Cedar best practices
The best practices included here outline the most up-to-date recommendations to get the most out of using Cedar as your authorization engine.
Best practices
- Define and use naming conventions
- Map actions to the business domain
- Model all permissions in Cedar
- Take advantage of user groups
- Compound authorization is normal
- Prefer fine-grained permissions in the model and aggregate permissions in the user interface
- Use attributes or templates to represent relationships
- Every resource lives in a container
- Separate the principals from the resource containers
- When possible, populate the policy scope
- Normalize input data prior to invoking the authorization APIs
- Don’t use the context field to hold information about the principal, action, and resource
- Implement meta-permissions as policies
- Avoid mutable identifiers in policies
- Use role-based access control as part of your authorization strategy
- Consider other reasons to query authorization
Map actions to the business domain
When designing your authorization model, define actions as business actions, not API actions. POST and GET should not be defined as actions; instead, focus on the actions your users perform. For example, a support technician may perform the CreateSupportCase, ListSupportCase, and ViewSupportCase actions.
Model all permissions in Cedar
Before you started using Cedar, you may have used a permissions table in your database that linked principal IDs to resource IDs. When moving to Cedar, it's best practice to move all of your permission-determination logic into Cedar policies. If you have a permissions table, each row of that table would become a separate Cedar policy.
Take advantage of user groups
When you created your authorization model, you might have created multiple user types, such as Admin, CustomerSupportTech, FinanceUser, etc. In Cedar, we recommend creating only one user type, such as User, and creating Groups that map to the different kinds of users you have, so that you control their permissions at the group level.
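As an added example (not from the Cedar documentation), the Python script below converts permissions-table rows into one Cedar policy each, as described under "Model all permissions in Cedar", and uses "in" for rows that grant to a group, as described under "Take advantage of user groups". The column names, the Group type name and the sample rows are assumptions constructed for illustration; IDs are quoted as Cedar string literals so a value from the table cannot alter the policy text.

```python
import re

# Cedar entity type: identifiers, optionally namespaced with "::".
TYPE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*")
GROUP_TYPES = {"Group"}  # assumption: group grants are stored with this principal type

def cedar_string(value: str) -> str:
    """Quote a value as a Cedar string literal so an ID cannot break out of it."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError(f"control character in identifier: {value!r}")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def entity(type_name: str, entity_id: str) -> str:
    """Render Type::"id", rejecting type names that are not plain identifiers."""
    if not TYPE_RE.fullmatch(type_name):
        raise ValueError(f"invalid entity type: {type_name!r}")
    return f"{type_name}::{cedar_string(entity_id)}"

def row_to_policy(row: dict) -> str:
    """Turn one permissions-table row into one Cedar permit policy."""
    # Group rows grant to every member ("in"); user rows to one principal ("==").
    op = "in" if row["principal_type"] in GROUP_TYPES else "=="
    return (
        "permit (\n"
        f"  principal {op} {entity(row['principal_type'], row['principal_id'])},\n"
        f"  action == {entity('Action', row['action'])},\n"
        f"  resource == {entity(row['resource_type'], row['resource_id'])}\n"
        ");"
    )

def table_to_policies(rows: list) -> str:
    """One policy per row, separated by blank lines."""
    return "\n\n".join(row_to_policy(r) for r in rows)

# Constructed sample rows (hypothetical column names and IDs).
ROWS = [
    {"principal_type": "User", "principal_id": "u-1001",
     "action": "ViewSupportCase",
     "resource_type": "SupportCase", "resource_id": "case-42"},
    {"principal_type": "Group", "principal_id": "CustomerSupportTech",
     "action": "CreateSupportCase",
     "resource_type": "SupportQueue", "resource_id": "queue-7"},
]

if __name__ == "__main__":
    print(table_to_policies(ROWS))
```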