Authorization & Role-based Access Control (RBAC)

Pricing plans usually mix feature gating (you need to be on a higher plan to use certain features) with a usage-based component (you pay for what you consume).

Lago lets you implement billing for any pricing grid; however, you still need to handle authorization within your product. In other words, you need to allow some users to use specific features or access certain data, and prevent others from doing so.

Lago does not cover this topic directly, but here are some resources that will help you get it right.

How is authorization different from authentication?

Authentication is the mechanism for verifying who a user is. Authorization is the mechanism for controlling what that user is allowed to do. The two are often linked, but they are distinct concepts, and a valid identity should never by itself imply permission. Oso has done a great job explaining it here.
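As an added illustration (example code written for this page, not Lago's, Oso's, Warrant's or Permit.io's code), the following Python keeps the two steps apart: `authenticate` answers "who is this?" from a session token, and `authorize` answers "may they do this?" by checking plan-based feature gating, a role-based permission table and a usage quota, denying by default. The session-token table, organisations, plan names, role names and feature names are all constructed for the example; in a real product the plan would come from your billing data and the identity from your auth provider.

```python
"""Added example: authentication vs. authorization, with plan-based
feature gating, RBAC and a usage quota. All data below is constructed
for illustration; nothing here is Lago's own API or data model."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# ---------- Authentication: who is this? ----------
# Constructed session-token table standing in for a real auth provider.
_SESSIONS: Dict[str, Tuple[str, str]] = {
    "tok-alice": ("alice", "acme"),
    "tok-bob": ("bob", "acme"),
    "tok-carol": ("carol", "globex"),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str


def authenticate(token: str) -> Optional[Principal]:
    """Verify identity only. Returns None for an unknown token and says
    nothing about what the principal may do."""
    entry = _SESSIONS.get(token)
    return Principal(*entry) if entry else None


# ---------- Authorization: what may they do? ----------
# Feature gating: which features each (constructed) plan unlocks.
PLAN_FEATURES: Dict[str, Set[str]] = {
    "free": {"dashboard"},
    "pro": {"dashboard", "export", "api_keys"},
    "enterprise": {"dashboard", "export", "api_keys", "sso"},
}

# RBAC: which (feature, action) pairs each (constructed) role may perform.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "viewer": {("dashboard", "read")},
    "member": {("dashboard", "read"), ("export", "read"), ("export", "create")},
    "admin": {("dashboard", "read"), ("export", "read"), ("export", "create"),
              ("api_keys", "read"), ("api_keys", "create"), ("sso", "manage")},
}


@dataclass
class Org:
    plan: str
    roles: Dict[str, str]          # user_id -> role within this org
    quota_used: int = 0            # usage-based counter (constructed)
    quota_limit: int = 1000


ORGS: Dict[str, Org] = {
    "acme": Org(plan="pro", roles={"alice": "admin", "bob": "viewer"}),
    "globex": Org(plan="free", roles={"carol": "admin"}),
}


def authorize(principal: Principal, feature: str, action: str) -> Tuple[bool, str]:
    """Deny by default: a request is allowed only if every check passes."""
    org = ORGS.get(principal.org_id)
    if org is None:
        return False, "unknown org"
    # 1. Feature gating from the billing plan: a role cannot override this.
    if feature not in PLAN_FEATURES.get(org.plan, set()):
        return False, f"feature {feature!r} not included in plan {org.plan!r}"
    # 2. RBAC inside the organisation.
    role = org.roles.get(principal.user_id)
    if (feature, action) not in ROLE_PERMISSIONS.get(role or "", set()):
        return False, f"role {role!r} may not {action} {feature}"
    # 3. Usage-based limit: 'create' actions consume quota.
    if action == "create" and org.quota_used >= org.quota_limit:
        return False, "usage quota exhausted"
    return True, "ok"


def check(token: str, feature: str, action: str) -> Tuple[bool, str]:
    """Full flow: authenticate first, then authorize. Returns (allowed, reason)."""
    principal = authenticate(token)
    if principal is None:
        return False, "unauthenticated"
    return authorize(principal, feature, action)


if __name__ == "__main__":
    for tok, feat, act in [("tok-alice", "export", "create"),
                           ("tok-bob", "export", "create"),
                           ("tok-carol", "export", "create"),
                           ("tok-mallory", "dashboard", "read")]:
        print(tok, feat, act, "->", check(tok, feat, act))
```

Note that `carol` is an admin of her organisation but is still refused `export` because her plan does not include it: the plan check runs before the role check, so promoting a user never unlocks a feature the customer has not paid for.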

Why can it be a complex topic?

An authorization system is a living organism: it changes whenever your pricing grid evolves or new features are added, and it affects many stakeholders: engineers, product managers, marketing and sales teams, and end users.

Although it might initially seem simple, the corner cases, the evolution of the system and the security challenges can quickly turn into technical and business debt.

Oso's CTO explained why it's hard here, and Warrant has mapped the surface area of the topic here.

How can I make my life easier with Authorization?

We identified services that have productized best practices. Which one to choose depends on your specific needs; ping us if we can help. Here are our notes:

Oso

Oso has an open-source approach; you can get a taste of their library here. Their cloud product is currently in private beta. They defined their own declarative policy language built for application authorization, called Polar. We highly recommend their Authorization Academy, the clearest articulation of this complex problem space we have found.

Warrant

Warrant offers a set of APIs for authorization and access control. It is a fully managed service for mobile and desktop applications. They even offer a self-service dashboard: a Warrant-hosted page where your end users can manage their own authorizations.

Permit.io

Permit.io is a fully managed SaaS built on top of the open-source project Opal (Permit and Opal were built by the same team). We found their set of best practices very relevant if you are new to authorization.

Which solution can you use with Lago?

Lago is an open-source, API-first application, and its architecture is open by design. You can therefore use any of these tools (and the others we have not covered yet) with Lago, through our endpoints and webhooks.

We’ll also keep working on native integrations with the most requested third-party applications.