Quiz Entry - updated: 2026.07.14
What are the design best practices for access control?
Four design principles: closed policy (deny by default), a documented role × resource matrix, unpredictable IDs, and ownership enforcement on every query.
| Principle | What it means | Why it matters |
|---|---|---|
| Closed Policy | Deny by default, explicitly grant. Fail securely (deny on error). | Unknown requests are blocked, not allowed |
| Access Control Policy | Document all roles × resources in a matrix. Review regularly. | Ensures no gaps — every combination is considered |
| Unpredictable IDs | UUIDs (/users/a1b2c3d4...) instead of sequential integers (/users/123) |
Prevents enumeration — can't just increment to find others |
| Ownership Enforcement | Always verify: WHERE user_id = ? in every query |
Even with correct auth, users should only see their own data |