LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the design best practices for access control?

Four design principles: closed policy (deny by default), a documented role × resource matrix, unpredictable IDs, and ownership enforcement on every query.

Principle What it means Why it matters
Closed Policy Deny by default, explicitly grant. Fail securely (deny on error). Unknown requests are blocked, not allowed
Access Control Policy Document all roles × resources in a matrix. Review regularly. Ensures no gaps — every combination is considered
Unpredictable IDs UUIDs (/users/a1b2c3d4...) instead of sequential integers (/users/123) Prevents enumeration — can't just increment to find others
Ownership Enforcement Always verify: WHERE user_id = ? in every query Even with correct auth, users should only see their own data

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026