When securing a database there are two main things you need – authentication (knowing who is trying to access the database) and authorization (knowing they have the necessary permissions). Firebase provides support for both, but it’s not immediately obvious how to implement robust authorization using the available tools. This talk will introduce two standard authorization models, ACL (Access Control List) and RBAC (Role-Based Access Control), and show how to implement these in both Realtime Database and Cloud Firestore using security rules. Not only will you learn how to enforce these rules, but also how to use Cloud Functions to manage the rules securely.