Fauna security model

Of the many things I love about Fauna, the one that first comes to mind is its security model. I just released an app. In its earliest stages I had an incomplete understanding of what I wanted to achieve, so I started with what I knew: it had to have user authentication. Afterwards, I just concentrated on writing all the parts that make it work, without any more thought of security. In the end, I had something special. It became clear that it was community-based, where sharing one’s work was paramount, but I wanted to ensure that no one could modify my work, only view it. At that moment, the security model was clear, and roles quickly followed.

My question is: “How does Fauna’s security model compare to other vendors, specifically MS SQL Server?” It has been about 8 years since I last worked with SQL Server. My recollection was that it couldn’t “hold a candle” to Fauna, by comparison. Is this still true, today?

Thank you.

1 Like

I believe you are correct; although I haven’t used SQL Server in a long time, I have recently looked at the docs again.

Like all SQL databases, the authentication and access control model is fundamentally administrator-centric, not user centric. Additionally SQL Server is still heavily tied to the Windows accounts/groups model. Although it does have a support for password-based user authentication, roles, and row-based access control, the row-based AC requires defining a custom function on every table in the database to secure the rows, along with defining roles for access to the tables themselves. It is also not an additive (or whitelist) based model which makes security holes more likely, especially in conjunction with the possibility of SQL injection. It is much easier to start from no access and incrementally allow various rights than the other way round.

IMO it would be a challenge, both in development complexity and scalability, to implement something similar to Fauna’s web-native security model in SQL server. In particular, token access looks basically impossible at the user level.

1 Like

Thank you very much for your reply, Evan.

May I ask for clarification? Your last sentence, second paragraph you said: “It is much easier to start from no access and incrementally allow various rights than the other way round.”

By saying “it”, do you mean “SQL Server,” or “development, in general?” I take it that you mean development. If so, I wholeheartedly agree!

As a general rule in all development, which SQL databases violate.

Thank you very much, Evan!