Updated 2009-05-23
There seems to be a consensus to choose AuthLogic or restful_authentication as the Rails way of securely identifying users, at least with local user databases (in contrast to e.g. OpenID authentication). For authorization, i.e. restricting the access rights of individual users, the situation is different: there are lots of alternatives. This is probably due to the varying authorization requirements that projects have. While there are lists and surveys of Rails authorization plugins, I was missing an overview that could help in the decision-making process of choosing the right plugin for my specific requirements.
I tried to examine each plugin according to a few aspects:
- Access control may be enforced on different layers, in the model, for controller actions and in views.
- Most plugins have some user and role concept for restricting access. Authorization constraints allow more fine-grained decisions, though, by defining conditions that need to be met, typically on a context object, in order to grant access.
- It is common to define access rules through Access Control Lists (ACL), whereby an object has a list of users or roles that are allowed to operate on the object. ACLs may increase authorization maintenance effort, as new users or roles need to be added in multiple places. In contrast, privileges, as known from RBAC, are a further abstraction: users or roles possess privileges, and privileges in turn are assigned as requirements to operations on the objects. Adding a new role then only means assigning it the right privileges, rather than touching every object's list.
- Simplicity helps, so it is a common rule to use the least complex solution possible for a given task. While it is difficult to evaluate complexity without working in depth with an authorization plugin, I still tried to give a rough estimate of each plugin's complexity from an application developer's point of view.
My conclusion (disclaimer: I’m the author of declarative_authorization): depending on the size of your project, you face roughly three options:
- Go for a simple solution which most likely won’t cover all the edge cases, like role_requirement.
- Follow a simple recipe and roll your own authorization mechanism. This way, you won’t depend on any maintainer to keep the plugin up-to-date. Also, it will be easier to modify it to your requirements.
- If you see more complex scenarios on the horizon, say more than three roles, maybe even role hierarchies, you should seriously look into the more complex, but also more maintainable options, such as declarative_authorization. Having all your authorization rules in one place helps greatly when the rules need to be modified.
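To make the privilege-based approach and the roll-your-own option concrete, here is an added example in plain Ruby (not code from any of the plugins listed, and no Rails dependency): roles hold privileges, a privilege may carry a constraint evaluated on a context object, and a small role hierarchy shows where the complexity starts. `Post` and `User` are constructed stand-ins for models.

```ruby
# Added example (not from any listed plugin): role -> privilege policy in
# plain Ruby with constraints on a context object and a role hierarchy.
Post = Struct.new(:author_id, :published)   # constructed stand-in for a model
User = Struct.new(:id, :roles)

class Policy
  def initialize
    @rules = Hash.new { |h, k| h[k] = [] }    # role => [[privilege, constraint], ...]
    @parents = Hash.new { |h, k| h[k] = [] }  # role => roles it inherits from
  end
  # Grant a privilege to a role; the optional block is a constraint on (user, context).
  def grant(role, privilege, &constraint)
    @rules[role] << [privilege, constraint]
  end
  # Role hierarchy: `role` gains everything granted to `from`.
  def inherit(role, from)
    @parents[role] << from
  end
  # Roles a user effectively holds, following the hierarchy (cycle-safe).
  def effective_roles(user)
    pending, seen = user.roles.dup, []
    until pending.empty?
      role = pending.shift
      next if seen.include?(role)
      seen << role
      pending.concat(@parents[role])
    end
    seen
  end

  # Deny by default: permit only if some effective role holds the
  # privilege and its constraint (if any) holds for the context.
  def permit?(user, privilege, context = nil)
    effective_roles(user).any? do |role|
      @rules[role].any? do |priv, constraint|
        priv == privilege && (constraint.nil? || constraint.call(user, context))
      end
    end
  end
end

# All rules in one place: a new role touches the policy, not every object's ACL.
POLICY = Policy.new.tap do |p|
  p.grant(:guest, :read_post) { |_user, post| post.published }
  p.grant(:author, :update_post) { |user, post| post.author_id == user.id }
  p.inherit(:author, :guest)   # authors may also do what guests may
  p.grant(:admin, :update_post)
  p.inherit(:admin, :author)
end
```

In a Rails app the same `permit?` check would be called from a controller before_filter, a view helper and a model callback, which is exactly the M/C/V distinction used in the table below.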
A table of the evaluated authorization plugins, roughly sorted by activity. The M, C and V columns indicate whether restrictions can be enforced in the model, on controller actions and in views, respectively:

| Plugin | M | C | V | Constraints | Privileges | Complexity | Activity | Description |
|---|---|---|---|---|---|---|---|---|
| Authorization | Yes | Yes | No | Yes | No | medium | recently | Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances |
| declarative_authorization | Yes | Yes | Yes | Yes | Yes | medium | recently | Declarative approach: separation of authorization logic from program code for maintainability |
| acl9 | No | Yes | Yes | Yes | No | medium | recently | Access control list with a simple role model that allows binding roles to specific objects; constraints through custom has_role methods on models |
| RESTful_ACL | Yes | Yes | Yes | Yes | No | simple | recently | Restrictions based on permission methods on models for CRUD operations; no built-in role concept; seems to be restricted to CRUD controller actions |
| Padlock Authorization | Yes | Yes | No | Yes | No | medium | recently | Allows objects to have roles according to specific users |
| redpill_access_control | No | Yes | Yes | No | No | medium | recently | Uses access restrictions on controller actions for restrictions in views |
| Authorize | No | Yes | Yes | No | No | high | recently | Has a subject/trustee concept for specifying relationships regarding authorization |
| role_requirement | No | Yes | No | No | No | simple | recently | Role-based ACLs for restrictions on controller actions |
| ActsAsAuthorizable | Yes | No | No | Yes | No | medium | 2008 | Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances |
| base_auth | Yes | Yes | Yes | Yes | No | simple | 2008 | User object-based restrictions on controller actions and views |
| Role-ful | Yes | No | No | Yes | Yes | medium | 2008 | Defines roles in the user object that can be queried through instance methods |
| Easy Access | Yes | No | No | Yes | Yes | simple | 2008 | Helps define can_be_[action]_by methods on the model |
| Blubber | No | Yes | No | No | No | simple | 2008 | Used by defining [role]_acl methods on the controller |
| acts_as_checkpoint | Yes | Yes | No | Yes | No | simple | 2008 | Role-based restrictions on controller actions; simple model restrictions through methods on models, employing associations |
| ActsAsPermissible | Yes | No | No | No | No | medium | 2008 | Provides the basic necessity of authorization: model methods for assigning permissions and roles to users and retrieving the merged permissions |
| acl_system2 | No | Yes | Yes | No | No | simple | 2007 | Role-based ACLs for restrictions on controller actions and in views; similar: Simple Access Control |
| ActiveRbac | No | Yes | No | No | Yes | medium | 2007 | Implements only the queries on model instances for access rights |
| access_control | No | Yes | No | No | No | simple | 2007 | Simple controller action restrictions based on Unix-style rwx ACLs |
| UserEngine | No | Yes | No | No | Yes | medium | 2006 | Controller/action-based privileges assigned to roles for filtering access to controller actions |
| ActiveAcl | Yes | No | No | Yes | Yes | high | 2006 | Complex database design to allow arbitrary user – role – privilege – object relations |
Let me know if I missed important aspects of those plugins or other plugins that you like.
Thanks for reviewing RESTful_ACL!
Posted by Matt Darby on August 14th, 2008.
Thanks for checking out acts_as_checkpoint, as well.
Posted by Brian Langenfeld on August 15th, 2008.
[...] looked through quite a few existing Rails authorization plugins, we decided, we were in need of a different approach. Mainly, it was the missing separation of [...]
Posted by steffenbartsch — Declarative Authorization on September 4th, 2008.
you forgot to mention the acts_as_permissible (http://github.com/NoamB/acts_as_permissible/).
Posted by Marcus Derencius on September 11th, 2008.
Thanks. I added that one.
Posted by Steffen Bartsch on September 11th, 2008.
[...] to solve the problem, but better support was still missing. I searched for plugins and found this review, a very good one by the way, in which the author creates a complete new solution separating the access logic [...]
Posted by Controle De Acesso Em Rails « Bernardo Rufino on January 21st, 2009.
excellent,
this is a very well done comparison …
… and your solution is fantastic, I hope it will become the de-facto standard for AAA
Posted by cs on February 24th, 2009.
Can you add acl9?
It looks like there has never been any clear “winner” in the ACL department for rails… at least not with a good range of features like yours has. I think I’m going to start with role_requirement because it’s really simple to get me started, although I think long term I’ll switch to something more capable. Also, more people seem to be using role_requirement, as far as I can tell (probably again because of the simplicity).
Posted by sbwoodside on May 22nd, 2009.
I added acl9, thanks for mentioning it.
I don’t think there needs to be any “winner”. For simple requirements, such as admin and guest users, role_requirement will be fine. If you already expect more complex scenarios, I strongly suggest looking into declarative_authorization.
Steffen
Posted by Steffen Bartsch on May 23rd, 2009.
Very nice plugin you have. Any reason why not to store the authorization rules into the database? I really want to use your plugin, but I want to let users administer rules and roles. Any plans for a addon someday?
My programming skills are sadly not good enough to write such a solution. Or do you have any other idea for a solution?
Regards
PS: You are also welcome to send me an email and then we can continue the conversation in German :)
Posted by tvdeyen on October 28th, 2009.
Please, use the decl_auth Google Group for any questions regarding the plugin. Thanks.
Posted by Steffen Bartsch on October 29th, 2009.
[...] Rails Authorization Plugins [...]
Posted by Ruby on Rails : Screencast: Declarative Authorization on November 16th, 2009.
Thank you for this comprehensive list of authorization plugins, it is very useful. Could you add CanCan to this list? It is a plugin I’ve been working on which is very simple (currently under 100 lines of code) but offers a lot of flexibility.
http://github.com/ryanb/cancan
Posted by Ryan Bates on November 17th, 2009.
Looks interesting. I added cancan to my backlog. Hopefully, I will update the list soon.
Posted by Steffen Bartsch on November 17th, 2009.
What do you think of Lockdown [1]?
[1] http://stonean.com/page/lockdown
Posted by andresgutgon on November 17th, 2009.
Lockdown is already on my backlog. I really need to revise this post.
Posted by Steffen Bartsch on November 18th, 2009.
+1 for adding CanCan to the list: it is actually really usable, and can manage simple to complex scenarios
(thank you, Ryan Bates)
Posted by Luca B. on February 6th, 2010.
It seems that none of these plugins allow for dynamic permission setting (where an admin can grant permission on specific objects to roles in a live system).
Did I miss something?
Why not store the permissions in a table rather than in a file?
Posted by Brad Langhorst on February 24th, 2010.
[...] I’m aware there are quite a few other plugins out there. If you found another one and you’re very happy about it, please share. Tagged [...]
Posted by Choosing an authorization framework for rails « Jabberwocky on February 26th, 2010.
Hi,
Looks like you haven’t added Cancan yet to your list.
That would be a great plus to this already very good reference page.
Thanks in advance ;-)
Posted by Julien Palmas on May 26th, 2010.
Hi,
some people have asked for a plug-in that could keep the roles assignment in the database, so that the role management can be dynamically configured. Is anyone aware of a good plug-in that implements this requirement?
Many thanks in advance!
Posted by sermojohn on September 7th, 2010.
+1 for updating this really useful list, and adding Can Can :-)
It would be good to provide an example or tutorial on how to integrate declarative_authorization with devise
Posted by Tilo on April 16th, 2011.
I've been checking the list one by one, and most of it is outdated, abandoned or doesn't exist anymore.
This list must definitely be updated!
Posted by vladimir prieto on April 26th, 2011.
[...] There are so many plugins available outside for implementing this Authorization. I decided to do it on my own since this is a simple authorization application, but if you want to go for complex scenarios I suggest you check this link [...]
Posted by Rails Application with Authentication and Authorization « Spritle’s Blog on February 14th, 2012.