Skip to main content

Use Cases

Proper application authorization & access control are typically mission-critical for all types of purpose-built software in industries and verticals such as finance (fintech), healthcare, data & analytics (including machine learning & AI), operations, and internal apps.

Regardless of the industry or vertical, there are common patterns and use cases we've observed that applications regularly use. Here are a few of those use cases:

Role based access control (RBAC)

Basic RBAC

One of the most common forms of access control, role based access control (RBAC) involves 3 main entities: roles, permissions and users/subjects. Permissions define 'behavior' that can be grouped into roles (ex. 'admin', 'owner') and assigned to users/subjects. RBAC is common within B2B software and SaaS applications used by enterprises and is often required to abide by compliance, contractual and regulatory requirements.

Warrant supports RBAC out-of-the-box. Follow this quickstart to implement RBAC within your application.

Multi-tenant RBAC (custom roles & permissions)

Most applications that implement RBAC usually start with a static set of roles and permissions. This works well for relatively simple applications used by one customer (single-tenant). However, this model often breaks down within multi-tenant applications (apps used by multiple customers). Different customers of a multi-tenant application (ex. multi-tenant SaaS) might require different roles and permissions. This introduces a new dimension (tenant) on top of the existing roles, permissions and users and requires a flexible access model to prevent a concept known as 'role explosion'.

Fine-grained access control (FGAC)

Fine-grained access control (FGAC) is a more granular form of access control that is becoming more popular in apps today. In comparison to more coarse-grained access control like RBAC which grants access based on 'behaviors', FGAC allows for more granular access control that can be defined at an object or resource-level.

For example, while a RBAC policy might specify that [admins] can [edit] [reports], a fine-grained policy can specify that [user:1] can [edit] [report:xsd34].

Content sharing

One of the most common use cases for FGAC is to enable access control on user-generated content, similar to Google Docs or Box. With FGAC, you can easily define owners, editors and viewers of your own resources and objects (ex. documents, reports).

'Fine-grained' RBAC

FGAC can also be used in conjunction with RBAC to enable what we call 'fine-grained RBAC'. This is especially common in SaaS apps and developer tools. For example, let's take a cloud infrastructure multi-tenant SaaS that defines a resource called customer-application. A 'customer-application' can have owners, editors and viewers. Now let's say that the users within this SaaS can have multiple 'roles' within their 'tenant' based on their access level. In order to specify an access rule like all [admins] of [tenant:x] can [edit] [all applications] that belong to [tenant:x], we need 'fine-grained RBAC', or the ability to specify resource-level rules by role.

Organization hierarchies

Another common use case for FGAC is to model complex organization hierarchies, often those found within most mid-large scale enterprises. For example, let's say that we'd like to specify a rule within an organization which states that all [members] of [team:x] can access [report:y87dXfd]. Furthermore, let's say that membership in team:x is driven by org hierarchy and whether a specific person reports to a given manager.

Using an FGAC system such as Warrant, we can model the exact org hierarchy as well as easily define rules such as all [direct reports] of [manager:y] are [members] of [team:x] and all [members] of [team:x] can access [report:y87dXfd] in order to process queries such as can [user:1] access [report:y87dXfd] in realtime.

Regional access control

Similar to enterprise org hierarchies, apps with complex regional hierarchies are a good use case for FGAC. For example, let's say we're building a supply-chain or operations-focused SaaS app where data and functionality is separated by region. We may have region:east and region:west to distinguish the two core regions with teams and users defined within each region.

Using an FGAC system such as Warrant, we can accurately model the regions and easily make queries against it at runtime to ensure that the right users have access to the right data and functionality.

Self-service (or delegated) access control

After introducing RBAC or another access control scheme within a SaaS, one of the most common requests that customers make is the ability to manage roles, permissions and rules themselves. We call this 'self-service access control'. Typically, this ability to manage the access control model is exposed to only a handful of trusted users directly within an admin UI (either built-in or linked from the core app).

Warrant supports self-service out-of-the-box. Follow this quickstart to implement it within your application.

Pricing tiers & features (entitlements)

Although not directly related to security, a common form of access control often used within SaaS is what we call 'pricing tiers & feature entitlements'. Pricing tiers are groups of features within an app, typically assigned based on the end customer's payment tier. Mature SaaS apps often build out their own management and enforcement layer for pricing tiers, in order to support everything from feature overrides and metering to integrations with payment systems.

With an FGAC system like Warrant, pricing tiers and feature entitlements can be expressed as rules like [company:x] is on [tier:enterprise] and [feature:dashboard] is part of [tier:enterprise] in order to easily support runtime queries like can [user:y] which is a member of [company:x] access [feature:dashboard]?