It certainly helps to have the authorization rules in your Rails app defined in a clear DSL, such as the one offered by declarative_authorization. Still, with anything more than a few roles and models (let’s not even think about 200 models), it can be hard to maintain a good view of the whole rules set.
So, how about a graphical browser of your authorization rules? In particular inheritance between roles and privileges – and consequences thereof – may be much easier to grasp in a graphical way. This is how it looks in the declarative_authorization demo application:
Roles are shown in colored ovals and are connected to privileges in the context boxes. Inheritance links between roles and privileges are displayed in black, with unfilled arrows. Filled circles on role-privilege links show additional rules that apply.
You can filter to dig deeper into the rules and limit the view to certain roles or contexts. Also, you can decide to only display those privileges that are explicitly stated in the authorization configuration or all privileges that the roles possess.
If you are interested, give it a try. Either in the declarative_authorization demo application or in your own application. The declarative_authorization README tells you the one simple step to get it started. This feature requires graphviz for graph generation and Rails 2.3 for its Engine support.
On the long run, we’d like to integrate multiple abstraction levels for different viewing audiences and we might even add authorization rule editing capabilities.
What do you think? Does this help you as a developer or in discussions with non-technical customers about authorization?