Here's an exchange I've had on a few occasions when discussing a new
web app project:
OK, I can't blame Bob for not wanting to talk about security and
authorization; it's not interesting or fun. However, dodging these types of
questions can leave us developers in a tough spot.
So what do you do in a situation like this, where the details are vague, but
you've got to start implementing something?
Well, you need to be careful, because you're facing a couple of big risks.
Without clear direction, you might end up:
- Adding too few authorization features
- or adding unnecessary authorization features.
Here's my suggestion for dealing with authorization when the requirements
Choose an approach that:
- is simple and well understood
- is widely adopted
- follows the 80/20 rule (on features)
So what approach is simple and well understood?
This would have to be Role Based Access Control (RBAC), which has been around
for almost 3 decades. RBAC doesn't solve every authorization problem you
might have, but it is relatively simple and well understood.
So what's the most widely adopted approach?
Well, that would have to be Role Based Access Control as well. In fact, most
larger businesses use some form of Role Based Access Control in the systems
What do I mean by "follows the 80/20 rule"?
It means choosing the solution that takes ~20% of the effort compared to the
more sophisticated options, yet covers ~80% of the use cases you have.
Role Based Access Control feels like the perfect 80/20 solution.
So, how might you implement Role Based Access Control in a Phoenix Web
Check out the above free screencast to learn more.
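To make the "simple, well understood" point concrete, here is a minimal RBAC plug for a Phoenix controller. It is an added example, not code from the screencast or the course; the module names (`MyAppWeb.Plugs.RequireRole`, `MyAppWeb.PostController`), the role-to-permission table, and the assumption that an earlier authentication plug has placed a user with a `:role` atom in `conn.assigns.current_user` are all hypothetical.

```elixir
defmodule MyAppWeb.Plugs.RequireRole do
  @moduledoc """
  Minimal role-based access control (RBAC) plug.

  Assumes an earlier plug in the pipeline has put the current user in
  `conn.assigns.current_user` with a `:role` atom (e.g. :admin, :editor).
  Deny by default: no user, an unknown role, or a missing permission all
  end the request with 403.
  """
  import Plug.Conn
  @behaviour Plug

  # Hypothetical role -> permission table. Controllers ask for a permission;
  # users hold a role. Keeping this one explicit map is the 80/20 part.
  @permissions %{
    admin: [:read_posts, :write_posts, :manage_users],
    editor: [:read_posts, :write_posts],
    viewer: [:read_posts]
  }

  @impl true
  def init(opts), do: Keyword.fetch!(opts, :permission)

  @impl true
  def call(conn, required) do
    case conn.assigns[:current_user] do
      %{role: role} when is_atom(role) ->
        if allowed?(role, required), do: conn, else: forbid(conn)

      _ ->
        forbid(conn)
    end
  end

  # Pure check, so it can be unit-tested without building a conn.
  # Unknown roles map to an empty permission list and are therefore denied.
  def allowed?(role, permission), do: permission in Map.get(@permissions, role, [])

  defp forbid(conn) do
    conn
    |> send_resp(403, "Forbidden")
    |> halt()
  end
end

defmodule MyAppWeb.PostController do
  use MyAppWeb, :controller

  # Anyone authenticated with :read_posts can list; writes need :write_posts.
  plug MyAppWeb.Plugs.RequireRole, [permission: :read_posts] when action in [:index, :show]
  plug MyAppWeb.Plugs.RequireRole, [permission: :write_posts] when action in [:create, :update, :delete]
end
```

Because `halt/1` stops the plug pipeline, a forbidden request never reaches the controller action, so the check cannot be bypassed by an action that forgets to call it.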