RBAC also struggles with complex access rules such as time-based rules or per-asset access (for example, "a user may edit only the posts they own"), because a role lookup only knows the type of resource, not the specific record being accessed.
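To make the model concrete before the Rails setup, here is a plain-Ruby RBAC check written for this post (an added example, not the post's own Rails/Pundit code). The `Permission`, `Role`, `User`, `Post` and `PostPolicy` classes, the sample roles and the users are all constructed for illustration; `PostPolicy` only mirrors the shape of what a Pundit policy's `update?` typically does, without depending on the gem. It shows the pure role lookup (`User#can?`) and, on top of it, the per-asset ownership check that the role lookup alone cannot express.

```ruby
require 'set'

# Permission = an action on a resource type (e.g. :update on "Post").
# Struct gives value equality, so permissions can be stored in a Set.
Permission = Struct.new(:action, :resource)

# Role = a named collection of permissions.
class Role
  attr_reader :name, :permissions

  def initialize(name, permissions)
    @name = name
    @permissions = Set.new(permissions)
  end
end

# User = identity plus assigned roles. Effective permissions are the
# union of the permissions of every assigned role.
class User
  attr_reader :name, :roles

  def initialize(name, roles)
    @name = name
    @roles = roles
  end

  def permissions
    roles.reduce(Set.new) { |acc, role| acc | role.permissions }
  end

  # Core RBAC decision: allowed iff some assigned role grants (action, resource).
  # This only sees the resource *type* ("Post"), never a particular record.
  def can?(action, resource)
    permissions.include?(Permission.new(action, resource))
  end
end

# Constructed sample resource with an owner, used to show the per-asset limit.
Post = Struct.new(:title, :owner)

# Per-asset rule layered on top of RBAC (hypothetical, modeled on the shape of
# a Pundit policy): an author may update only their own posts, an admin any post.
class PostPolicy
  def initialize(user, post)
    @user = user
    @post = post
  end

  def update?
    return true if @user.can?(:update_any, 'Post')

    @user.can?(:update, 'Post') && @post.owner == @user.name
  end
end

# Constructed sample permissions, roles and users.
PERMS = {
  read:         Permission.new(:read, 'Post'),
  create:       Permission.new(:create, 'Post'),
  update:       Permission.new(:update, 'Post'),
  update_any:   Permission.new(:update_any, 'Post'),
  delete:       Permission.new(:delete, 'Post'),
  manage_users: Permission.new(:manage, 'User')
}.freeze

ROLES = {
  viewer: Role.new('viewer', [PERMS[:read]]),
  author: Role.new('author', [PERMS[:read], PERMS[:create], PERMS[:update]]),
  admin:  Role.new('admin', PERMS.values)
}.freeze

ALICE = User.new('alice', [ROLES[:author]])
BOB   = User.new('bob',   [ROLES[:viewer]])
CAROL = User.new('carol', [ROLES[:admin]])
DAVE  = User.new('dave',  [ROLES[:viewer], ROLES[:author]]) # several roles

ALICES_POST = Post.new('Hello', 'alice')
BOBS_POST   = Post.new('Hi', 'bob')

if __FILE__ == $PROGRAM_NAME
  puts "alice can update Post type?        #{ALICE.can?(:update, 'Post')}"
  puts "alice can update alice's post?     #{PostPolicy.new(ALICE, ALICES_POST).update?}"
  puts "alice can update bob's post?       #{PostPolicy.new(ALICE, BOBS_POST).update?}"
  puts "carol (admin) can update bob's?    #{PostPolicy.new(CAROL, BOBS_POST).update?}"
  puts "bob (viewer) can update own post?  #{PostPolicy.new(BOB, BOBS_POST).update?}"
end
```

Note the asymmetry: `ALICE.can?(:update, 'Post')` is true for every post, which is all the role lookup can say; the ownership check lives in the policy, which is exactly where a Pundit policy would put it.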
We're going to set up User, Role and Permission models with these assumptions: