πŸ‘©β€πŸ«
Big ACL Docs
big-acl.comStatusSupport
  • Welcome
  • What is Big ACL ?
  • Getting started
    • Signing up
    • Authoring your first rule
    • Writing Effective Rules
  • Key Concepts
    • Lifecycle of an Authorization Rule
    • Managing Exceptions
  • Authorization Landscape
    • RBAC
    • ABAC
    • ReBAC
    • CEDAR
    • XACML
    • Zanzibar
    • OAuth 2.0 Rich Authorization Requests
  • API
    • Authentication
    • Authorization
  • Connectors
    • Spring Security
    • Open Policy Agent
    • Amazon Verified Permissions
Powered by GitBook
On this page

Was this helpful?

  1. Getting started

Writing Effective Rules

Writing a clear, unambiguous authorization rule is not as easy as it sounds.

An effective rule clearly defines who (user or role), what (actions and resource), and when (conditions and context) access is permitted or denied. This precision reduces misinterpretation and enhances maintainability.

To craft such rules, use simple language and adopt a consistent structure for rules, such as [Subject] can [Action] on [Resource] when [Conditions]. For example, "A developer can access a repository if they belong to the same team or department as the repository owner."

Leverage logical operators like AND, OR, and NOT to express conditions unambiguously. Test rules against various scenarios to detect overlaps or gaps; for instance, ensure that no combination of rules grants access the policy did not intend.

Finally, keep authorization rules as atomic as possible: one rule for one purpose. This modularity simplifies debugging, updates, and auditing. Regularly review and update rules to reflect changing policies or system contexts.

Here are a few examples:

  • "A developer can access a repository if they belong to the same team or department as the repository owner."
  • "A user can edit a document if they have a role of editor or admin and the document is shared with their team."
  • "A back-office user can validate a financial operation if they have the 'manager' role, the operation is associated with their assigned branch, and the operation's amount does not exceed the user's approval limit."
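The three example rules above, written as atomic [Subject] can [Action] on [Resource] when [Conditions] predicates with a deny-by-default evaluator that reports every matching rule, so scenario tests can surface overlaps and gaps. This is an added illustration in plain Python, not Big ACL's own rule language or API; the attribute names (team, department, branch, approval_limit, shared_with_teams) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict      # attributes of the user making the request
    action: str        # e.g. "access", "edit", "validate"
    resource: dict     # attributes of the target, including its "type"


@dataclass
class Rule:
    """One rule, one purpose: a named permit for a single action on a single resource type."""
    name: str
    action: str
    resource_type: str
    condition: Callable[[dict, dict], bool]   # (subject, resource) -> bool

    def applies(self, req: Request) -> bool:
        # Action and resource type are checked first so the condition only
        # ever sees a request it was written for.
        return (req.action == self.action
                and req.resource["type"] == self.resource_type
                and self.condition(req.subject, req.resource))


# The page's three example rules; AND/OR are written out as Python operators.
RULES = [
    Rule("dev-repo-access", "access", "repository",
         lambda s, r: s["team"] == r["owner_team"] or s["department"] == r["owner_department"]),
    Rule("editor-edit-doc", "edit", "document",
         lambda s, r: s["role"] in ("editor", "admin") and s["team"] in r["shared_with_teams"]),
    Rule("manager-validate-op", "validate", "financial_operation",
         lambda s, r: s["role"] == "manager"
         and r["branch"] == s["branch"]
         and r["amount"] <= s["approval_limit"]),
]


def decide(req: Request, rules=RULES) -> tuple[str, list[str]]:
    """Deny by default; permit when at least one rule applies.
    Returns the decision plus the names of all matching rules, so a scenario
    matched by two rules (an overlap) or by none (a gap) is visible in tests."""
    matched = [r.name for r in rules if r.applies(req)]
    return ("permit" if matched else "deny"), matched


if __name__ == "__main__":
    # Constructed scenario: a manager validating an operation in their own branch within their limit.
    manager = {"role": "manager", "branch": "paris", "approval_limit": 10_000}
    op = {"type": "financial_operation", "branch": "paris", "amount": 5_000}
    print(decide(Request(manager, "validate", op)))   # ('permit', ['manager-validate-op'])
```

Extending the scenario set with each condition negated in turn is the quickest way to confirm that every AND-ed clause actually gates the decision.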
