Privileges vs Membership abac

From the docs:

  • A privilege configuration object defines, for a given resource, what actions are permitted.
  • A membership configuration object dynamically defines which authenticated resources are members of a given role.

I’m struggling a bit to understand how these differ / which one to use.

Say I have a collection of users.
Some of them have a property like type: default which means they should only be able to read other users and write their own user object.
Some have type: adminwhich means they can read and write to all users.

For this scenario, which of these approaches is the right one?

  1. Set up 2 custom roles (one for default, one for admins) and then use the membership parameter to determine what role they belong to via the user.type attribute
  2. Set up 1 custom role (where all users are members) and for each permission type set a lambda that dynamically checks whether a user is of type admin or is editing his own account?

Just for clarity, privileges specify what can be done, and membership specifies who can use those privileges.

Overall, there is little difference between the two approaches that you have outlined. The same amount of “work” needs to be done to grant privileges. However, the first approach incurs an additional read operation to fetch the second role. That extra read operation could add up over time; roles are evaluated for every query sent to Fauna.

2 Likes