Setting up Authorization in Phoenix web applications
Here's an exchange I've had on a few occasions when discussing a new web app project:
Ok, I can't blame Bob for not wanting to talk about security and authorization; it's not interesting or fun. However, dodging these types of questions can leave us developers in a tough spot.
So what do you do in a situation like this, where the details are vague, but you've got to start implementing something?
Well, you need to be careful, because you're facing a couple of big risks.
Without clear direction, you might end up:
- adding too few authorization features, or
- adding unnecessary authorization features.
Here's my suggestion, for dealing with authorization when the requirements are vague.
Choose an approach that:
- is simple and well understood
- is widely adopted
- follows the 80/20 rule (on features)
So what approach is simple and well understood?
This would have to be Role Based Access Control (RBAC), which has been around for almost 3 decades. RBAC doesn't solve every authorization problem you might have, but it is relatively simple and well understood.
So what's the most widely adopted approach?
Well, that would have to be Role Based Access Control as well; in fact, most larger businesses use some form of Role Based Access Control in the systems they rely on.
What do I mean by "follows the 80/20 rule"?
It means choosing the solution that takes roughly 20% of the effort of the more sophisticated options, yet covers roughly 80% of the use cases you have.
Role Based Access Control feels like the perfect 80/20 solution.
So, how might you implement Role Based Access Control in a Phoenix web application?
Check out the above free screencast to learn more.
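As a starting point alongside the screencast, here is an added example (not code from the screencast or from any project) of the simplest RBAC building block in Phoenix: a plug that lets a router pipeline or controller declare which roles may reach an action and fails closed for everyone else. It assumes an earlier authentication plug has put the current user, with a `:role` atom, in `conn.assigns.current_user`; `MyAppWeb` and that user shape are hypothetical.

```elixir
defmodule MyAppWeb.Plugs.RequireRole do
  @moduledoc """
  Minimal Role Based Access Control as a plug.

  The route or controller declares the roles allowed to proceed:

      # in the router, per pipeline
      pipeline :admin do
        plug MyAppWeb.Plugs.RequireRole, roles: [:admin]
      end

      # in a controller, per action
      plug MyAppWeb.Plugs.RequireRole, [roles: [:admin, :editor]]
           when action in [:edit, :update, :delete]

  Assumes (hypothetical app shape) that an authentication plug ran
  earlier and set `conn.assigns.current_user` to a struct/map with
  a `:role` atom, or to nil when nobody is signed in.
  """
  import Plug.Conn

  @behaviour Plug

  @impl true
  def init(opts) do
    # Fail at compile/boot time if a route forgets to say which roles it wants,
    # rather than silently allowing everything.
    Keyword.fetch!(opts, :roles)
  end

  @impl true
  def call(conn, allowed_roles) do
    case conn.assigns[:current_user] do
      # No signed-in user: this is an authentication problem, not a role problem.
      nil ->
        deny(conn, 401, "authentication required")

      # A user whose role is in the allow list passes through unchanged.
      %{role: role} ->
        if role in allowed_roles, do: conn, else: deny(conn, 403, "forbidden")

      # Anything else (user without a role) is treated as no role at all.
      _ ->
        deny(conn, 403, "forbidden")
    end
  end

  # halt/1 stops the pipeline so the controller action never runs.
  defp deny(conn, status, message) do
    conn |> send_resp(status, message) |> halt()
  end
end
```

Keeping the allowed roles in the router and controller rather than inside the action bodies is what makes the rules easy to audit later, which is most of the value of the 80/20 approach.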