CanCan is an authorization gem written by Ryan Bates which allows you to easily customize your authorization to your needs.
Look at the CanCan Wiki for instructions on how to get CanCan installed; this guide is only going to focus on how to use the Adauth::UserModel to create your Ability class. Adauth gives you access to the groups the user is a member of, which means you can use the user's Windows security groups directly in CanCan.
I like to add an is? method to my user model so that I can quickly perform logical tests in my ability class. This method looks like this:

```ruby
# Returns true if the user belongs to the named Windows group.
# `groups` is the comma-separated string of group names that Adauth stores on the user.
def is?(role)
  groups.split(",").include?(role.to_s)
end
```

This method assumes you are using the user model created by the Adauth generators, which stores the user's group names in a single comma-separated groups column. The match is an exact, case-sensitive string comparison, and because it reads the stored column rather than querying the directory, it reflects the group list as it was when Adauth last synchronised the user, not live directory membership.
With the above method defined it then becomes very easy to use CanCan:

```ruby
class Ability
  def initialize(user)
    # Branches are checked top to bottom; the first group that matches wins.
    if user.is?("Domain Admins")
      can :manage, :all
    elsif user.is?("Finance")
      can :manage, Invoice
    elsif user.is?("Postman")
      can :read, Invoice
    end
    # Outside the if/elsif, so it applies to every logged-in user.
    can :read, :pages
  end
end
```
This ability class gives everyone who logs in the ability to read pages, members of the Postman group permission to read invoices, members of Finance full access (create, read, update and destroy) to invoices, and members of Domain Admins full access to every model in the application. Because the checks are an if/elsif chain, a user who is in more than one of these groups gets only the rights of the first branch that matches: someone in both Finance and Postman is treated as Finance.
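The following is an added example, not code from the post or from the Adauth or CanCan projects. It stands in for the Adauth-generated user model with a plain Ruby User object holding a comma-separated groups string, defines the is? helper from the post (with one extra step: whitespace around each name is stripped, so "Domain Users, Finance" still matches), and uses a small stand-in for the parts of CanCan's can/can? DSL that the Ability class above relies on, so the rules can be exercised offline. The group strings, user names and the MiniAbility module are all constructed for the example; in a real app the Ability class would inherit from CanCan::Ability instead.

```ruby
# Stand-in for the Adauth-generated user model; only the `groups` column matters here.
class User
  attr_reader :login, :groups

  def initialize(login, groups)
    @login  = login
    @groups = groups   # assumed format: "Domain Users,Finance", one comma-separated string
  end

  # Same helper as in the post, plus strip so a stray space after a comma does not
  # hide a membership. Comparison stays exact and case-sensitive: "finance" != "Finance".
  def is?(role)
    groups.to_s.split(",").map(&:strip).include?(role.to_s)
  end
end

class Invoice; end

# Minimal stand-in for CanCan's `can`/`can?` (hypothetical, not CanCan's own code):
# rules are (action, subject) pairs; :manage matches any action, :all any subject.
module MiniAbility
  def can(action, subject)
    rules << [action, subject]
  end

  def can?(action, subject)
    subject_key = (subject.is_a?(Class) || subject.is_a?(Symbol)) ? subject : subject.class
    rules.any? do |rule_action, rule_subject|
      action_ok  = rule_action == :manage || rule_action == action
      subject_ok = rule_subject == :all || rule_subject == subject_key
      action_ok && subject_ok
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  def rules
    @rules ||= []
  end
end

# The Ability class from the post, unchanged apart from including the stand-in.
class Ability
  include MiniAbility

  def initialize(user)
    if user.is?("Domain Admins")
      can :manage, :all
    elsif user.is?("Finance")
      can :manage, Invoice
    elsif user.is?("Postman")
      can :read, Invoice
    end
    can :read, :pages
  end
end

# Summarise what a user may do so the effect of each group is easy to compare.
def permissions_for(user)
  ability = Ability.new(user)
  {
    read_pages:     ability.can?(:read, :pages),
    read_invoice:   ability.can?(:read, Invoice),
    update_invoice: ability.can?(:update, Invoice),
    destroy_user:   ability.can?(:destroy, User),   # only :manage, :all grants this
  }
end

# Constructed sample users covering the interesting cases.
USERS = {
  admin:   User.new("alice", "Domain Users,Domain Admins"),
  finance: User.new("bob",   "Domain Users, Finance"),   # space after the comma
  postman: User.new("carol", "Domain Users,Postman"),
  both:    User.new("dave",  "Postman,Finance"),         # Finance branch wins (elsif order)
  nobody:  User.new("erin",  "Domain Users"),
  lower:   User.new("frank", "finance"),                 # case mismatch, so not Finance
}

if __FILE__ == $0
  USERS.each { |name, user| puts "#{name}: #{permissions_for(user)}" }
end
```

Running it prints one permission row per user; the "both" and "lower" rows are the ones worth checking in your own Ability: branch order decides which group wins, and group names must match the directory's spelling exactly.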
The ability class is very flexible and doesn't have to be a big if statement, but for very basic authorization this is all you need. Head over to the CanCan Wiki for more detailed instructions on how to configure your rules.