Emre Baran, co-founder and CEO of Cerbos, recently spoke at Collision 2023 in Toronto. During his talk, Emre discussed the necessity and challenges of implementing roles and permissions in business applications.
Drawing from his experiences at Google, CGI, and his own startups, he pointed out that developers often spend significant time building software infrastructure unrelated to their core business problems.
He identified roles and permissions as an area that still requires significant manual work. Baran outlined three common mistakes teams make: underestimating the complexity and resulting technical debt of implementing roles and permissions, assuming a minimal number of roles would suffice, and over-relying on off-the-shelf libraries without considering the additional infrastructure needed.
Cerbos aims to address this problem by offering an open source solution that allows developers to implement roles and permissions robustly and securely, freeing up time for teams to focus on business priorities.
Watch the full video and read the transcript of Emre’s talk below.
"Hello everyone. Throughout my career at Google, CGI and three of my own startups, I worked with developer teams that spent countless months building software infrastructure that had nothing to do with the core business problem that we were solving. If you look at this board, you'll see a lot of technology that didn't exist 20 years ago.
We had to go and build our own key-value stores. We had to go build password and database lookups, password rotations, infrastructure, firewalls and everything else. But today, we're lucky enough that developers can actually use these solutions and move on with their lives. However, when it comes to roles and permissions, this is a piece that we still build into every one of these business applications that we build.
Roles and permissions are needed when you have multiple users in different roles, working together to complete a workflow. If you wanna think about an example, think about your expense application. Somebody submits, somebody approves, somebody pays an expense. And yet, we still do not have a solution that actually easily enables us to implement these workflows.
I'll share with you three mistakes that I've made with my teams when we were trying to build these things. Number one was thinking, oh, we can do this. This is a very simple if-then-else statement, we can just implement it. It is correct. It starts very simple. However, as business requirements get more complex, this turns into a tech debt.
Second, thinking that, oh, we will only need a few roles. Heck, if you leave the world to developers, you'll only need a super user and a read-only user. Nothing else. However, real life is much more complex than that. Think about a company that has 20,000 employees. Among those, 3,000 are managers, and those managers belong to 20 departments in 15 different countries. You cannot give the same level of permission to every single one of those managers. And this is not being enterprise ready.
Mistake number three is, oh, I'll take a library off the shelf and implement it. And it's never just that library. Every developer team that I worked with had to go and build software infrastructure around this library.
And again, building software infrastructure causes tech debts. Our team, we reinvented this wheel, this security, so many times. And every single time we had to go start from scratch. Although we had some transferable know-how from previous times, there's still a lot of knowledge that gets lost along the way. And in the world we live in, where there is GDPR and CCPA, not getting your security and permissions is a big risk.
At Cerbos, we enable developers to implement roles and permissions securely and in a robust manner. And best of all, we actually made this open source, so developers can actually implement it in minutes and move on with their lives.
And that caused us to be able to give at least a team of four, three months back on their roadmap. And more importantly, we were able to enable them to focus on their business priorities, business requirements, that they had to actually go and build rather than infrastructure. Thank you very much."