For anyone who wants to learn what a good authorization system looks like, take a look at Tailscale's recent blog post: https://tailscale.com/blog/rbac-like-it-was-meant-to-be/

Really, if you're going to be selling to enterprise clients, you want an attribute-based authorization system. If you need help designing it, talk to your IT/DevOps/SRE teams; they'll be able to complain about bad auth systems and what they'd want in an ideal world.
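To make the attribute-based point above concrete, here is an added illustration (not code from the Tailscale post or from any product mentioned in the thread): a deny-by-default evaluator where a rule needs a role, an action, and a condition over principal and resource attributes, and any matching deny beats every allow. The `expense_report` resource, its attributes and the sample users are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs], bool]  # (principal, resource) -> bool


@dataclass
class Rule:
    actions: Set[str]
    roles: Set[str]                  # principal must hold at least one of these
    effect: str                      # "allow" or "deny"
    condition: Condition = lambda p, r: True  # attribute check; default: no extra constraint


@dataclass
class Policy:
    resource_kind: str
    rules: List[Rule]


def is_allowed(policy: Policy, principal: Attrs, resource: Attrs, action: str) -> bool:
    """Deny by default; a matching deny rule overrides any matching allow."""
    if resource.get("kind") != policy.resource_kind:
        return False
    allowed = False
    for rule in policy.rules:
        if action not in rule.actions:
            continue
        if not rule.roles & set(principal.get("roles", [])):
            continue  # role requirement not met
        if not rule.condition(principal, resource):
            continue  # attribute condition not met
        if rule.effect == "deny":
            return False  # explicit deny wins immediately
        allowed = True
    return allowed


# Constructed sample policy: employees manage their own reports, managers see and
# approve reports in their department but never their own, auditors read everything.
EXPENSE_POLICY = Policy("expense_report", [
    Rule({"view", "edit"}, {"employee"}, "allow", lambda p, r: r["owner"] == p["id"]),
    Rule({"view", "approve"}, {"manager"}, "allow", lambda p, r: r["department"] == p["department"]),
    Rule({"approve"}, {"manager"}, "deny", lambda p, r: r["owner"] == p["id"]),
    Rule({"view"}, {"auditor"}, "allow"),
])
```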
Interesting project; the post resonated. There are more architectural considerations here: https://docs.cerbos.dev/cerbos/0.6.0/index.html
Even as a PdM, I've felt the pain here. Usually it manifests as, "we can't solve this user problem because the authorization controls to make this work are too complex."

Looking forward to a world where this is a solved problem.

Disclaimer: I'm friends with the author of the post.
CEO of Cerbos here. We'd love to hear about the other headaches everyone has faced. Authorization as we know it isn't core to anyone's roadmap, and we want to make it as easy as possible to meet all the crazy requirements.

We are building out examples of how to solve common use cases, which you can find on https://cerbos.dev/
Related and very interesting: https://news.ycombinator.com/item?id=28543457

Good to see more things happening in this space.
Access control is the heart and mind of any business logic; it is your backend system itself. You cannot outsource it; this is absurd.

The main question is "what if it goes wrong?"