SpiceDB is 100% open source. Please help us by starring our GitHub repo. ↗
SpiceDB Documentation
Getting Started
Coming From
Ruby on Rails

SpiceDB for Ruby on Rails CanCanCan users

This document is designed to cover the conceptual differences between SpiceDB and the popular Ruby on Rails gem CanCanCan.

ℹ️

The focus of the content below is not intended to be a competitive anlaysis, but rather a bridge to understand SpiceDB for existing Rails users.

SpiceDB vs CanCanCan

Every complete permissions system is made up of three major components: models, data, and an engine.

While comparing SpiceDB and CanCanCan is akin to comparing apples and oranges because they are fundamentally two different approaches, both can analyzed through the lens of these three components to understand the design of each.

A quick recap on the components and their purpose:

  • Models define the logic and rules governing actions in the system.
  • Data provides the context for action itself (who's doing it, the object of the action, and more)
  • An engine interprets models and data in order to make an access control decision
modelsenginedata

CanCanCan is a library (gem) designed to help model authorization in Ruby on Rails projects. The fundamental idea behind most authorization libraries is that access control can be modeled by reusing as much as possible from within your existing web framework. For cancancan, developers defines their models from within an Ability class. Engine logic is implemented within the library such that developers can simply load the Ability class within their Controller classes to enforce their models. Data outside of the request context is left open ended, but most often is fetched from the primary database using ActiveRecord.

CanCanCanload andauthorize resource()database?RailsAbilities( models )Controller( engine )

SpiceDB is a class of technology called a database. The fundamental idea behind databases is that they store and index data efficiently so that it can be effectively queried. While many databases are general-purpose, SpiceDB is optimized specifically for storing and querying authorization data. SpiceDB provides all three components of a permissions systems: schema provides the models, the data is stored within the database itself, and the query engine interprets the two in order to make access control decisions.

relationshipsschemagraphSpiceDBapps microservicesware-house( models )( data )( engine )

When to use SpiceDB instead of Cancancan

SpiceDB provides a centralized system and, while doing so, enforces opinions about how authorization should be done. Adopting SpiceDB can be a powerful tool for enabling a shift towards centralizing authorization into one service that can be operated by a specialized team. This design is a perfect fit for when there are multiple software services in an organization that needs to share data in order to secure access to their resources.

When to use Cancancan instead of SpiceDB

Cancancan, and authorization libraries in general, excels when a monolithic or modular monolith architecture is the best fit for your software stack. For example, there are framework utilities and reusable app libraries that your authorization models can leverage.

Open Policy AgentProtecting a Blog Application
© 2024 AuthZed.