Turning Secure Access Into Child’s Play with Permit Access Request APIs

Written and edited by Maya Barak and Daniel Bass

⁠When we build an application, some parts will be accessible to users, while others will be restricted. That’s a given. But building this kind of capability has its fair share of complexions - especially when these limitations aren’t static but change with the circumstances. As I’ll show you in this blog, enabling user access requests can be as simple as a children's story.

Let’s get into it -

The Challenge

Creating strict rules that allow certain users access to certain parts of the app isn’t a big issue - but that’s rarely enough for practically any modern application. In most cases, circumstances and user requirements constantly change over time. This gives us two options:

Either manually make changes to your authorization layer every time or create an automated system (An Access Request API) that allows users to request access and allows administrators to grant them access based on certain conditions. Let’s look at the manual option -

Say a user wants access to a certain part of the application which can only be approved by a specific type of admin. This means that you will have to create a system which:

1. Associates the specific application segment to the relevant admin, and has their contact information.
2. Allows the user to send an access request email/message requesting access. This will probably require the integration of some third-party tool.
3. Once the request is sent, the user will need to wait for the administrator's approval, which might take time. While not directly your problem, this will create a UX issue that you’ll probably be expected to solve at some point.
4. If the administrator approves the access request - there’s still the task of changing the actual authorization rule that enforces the access. This is, again, a problematic bottleneck that might require a different solution, especially as things scale.
5. Once the appropriate changes to the authorization layer have been made, you’ll have to inform the administrator, who will need to inform the user.

This process will be required for any new access request.

As you can quite easily see, building this system and having you make manual changes to the code every time a user needs access to a new portion of the application (Say, if a user paid and should now have access to premium features) is obviously highly impractical. So let’s talk about creating an Access Request API that does this automatically.

What is an Access Request API?

An Access-Request API serves as a centralized mechanism for handling access requests within the application environment, streamlining the process by allowing users to directly request access to specific features or data sets from within the application, eliminating the need to do so manually.

The benefits of using an Access Request API

Using an Access Request API provides the following benefits:

• It allows users to request access directly within the application without you having to set up 3rd party channels like emails/DMs. This doesn’t only make the process more comfortable for the user, but, more importantly - it makes it manageable.
• With access requests all managed in one place, it becomes far easier to maintain a comprehensive history of requests, serving as documentation for access granted within the application.
• Additionally, it allows multiple individuals to approve or deny access according to the rules you define. This reduces both waiting times for access requests and enables efficient management of your admin team.
• Having multiple admins also allows you to follow which requests have been approved or denied and why.
• Sometimes you might need to grant someone access to a role within a specific time limit. having a well-organized access control API helps you manage who, and more importantly, for how long, a user has access to a resource within your app.

How to implement an Access Control API?

You can build an access control API yourself as long as you follow some important best practices for building authorization. Another option is to use the Permit.io Access Control API, which generates access requests tailored to specific roles or resource instances and can be integrated into your app pretty quickly. It also allows you to assign suitable moderators who can evaluate and make decisions on user requests, helping make sure access is granted or denied in accordance with your specifications.

We also plan to release an Access Request Element, one of a few UI components we provide that allows you to safely delegate access control to your end users.

What does an Access Control API implementation look like?

To demonstrate how Access Control APIs work with Permit.io, let’s look at it through the simplest example possible - Goldilocks and the Three Bears. Imagine if the three bears had an application that used the Permit Access Request API - that story would look completely different:

In the forest, hidden among the trees, stood the cozy cottage of the three bears. In it, three rooms, three beds, and three bears: Papa Bear, Mama Bear, and Little Baby Bear.

In his shrewdness, Papa Bear decided to implement Permit’s Access Control API to track and manage access in their home.

One day, the three bears were away, while a little girl with locks of gold, stumbled upon their home. Goldilocks was her name, and hungry she was. Lured by the scent of tasty porridge, and lack of authentication, she made her way in. Famished, Goldilocks spotted a sign on the wall. It read: “Access Restricted”. So she submitted an access request.

Papa Bear, deep in the forest, received a surprising access request. All the bears are here, yet some user named Goldilocks123 wants to eat their delicious porridge! Knowing Mama Bear’s hospitality well, he hastily approved the request and continued with his morning hike.

After savoring the porridge, Goldilocks grew sleepy. Before settling into one of the beds for a nap, she requested permission for her impromptu rest. Recognizing her adventurous spirit, Papa bear granted her request and offered a playful warning: "This is the last time, young lady!"

*When the three bears returned to their home, they found Goldilocks there. She thanked the three bears, and swiftly left the cottage. As Goldilocks departed, Papa Bear chuckled: ***“There’s nothing like properly implemented access control”.**

The moral of the story

So what did we learn?

Most modern applications require an authorization system that allows not only static restrictions on user access but also the ability to adapt to reality. Allowing your users to request access to certain parts of your app is not something you want to do manually, and there are many benefits of having this capability embedded in your app in the form of an Access Request API.

In this blog, we learned how to use Permit.io’s Access Request API to create a safer, more secure experience for both you and your users, handling access requests quickly and efficiently in both make-believe and real-life settings.