Cedar best practices
The best practices collected here are the current recommendations for getting the most out of Cedar as your authorization engine; each item below is covered in its own section.
Best practices
- Define and use naming conventions
- Identify your authorization patterns
- Map actions to the business domain
- Model all permissions in Cedar
- Populate the policy scope
- Take advantage of user groups
- Compound authorization is normal
- Prefer fine-grained permissions in the model and aggregate permissions in the user interface
- Use attributes or templates to represent relationships
- Every resource lives in a container
- Separate the principals from the resource containers
- Normalize input data prior to invoking the authorization APIs
- Don’t use the context field to hold information about the principal, action, and resource
- Implement meta-permissions as policies
- Avoid mutable identifiers in policies
- Use role-based access control as part of your authorization strategy
- Consider other reasons to query authorization