← Graph

No 'Pundit' Intended

talk 22 connections

wroclove.rb 2025 talk by Yatish Mehta ('Unduple the power of Rails authorization'). Walks through implicit query-scope authorization, CanCan, Pundit / action_policy, and their scaling/refactoring/performance/auditability limits, then introduces Fine-Grained Authorization (FGA, a.k.a. relationship-based access control) based on Google's Zanzibar paper. Uses a project-management app (users, teams, projects, tasks, admin/editor/commenter roles; sensitive-task rule) as the worked example. Presents the author's granity gem, which stores relationships as tuples, navigates them as a graph, supports smart caching, reverse lookups and permission-path audit. Also surveys external FGA-as-a-service providers. Summary path: start with Pundit, add granity for FGA, adopt an external authorization service for truly distributed systems.

type
talk
talk No 'Pundit' Intended
about
Authentication concept
Talk introduces the authentication vs authorization distinction.
talk No 'Pundit' Intended
about
Authorization concept
Core subject of the talk.
talk No 'Pundit' Intended
about
Implicit Authorization concept
First approach surveyed — authorization via query scopes.
talk No 'Pundit' Intended
about
CanCan tool
Surveyed as the second approach, with its scaling limitations.
talk No 'Pundit' Intended
about
Pundit tool
Surveyed as the most popular Rails authorization gem and its limitations at scale.
talk No 'Pundit' Intended
about
action_policy tool
Mentioned as a revised-Pundit alternative with the same philosophy.
talk No 'Pundit' Intended
about
Fine-Grained Authorization concept
Central proposal of the talk: FGA / relationship-based access control.
talk No 'Pundit' Intended
about
Google Zanzibar resource
Cites the Google Zanzibar paper as the foundation of FGA.
talk No 'Pundit' Intended
about
granity tool
Introduces and demos Yatish's granity gem.
talk No 'Pundit' Intended
about
OpenFGA tool
Listed among external FGA providers based on Zanzibar.
talk No 'Pundit' Intended
about
Oso tool
Listed among external FGA providers.
talk No 'Pundit' Intended
about
permit.io tool
Listed among external FGA providers.
talk No 'Pundit' Intended
about
Devise tool
Mentioned as the typical Rails gem for authentication.
talk No 'Pundit' Intended
about
Figma company
Cites Figma's blog claim that ~23% of SQL queries relate to access control.
question How to model sensitive tasks in FGA?
asked_at
No 'Pundit' Intended talk
Audience Q&A following the talk.
question How hard is it to keep authorization relationships in sync?
asked_at
No 'Pundit' Intended talk
Audience Q&A following the talk.
question Defining scopes with relationship-based access control
asked_at
No 'Pundit' Intended talk
Audience Q&A following the talk.
person Yatish Mehta
authored
No 'Pundit' Intended talk
Yatish delivered this talk at wroclove.rb 2025.
takeaway Start with Pundit, add granity for FGA, adopt authorization-as-a-service at distributed scale
from_talk
No 'Pundit' Intended talk
Explicit closing recommendation of the talk.
takeaway Model permissions as a graph, check them as path existence
from_talk
No 'Pundit' Intended talk
Core conceptual insight presented in the talk.
takeaway Tuples must be kept in sync with domain data
from_talk
No 'Pundit' Intended talk
Warning raised in Q&A and reinforced in the talk.
talk No 'Pundit' Intended
presented_at
wroclove.rb 2025 event
Talk delivered at the March 2025 edition of wroclove.rb.

Provenance

Created
2026-04-17 16:18 seed
Last updated in
No 'Pundit' Intended — Rails Authorization by Yatish Mehta 2026-04-18 07:44
Read by
20 extractions