I have spent a fair amount of time “on the side” thinking about authorization rules over the last year. At work, things have gotten sufficiently complex that we are really straining our existing system. At least some of that comes from our choices, a lot of that comes from the domain complexity we have, and some of that comes from Phoenix only having an opinion in the current 1.8 release RC about “how this should be done” leaving us to make our own bad choices.

I’ve largely been insisting on maintaining an RBAC-driven or RBAC-like system. One thing I’ve learned in past versions of our applications is school districts want very fine-grained controls, almost on the level of individuals, and then quickly find out that maintaining permissions for individuals is just an untenable nightmare. But one thing that a school district does and can consistently know is what someone’s job title/role is.

What we’ve come up with are users have roles in an organization 1. A user can have only one role in an organization, but they can have many of these… role-organization combinations. For example, I can be the principal supervisor of ABC Elementary and XYZ Elementary (two role-orgs) and the department head of Elementary Schools (a third role-org). Intuitively, I think this makes sense and is fairly easy to maintain.

But I have really struggled with language around this stuff. What are these role-organization combinations? Is organization or budget or any of these domain-ish terms correct, or is there a better technical term? Scopes come up often, but we extensively used that term elsewhere– now Phoenix supports scopes directly, so oops– and I found the term scope as having specific, inconsistent, and different definitions in different contexts. One doesn’t really have a role in a scope, but rather, has certain scopes by having a role.

Anyway, all this is preamble to say that while I haven’t read it yet, I’m glad that Tom MacWright linked to Zanzibar, something I completely missed when it came out in 2019. Like Tom, the distributed nature of Zanzibar is not of particular interest, but I’m hopeful that the features and concepts introduced will provide me with better language when talking about authorization going forward.

  1. We haven’t full adopted the term organization. It’s a huge pain point. Right now they’re sometimes budgets, a great domain term until you realize it has 10,000 meanings that are easily used interchangeably, and sometimes they’re organizations. But I like to use organization in this context because it’s more generic and easier to explain. ↩︎