# Actors & Authorization Authorization in Ash involves three things: * actor - the entity (i.e user, organization, device) performing a given action * authorize? - a flag that tells Ash to run authorization. * authorizers - the extensions on a resource that can modify or forbid the action. ## Setting `actor` and `authorize?` All functions in Ash that may perform authorization and/or wish to use the actor accept an `actor` and an `authorize?` option. For example: Building a changeset/query/input is the best time to provide the actor option ```elixir Ash.Changeset.for_create(Post, %{title: "Post Title"}, actor: current_user, authorize?: true) ``` If calling a function without changeset/query/input, you can provide the `actor` option at that point. ```elixir Ash.count!(Post, actor: current_user, authorize?: true) ``` Functions created with the code interface also accept an `actor` option. ```elixir MyDomain.create_post!(Post, authorize?: true) ``` > ### Set the actor on the query/changeset/input {: .warning} > The hooks on a query/changeset/input to an action may need to know the actor, so you > need to set the actor when building them, not when calling the action. > ```elixir > # DO THIS > > Post > |> Ash.Query.for_read(:read, %{}, actor: current_user) > |> Ash.read!() > > # DON'T DO THIS > > Post > |> Ash.Query.for_read!(:read) > |> Ash.read!(actor: current_user) > ``` ## Default value of `authorize?` The default value of `authorize?` is determined by the `authorization` configuration of the relevant domain. By default, `authorize?` is set to `true` (and so can be ommitted in all of the examples above). If a resource has no authorizers, then all requests will be allowed. ## Authorizers Authorizers are in control of what happens during authorization. Generally, you won't need to create your own authorizer, as the builtin policy authorizer `Ash.Policy.Authorizer` works well for any use case. See the [Policies guide](documentation/topics/security/policies.md) for more. ## Domain Authorization Configuration ### `d:Ash.Domain.Dsl.authorization|require_actor?` Requires that an actor is set for all requests. Important: `nil` is still a valid actor, so this won't prevent providing `actor: nil`. It only requires that the option itself is provided. ### `d:Ash.Domain.Dsl.authorization|authorize` When to run authorization for a given request. - `:by_default` sets `authorize?: true` if the `authorize?` option was not set (so it can be set to `false`). This is the default. - `:always` forces `authorize?: true` on all requests to the domain. - `:when_requested` sets `authorize?: true` whenever an actor is set or `authorize?: true` is explicitly passed. This is the default behavior.