Relying solely on native tools to manage the complex web of user permissions in modern applications can become a massive headache. In a recent DevCast episode, Charles Delfs, of Delfs Engineering, discussed HAM (Headless Authorization Module).
HAM is a conceptual shift in how developers handle security. Rather than burying logic deep within FileMaker’s internal menus, HAM abstracts authorization into a flexible, data-driven system that separates who a user is (authentication) from what they are permitted to do (authorization).
Key considerations and features
- Headless architecture: HAM is “headless” because it has no attached UI, allowing it to remain unopinionated and highly flexible for any scenario.
- JSON-based logic: permissions are represented as JSON objects, making the “source of truth” easy to read, manage, and export to external systems.
- Role inheritance: higher-level roles can automatically inherit the privileges of lower-level roles, such as an Admin inheriting all permissions from a Manager.
- Individual overrides: developers can grant specific, temporary exceptions to a single user (e.g., access to a report for one week) without needing to create an entirely new security group.
- Platform agnostic: because the final privileges are distilled into a flat JSON object, they can be pushed to third-party web apps or APIs, ensuring consistent security across the entire stack.
The core mechanics
At its core, HAM is a lightweight set of three custom functions designed to help ease the complexities of administration. Traditional methods, like record-level access formulas, are often difficult to track and harder to update as an app grows. By centralizing these rules into a preferences field or table, HAM allows for “feature flagging.” A developer can deploy a new feature into production but keep it hidden and toggle it on only for specific alpha testers or subscription tiers without changing a single line of code.
The HAM module is particularly adept at handling complex business rules through its inheritance model. When a user logs in, HAM assembles a flat “truth table” based on the user’s roles and any specific overrides. It follows a “last-one-wins” approach; if a user is both a “Remote Worker” and a “Manager,” the system merges their permissions, ensuring the most specific rules take precedence. This approach enables hyper-flexible scenarios, such as a SaaS product where users can purchase “add-on packs” that are automatically summed up by the authorization engine.
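To make the inheritance, override and "last-one-wins" merge described above concrete (and the feature-flag behaviour from the previous section, where an unset permission simply stays hidden), here is an added example in JavaScript. It is not HAM's own code or Charles Delfs' custom functions; it is a minimal resolver in the same spirit, written for the web-app side that would consume the exported flat JSON. The role names, permission keys, the user record, the expiry date on the override, and the convention that roles are merged in the order they are listed on the user are all constructed assumptions.

```javascript
// Added example, not part of HAM: a minimal "last-one-wins" permission
// resolver. All role names, permission keys and user data are constructed.

// Role definitions: each role lists the parents it inherits from and a flat
// map of permission flags. (Constructed sample data.)
const ROLES = {
  Employee:     { inherits: [],           grants: { viewOwnRecords: true, exportData: false, viewSalaryReport: false } },
  RemoteWorker: { inherits: ["Employee"], grants: { vpnAccess: true, exportData: false } },
  Manager:      { inherits: ["Employee"], grants: { viewTeamRecords: true, exportData: true } },
  Admin:        { inherits: ["Manager"],  grants: { manageUsers: true } },
};

// Resolve one role into a flat map: parents first, then the role's own
// grants, so the more specific role overwrites inherited flags.
// A cycle in the inheritance graph is reported instead of looping forever.
function resolveRole(roleName, seen = new Set()) {
  if (seen.has(roleName)) throw new Error(`Role inheritance cycle at ${roleName}`);
  seen.add(roleName);
  const role = ROLES[roleName];
  if (!role) throw new Error(`Unknown role: ${roleName}`);
  let flat = {};
  for (const parent of role.inherits) {
    flat = { ...flat, ...resolveRole(parent, new Set(seen)) };
  }
  return { ...flat, ...role.grants };
}

// Build the user's flat "truth table": roles merged in the order listed
// (assumed convention), then individual overrides applied last. An override
// may carry an expiry so a temporary exception lapses on its own.
function buildTruthTable(user, now = new Date()) {
  let flat = {};
  for (const roleName of user.roles) {
    flat = { ...flat, ...resolveRole(roleName) };
  }
  for (const o of user.overrides ?? []) {
    if (o.expires && new Date(o.expires) <= now) continue; // expired: ignore it
    flat[o.permission] = o.allow;
  }
  return flat;
}

// Consumer-side check. Anything not explicitly true is denied, so a feature
// whose flag has never been set stays hidden until it is toggled on.
function can(truthTable, permission) {
  return truthTable[permission] === true;
}

// Constructed sample user: both Remote Worker and Manager, plus a one-week
// override granting a report the Employee role denies by default.
const sampleUser = {
  account: "jdoe",
  roles: ["RemoteWorker", "Manager"],
  overrides: [
    { permission: "viewSalaryReport", allow: true, expires: "2024-03-08T00:00:00Z" },
  ],
};

const asOf = new Date("2024-03-01T12:00:00Z");
const table = buildTruthTable(sampleUser, asOf);
// The flat JSON below is what would be exported to a web app or API.
console.log(JSON.stringify(table, null, 2));
console.log("can export:", can(table, "exportData"), "can manage users:", can(table, "manageUsers"));
```

Two things are worth noticing when running it. Because Manager is listed after Remote Worker, its `exportData: true` wins over the Remote Worker's `false`; listing the roles the other way round flips that result, which is why the merge order is a policy decision that should be documented wherever the truth table is built. And once the override's expiry passes, `viewSalaryReport` falls back to the inherited `false` without anyone having to remember to revoke it.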
Moving forward
HAM is a free, open-source module that offers a simple way to modernize security. For those managing legacy systems, Charles suggested keeping existing security in place and using the module for new, complex requests. HAM is a straightforward way to trade hard-coded, messy scripts for a clean, manageable data architecture.
This piece represents a collaboration between the human authors and AI technologies, which assisted in both drafting and refinement. The authors maintain full responsibility for the final content.
