Best Practices for Handling Authorization in Complex SaaS Solutions: Seeking Alternatives to Pundit

This message was imported from the Ruby/Rails Modularity Slack server. Find more info in the import thread.

What is everyone using nowadays to deal with authorization?
Thinking about a solution for complex SaaS solutions.

In the past I’ve been a big fan of Pundit and its permission model, but I was curious how other people do it in case there’s some new pattern I’m unaware of.

The reason I like Pundit is because it helps answer the most important questions:

  1. Can [user] perform [action] on [resource]? (e.g. Can User#1234 delete Receipt#6789?)
  2. Which [resource_type] can [user] access? (e.g. Which receipts can User#1234 access?)

However, complex systems can have more complicated abstractions like permissions, roles, and so forth, and these can be hard to fit elegantly into the structure described above.

Message originally sent by slack user U73XO64MQ9Y
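As an added illustration of the two questions above (not code from the thread or from Pundit itself), here is a Pundit-style policy written without the gem so it runs stand-alone: `destroy?` answers "can this user delete this receipt?", `Scope#resolve` answers "which receipts can this user see?", and a role-to-permission table is layered underneath. The `User`, `Receipt`, role names and permission keys are assumptions.

```ruby
# Added example, not from the thread: a Pundit-shaped policy plus scope, with a
# constructed role -> permission table standing in for whatever a real app stores.
User    = Struct.new(:id, :org_id, :role, keyword_init: true)
Receipt = Struct.new(:id, :org_id, :owner_id, keyword_init: true)

# Constructed lookup; a real system would load roles and permissions from the DB.
ROLE_PERMISSIONS = {
  admin:  %i[receipt.read receipt.destroy].freeze,
  member: %i[receipt.read].freeze,
}.freeze

class ReceiptPolicy
  def initialize(user, receipt)
    @user, @receipt = user, receipt
  end

  # Question 1: can [user] perform destroy on [receipt]?
  # Deny by default: tenant boundary first, then an explicit grant or ownership.
  def destroy?
    return false unless same_org?
    permitted?(:"receipt.destroy") || owner?
  end

  def show?
    same_org? && permitted?(:"receipt.read")
  end

  # Question 2: which receipts can [user] access? Reuses show? so list views can
  # never disagree with the single-record check. (Pundit's Scope would normally
  # return a narrowed ActiveRecord relation; here it filters an in-memory array.)
  class Scope
    def initialize(user, receipts)
      @user, @receipts = user, receipts
    end

    def resolve
      @receipts.select { |r| ReceiptPolicy.new(@user, r).show? }
    end
  end

  private

  def same_org?; @user.org_id == @receipt.org_id; end
  def owner?;    @receipt.owner_id == @user.id; end
  def permitted?(perm); ROLE_PERMISSIONS.fetch(@user.role, []).include?(perm); end
end
```

Unknown roles fall through to an empty permission list, so a user with a misconfigured role is denied rather than granted.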

@iMacTia I’ve been impressed with the work of permit.io as they have some good scalable Ruby solutions and support RBAC, ABAC, and ReBAC

Interesting, will definitely take a look.
Thank you for sharing :bow: !

There are some interesting things happening with OpenFGA, but I haven’t used it in a production application. Unfortunately, they don’t have an official Ruby SDK, but there is a community one (I can only post two links, but check openfga/community on GitHub).

If you haven’t looked at Casbin before, that might be another one that provides more advanced features and configuration than Pundit.


We adopted Action Policy (GitHub - palkan/action_policy: Authorization framework for Ruby/Rails applications), as it lent itself better to supporting the Pundit capability while being easier to tie into our Rails modular monolith.