04 Auth
4.5 Summary
When it comes to setting up auth around your components, there are two types of approaches to consider: System-level Auth and Application-level Auth.
System-level Auth leverages the Radix Engine to validate the proofs sent to the AuthZone and to ensure that a role's AccessRule is satisfied. For example, say we've set up auth for a component with an "admin" role that has a set of permissions, and accessing the "admin" role requires a proof of an admin badge. A user claiming to be the admin needs to send a proof of the admin badge to the AuthZone, where the Radix Engine validates it against the admin role's AccessRule. When the rule is satisfied, the user is granted access to the admin role and its permissions. The heavy lifting of the validation is done by the Radix Engine, and the component's method bodies contain no auth logic of their own.
The Application-level Auth approach simply means that custom validation is done at the component level. This means you may have specific validations, written by you, that the component performs and that the Radix Engine cannot express. Doing so requires the proof to be sent directly to the component instead of the AuthZone, where the proof is inspected and validated by your custom validation logic within the component. Because the engine is no longer in the loop, the component is responsible for every check, including confirming that the proof is of the expected resource before looking at anything else.
Either approach can be valid; however, because of the guarantees the Radix Engine offers, the system-level approach is preferred, and application-level auth should only be used where some validation requirement can't be fulfilled by the Radix Engine.
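To make the distinction concrete, here is an added example (not part of the original page and not Scrypto's own API) that models both approaches in plain Rust. `AccessRule`, `AuthZone`, `Proof`, `Component`, `engine_call` and the resource names are all constructed stand-ins for the concepts described above: `engine_call` plays the role of the Radix Engine, gating a method on its role's rule before the body runs, while `renew` receives the proof directly and performs a check (an expiry field inside the badge data) that the rule language in this model cannot express.

```rust
use std::collections::HashMap;

// Constructed stand-in for a resource address; Scrypto's real type is ResourceAddress.
type ResourceAddress = &'static str;

// Data carried by a non-fungible badge in this model (constructed for the example).
#[derive(Clone, Debug, PartialEq)]
pub struct BadgeData {
    pub expiry_epoch: u64,
}

// A proof: evidence that the caller holds `amount` of `resource`.
#[derive(Clone, Debug, PartialEq)]
pub struct Proof {
    pub resource: ResourceAddress,
    pub amount: u64,
    pub data: Option<BadgeData>,
}

// The AuthZone: proofs the caller has pushed for the engine to inspect.
#[derive(Default)]
pub struct AuthZone {
    pub proofs: Vec<Proof>,
}

// What the engine's rule language can express in this model: allow everyone,
// or require a proof of a given resource (optionally with a minimum amount).
pub enum AccessRule {
    AllowAll,
    Require(ResourceAddress),
    RequireAmount(ResourceAddress, u64),
}

impl AccessRule {
    // System-level check: evaluated against the AuthZone by the engine, never by the component.
    pub fn is_satisfied(&self, zone: &AuthZone) -> bool {
        match self {
            AccessRule::AllowAll => true,
            AccessRule::Require(res) => zone.proofs.iter().any(|p| p.resource == *res && p.amount > 0),
            AccessRule::RequireAmount(res, min) => {
                zone.proofs.iter().any(|p| p.resource == *res && p.amount >= *min)
            }
        }
    }
}

pub struct Component {
    admin_badge: ResourceAddress,
    roles: HashMap<&'static str, AccessRule>,
    method_roles: HashMap<&'static str, &'static str>,
    counter: u64,
}

impl Component {
    pub fn new(admin_badge: ResourceAddress) -> Self {
        let mut roles = HashMap::new();
        roles.insert("admin", AccessRule::Require(admin_badge));
        roles.insert("public", AccessRule::AllowAll);
        let mut method_roles = HashMap::new();
        method_roles.insert("reset", "admin");
        method_roles.insert("increment", "public");
        Component { admin_badge, roles, method_roles, counter: 0 }
    }

    // Method bodies carry no auth logic: the engine has already gated them.
    fn reset(&mut self) -> u64 { self.counter = 0; self.counter }
    fn increment(&mut self) -> u64 { self.counter += 1; self.counter }

    // Application-level check: the proof comes straight to the method, so the
    // component must do all the inspection itself, starting with the resource
    // check the engine would otherwise have performed.
    pub fn renew(&self, proof: &Proof, current_epoch: u64) -> Result<(), &'static str> {
        if proof.resource != self.admin_badge || proof.amount == 0 {
            return Err("not an admin badge");
        }
        match &proof.data {
            Some(d) if d.expiry_epoch > current_epoch => Ok(()),
            Some(_) => Err("admin badge has expired"),
            None => Err("badge carries no expiry data"),
        }
    }
}

// Engine-side dispatch for system-level auth: resolve the method's role,
// evaluate that role's AccessRule against the AuthZone, and only then run the method.
pub fn engine_call(c: &mut Component, zone: &AuthZone, method: &str) -> Result<u64, &'static str> {
    let role = c.method_roles.get(method).ok_or("unknown method")?;
    let rule = c.roles.get(role).ok_or("role has no rule")?;
    if !rule.is_satisfied(zone) {
        return Err("unauthorized");
    }
    match method {
        "reset" => Ok(c.reset()),
        "increment" => Ok(c.increment()),
        _ => Err("unknown method"),
    }
}

fn main() {
    let mut c = Component::new("resource_admin_badge");
    let admin = Proof { resource: "resource_admin_badge", amount: 1, data: Some(BadgeData { expiry_epoch: 100 }) };
    println!("reset without badge: {:?}", engine_call(&mut c, &AuthZone::default(), "reset"));
    println!("reset with badge:    {:?}", engine_call(&mut c, &AuthZone { proofs: vec![admin.clone()] }, "reset"));
    println!("renew at epoch 120:  {:?}", c.renew(&admin, 120));
}
```

Note how `reset` and `increment` never see a proof at all, whereas `renew` has to repeat the resource check before it can even get to the expiry logic; that repeated, hand-written check is exactly the surface that the system-level approach removes, which is why it is the preferred one.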