
Implementing Authorization using Role Based Access Control (RBAC) in Phoenix Web Applications

James Moore · Originally published at knowthen.com · 2 min read

Setting up Authorization in Phoenix web applications

Here's an exchange I've had on a few occasions when discussing a new
web app project:

(Image: Authorization Conversation)

OK, I can't blame Bob for not wanting to talk about security and
authorization; it's not interesting or fun. However, dodging these kinds of
questions can leave us developers in a tough spot.

So what do you do in a situation like this, where the details are vague, but
you've got to start implementing something?

Well, you need to be careful, because you're facing a couple of big risks.

Without clear direction, you might end up:

  • Adding too few authorization features
  • or adding unnecessary authorization features.

Here's my suggestion, for dealing with authorization when the requirements
are vague.

Choose an approach that:

  • is simple and well understood
  • is widely adopted
  • follows the 80/20 rule (on features)

So what approach is simple and well understood?

That would have to be Role Based Access Control (RBAC), which has been around
for almost three decades. RBAC doesn't solve every authorization problem you
might have (a role says whether a user may edit posts in general, not whether
they may edit this particular post, so ownership checks still need code of
their own), but it is relatively simple and well understood.

So what's the most widely adopted approach?

That would have to be Role Based Access Control as well. In fact, most larger
businesses use some form of role-based access control in the systems they
run.

What do I mean by "follows the 80/20 rule"?

It means choosing the solution that takes roughly 20% of the effort of the
more sophisticated options, yet covers roughly 80% of the use cases you have.

Role Based Access Control feels like the perfect 80/20 solution.

So, how might you implement Role Based Access control in a Phoenix Web
application?

Check out the above free screencast to learn more.
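To make the idea concrete in text form, here is an added example of a role check as a Phoenix Plug. It is not code from the screencast or its repository. It assumes that an authentication plug earlier in the pipeline has already put the signed-in user into `conn.assigns.current_user` and that the user carries a `roles` list; `MyAppWeb`, the `:admin` and `auditor` roles, and the `/admin/users` route are illustrative names. The point of the example is the part that is easy to get wrong: the check denies by default, distinguishes "not signed in" (401) from "signed in but not allowed" (403), and halts the connection so the controller action never runs after a denial.

```elixir
# Added example, not code from the screencast or its repository: a
# deny-by-default role check as a Plug, wired into a Phoenix router pipeline.
# Assumed: an authentication plug that runs earlier in the pipeline has put
# the signed-in user into conn.assigns.current_user, and that user carries a
# `roles` list (atoms or strings). Module, role and route names are illustrative.
defmodule MyAppWeb.Plugs.RequireRole do
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts) do
    # Normalise the required roles once (init/1 runs at compile time in a
    # router pipeline) so call/2 always compares strings with strings.
    opts |> Keyword.fetch!(:roles) |> List.wrap() |> Enum.map(&to_string/1)
  end

  @impl Plug
  def call(conn, required_roles) do
    case conn.assigns[:current_user] do
      # No user at all: authentication, not authorization, is what failed.
      nil -> deny(conn, 401, "Authentication required")
      user -> if authorized?(user, required_roles), do: conn, else: deny(conn, 403, "Forbidden")
    end
  end

  @doc "True when the user holds at least one of the roles the route requires."
  def authorized?(user, required_roles) do
    user_roles = user |> Map.get(:roles, []) |> Enum.map(&to_string/1)
    Enum.any?(required_roles, &(&1 in user_roles))
  end

  # halt/1 is the important part: without it Plug keeps running the rest of
  # the pipeline and the controller action even though a response was sent.
  defp deny(conn, status, body) do
    conn |> send_resp(status, body) |> halt()
  end
end

# Router fragment: the role check lives in a pipeline, so every route under
# /admin is covered and a new route cannot be added there without it.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    # ...plus the authentication plug that sets conn.assigns.current_user
  end

  pipeline :admin_only do
    plug MyAppWeb.Plugs.RequireRole, roles: [:admin]
  end

  scope "/admin", MyAppWeb do
    pipe_through [:browser, :admin_only]
    resources "/users", UserController
  end
end

# ExUnit tests exercising the plug directly through Plug.Test, with
# constructed users rather than database records.
defmodule MyAppWeb.Plugs.RequireRoleTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn
  alias MyAppWeb.Plugs.RequireRole

  @opts RequireRole.init(roles: [:admin, "auditor"])

  test "anonymous request is halted with 401" do
    conn = conn(:get, "/admin/users") |> RequireRole.call(@opts)
    assert conn.halted and conn.status == 401
  end

  test "user without a matching role is halted with 403" do
    conn = conn(:get, "/admin/users") |> assign(:current_user, %{roles: [:editor]})
    conn = RequireRole.call(conn, @opts)
    assert conn.halted and conn.status == 403
  end

  test "user holding one of the required roles passes through" do
    conn = conn(:get, "/admin/users") |> assign(:current_user, %{roles: ["auditor"]})
    refute RequireRole.call(conn, @opts).halted
  end
end
```

Two things to keep in mind when using a plug like this. The roles must come from server-side state (the session or token resolved by your authentication plug), never from request params or a client-controlled cookie, or the check can be bypassed by sending a different role. And a router-level check only answers "may this kind of user reach this route"; per-record decisions such as "may this user edit this particular post" belong in the context or controller, where the record is known.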

Links

Screencast Git Repo

Phoenix LiveView

Authorization In Elixir & Phoenix with pow and pow_assent

Want to learn more about Elixir & Phoenix?

Check out my new course: Elixir & Phoenix for Beginners
