Published 04/01/2021
Last Updated 20/11/2024

Authentication and authorization are two security mechanisms for managing user access to a system. They are sometimes used interchangeably, but they actually have different functions:

There are many techniques/strategies for authorization, such as:

This post introduces RBAC, a popular authorization technique for common web apps, and shows how to implement a simple RBAC system in Rails with the help of the Pundit gem.

What is RBAC?

Role-based access control is "an approach to restricting system access to authorized users" (Wikipedia). It is about user management and role assignment. What a user can access is determined by the roles assigned to them. A role is a collection of permissions, where each permission defines an action (an operation on a resource) that the role is allowed to perform.

Core actors of an RBAC system:

RBAC has the advantage of being simple to implement and enforce, but it is prone to role explosion, where admins keep adding roles for specific purposes. RBAC also has difficulty with complex access rules, such as time-based rules or per-asset access.
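To make the user/role/permission model above concrete, here is an added example (not the post's code) of a minimal in-memory RBAC model with a policy class written in Pundit's `initialize(user, record)` / `action?` convention, without requiring the gem. `PostPolicy`, the role names and the users are constructed sample data; the check is deny-by-default.

```ruby
require 'set'

# A permission is one action on one resource type, e.g. update a post.
Permission = Struct.new(:action, :resource)

# A role is a named set of permissions.
class Role
  attr_reader :name
  def initialize(name, permissions)
    @name = name
    @grants = Set.new(permissions.map { |p| [p.action, p.resource] })
  end

  def allows?(action, resource)
    @grants.include?([action, resource])
  end
end

# The user's role list plays the part of the UserRole assignment table.
User = Struct.new(:name, :roles)

# Deny by default: access requires at least one assigned role that grants
# the (action, resource) pair. No role, no grant.
def permitted?(user, action, resource)
  user.roles.any? { |role| role.allows?(action, resource) }
end

# Pundit-convention policy: initialize(user, record) plus one predicate per
# controller action. Hypothetical PostPolicy, written without the gem, so
# role checks live in one place instead of in each controller.
class PostPolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?;    permitted?(@user, :read,   :post); end
  def update?;  permitted?(@user, :update, :post); end
  def destroy?; permitted?(@user, :delete, :post); end
end

Post = Struct.new(:title)

# Constructed sample data: two roles, two users.
VIEWER = Role.new('viewer', [Permission.new(:read, :post)])
EDITOR = Role.new('editor', [Permission.new(:read, :post),
                             Permission.new(:update, :post)])
ALICE  = User.new('alice', [EDITOR])
BOB    = User.new('bob',   [VIEWER])
```

Note that neither role grants `:delete`, so `destroy?` is false for everyone until an admin role explicitly adds that permission.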

Implement a simple RBAC in Rails with Pundit

We're going to set up UserRole and Permission models with these assumptions: