ADR_005 Component level authorization rules for access control
Date: 10/27
accepted
We have a few categories of users for the product: eaters, kitchen, delivery personnel, each with different sets of needs and usage for accessing the components and the associated data. We need some form of access control in terms of who can access what component and the associated data. This is an important part of the architecture to prevent unauthorized access of the confidential user/company data and boost privacy.
As part of our architecture, we have decided to use external identity provider for authentication (ADR-007) and the identity flows through our architecture with the request to the each component. Now, access control can be added to the architecture in a few ways:
- Component level authorization rules (simple, flexible, more secure)
- Keep authorization rules at the API gateway (less secure, faster)
- Maintain the authorization rules as a separate component (complex, higher cost of maintenance, granular control, highly customizable)
We have decided to keep the authorization rules local to each component, with each component deciding who is allowed to access it.
Given that we only have a few static categories of users, this provides adequate access control and security at the risk of some duplication within each component. This approach also provides added security at the each component level compared to API gateway.
We recognize that if the access control rules become more complex and requires more granular control, we might need to add a separate authorization component and shift to an expensive but customizable approach.