The way authorization starts once a company gets its first customer
What are coarse roles?
Not our ICP
What is a monolith?
An example of the difference between AuthN and AuthZ
What is login (to ensure the person is who they say they are) and the rules that determine what that person is allowed to do?
The ability to add "sharing" permissions to the resources in your application
What is collaboration?
The buttons on the screen that you see on an app
Frontend
We add more if statements to represent more roles
What happens once we start adding more permissions as the app evolves?
One front end, one backend, one database
What is the architecture for a monolith?
OPA
What is commonly used for infra authorization?
The ability to have authorization that only allows customers to use features they pay for
What are entitlements?
Time from when you click something until the app responds
What is latency?
It's hard to express logic clearly
Why are the Rules/Model Hard?
The question I ask to determine if the customer is a monolith or microservices
How many databases do you have supporting your services?
One is for authorization for internal employees, one is for customer facing authorization
What are conductorone and Oso?
The ability to let customers define their own roles based on a given set of permissions
What are custom roles?
List filtering
How is a database related to Authorization?
Logic is spread throughout the app which makes it hard to test & hard to audit
Why is enforcement hard?
Code is still hard to understand, decent but not great at testing and preventing bugs. No solution for list filtering
What happens when monoliths centralize authz behind an API?
One is for authentication for internal employees, one is for customer facing authentication
What are Okta and Auth0?
A shift in business strategy that triggers customers to add new authorization features
What do companies do when they move upmarket?
Authorization is on the critical path
Why are uptime & latency so important?
The thing that is used to build most first authorization systems
What is custom code?
CanCanCan
CanCan
Pundit
What are libraries monoliths use to centralize authorization?
5 Keywords for Authz
2 Keywords for Authn
What are:
1. ReBAC, RBAC, ABAC, Permissions, Access Control
2. OAuth, Auth0, SSO, LogIn, Magic Links, SCIM
The difference between Fine-grained authorization and coarse grained authorization
What is authorization at the resource/object level instead of at the feature level?
The way authorization touches on all 3 key pieces in an app
Frontend: what can I show this user?
Backend: Am I allowed to let the user do this?
Database: Storing the authorization data