
Defining scopes with relationship-based access control


Audience question: Pundit lets you define scopes within a policy for filtering collections — what is the pattern with relationship-based access control? Answer: ReBAC doesn't give you that for free; you have to explicitly query the graph. Pundit is a 'black box of logic' that accepts any Ruby code, while FGA is intentionally constrained — you must declare relations, which is a trade-off.

answer_summary
ReBAC has no built-in scope mechanism; you must explicitly query the relationship graph. Pundit is more flexible but less structured.
question Defining scopes with relationship-based access control
about
Pundit tool
Compares ReBAC to Pundit's scopes feature.
question Defining scopes with relationship-based access control
about
Discusses what ReBAC gives (and doesn't give) for collection filtering.
question Defining scopes with relationship-based access control
asked_at
Audience Q&A following the talk.
