
I do authentication in terms of operations a.k.a. claims a.k.a. attributes, such as "Can Create User".

These are simple, easy to understand, and provide good flexibility.

If you enjoy using roles that's fine too: for example you can create an "Admin" role that grants permissions to do many operations. In other words the Admin role has many claims.

In your authorization code, you check the operation, not the user or the role.

In your database or ORM, you can create these tables: users, users-roles, roles, roles-operations, operations.

We have a detailed writeup here: https://github.com/SixArm/sixarm_ruby_rbac
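The five-table model and the "check the operation, not the role" rule described in the comment above, as an added example in plain Ruby. This is illustrative code written for this page, not the sixarm_ruby_rbac library it links; the `Rbac` module, the `can?` and `operations_for` method names, and the sample rows (alice, bob, carol, the Admin and Analyst roles, the three operations) are all constructed assumptions.

```ruby
# Added example: in-memory version of the tables named in the comment
# (users, users-roles, roles, roles-operations, operations). Not the
# sixarm_ruby_rbac code; all names and rows below are constructed.
require 'set'

# Each "table" is an array of row hashes; the two join tables hold id pairs.
USERS = [
  { id: 1, name: 'alice' },
  { id: 2, name: 'bob' },
  { id: 3, name: 'carol' }, # carol has no roles at all
]

OPERATIONS = [
  { id: 10, name: 'Can Create User' },
  { id: 11, name: 'Can Delete User' },
  { id: 12, name: 'Can View Report' },
]

ROLES = [
  { id: 100, name: 'Admin' },   # Admin has many claims
  { id: 101, name: 'Analyst' }, # Analyst has one
]

ROLES_OPERATIONS = [
  { role_id: 100, operation_id: 10 },
  { role_id: 100, operation_id: 11 },
  { role_id: 100, operation_id: 12 },
  { role_id: 101, operation_id: 12 },
]

USERS_ROLES = [
  { user_id: 1, role_id: 100 },
  { user_id: 2, role_id: 101 },
]

module Rbac
  module_function

  # Walk users -> users_roles -> roles_operations -> operations and return the
  # set of operation names the user holds. Unknown users get the empty set.
  def operations_for(user_name)
    user = USERS.find { |u| u[:name] == user_name }
    return Set.new unless user

    role_ids = USERS_ROLES.select { |ur| ur[:user_id] == user[:id] }
                          .map { |ur| ur[:role_id] }
    op_ids = ROLES_OPERATIONS.select { |ro| role_ids.include?(ro[:role_id]) }
                             .map { |ro| ro[:operation_id] }
    OPERATIONS.select { |op| op_ids.include?(op[:id]) }
              .map { |op| op[:name] }
              .to_set
  end

  # The authorization check. Call sites ask about an operation and never
  # mention a role, so re-assigning which roles grant "Can Create User" is a
  # data change in roles_operations, not a code change.
  #
  # Deny by default: unknown user or no matching row returns false. An
  # operation name that is not in the operations table is treated as a
  # programming error and raises, because a typo at a call site would
  # otherwise silently deny forever and never be noticed in testing.
  def can?(user_name, operation_name)
    unless OPERATIONS.any? { |op| op[:name] == operation_name }
      raise ArgumentError, "unknown operation: #{operation_name.inspect}"
    end
    operations_for(user_name).include?(operation_name)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[alice bob carol].each do |name|
    puts "#{name}: #{Rbac.operations_for(name).to_a.sort.join(', ')}"
  end
  puts "bob can create user? #{Rbac.can?('bob', 'Can Create User')}"
end
```

With this layout, granting a new role to a user is an insert into users_roles, and adding a claim to Admin is an insert into roles_operations; none of the `can?` call sites change.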
