Authorization Patterns

The Architecture of Permission

Authorization is the security mechanism that determines what actions authenticated users are permitted to perform and which resources they can access. While authentication answers “who are you?”, authorization determines the specific boundaries of their access—answering the critical question: “What are you allowed to do?”

AUTHZ

Access Control

Core Mission

Enforcement of Least Privilege. Ensuring that every identity has the minimum level of access required to perform their function, and no more.

Like Building Security: Your badge gets you into the lobby (Authentication). Your clearance determines which floors you can visit (RBAC), and specific project membership determines which secure rooms you can enter (ABAC).

Resource Protection / Data Privacy / Compliance

The Authorization Landscape

Choosing the right authorization model is a strategic decision that affects the scalability and maintainability of your security infrastructure.

Primary Authorization Models

Model	Logic Basis	Best For	Complexity
RBAC (Role-Based)	Group Membership	Coarse-grained organizational access.	Low
ABAC (Attribute-Based)	User/Resource Traits	Fine-grained, dynamic business rules.	High
PBAC (Policy-Based)	Declarative Policies	Centralized, audit-heavy ecosystems.	Medium
ReBAC (Relationship)	Graph-based Links	Social networks / Complex hierarchies.	High

Strategic Decision Matrix

Use the following criteria to select the most appropriate authorization pattern for your architecture.

Requirement	Recommended Model	Key Driver
Simple Org Hierarchy	RBAC	Stable roles (Admin, Editor, Viewer).
Contextual Access	ABAC	Decisions based on IP, Time, or Risk.
Distributed Systems	PBAC / OPA	Centralized policy enforcement (Rego/Cedar).
Deep Object Ownership	ReBAC	Permissions inherited via relationships.

---

Detailed Authorization Pattern Guides

Master the implementation of granular access control across your applications and APIs.

Role-Based Access (RBAC)

Designing stable role hierarchies and permission mappings.

Attribute-Based (ABAC)

Creating dynamic policies based on user and resource traits.

Policy Engines (OPA)

Externalizing authorization logic using OPA and Rego.

API Authorization

Securing REST and GraphQL endpoints with OAuth 2.0 scopes.

Resource-Level Auth

Implementing object-level security and hierarchical permissions.

Next Steps

• Explore Google’s Zanzibar for world-scale relationship-based access.
• Review Security Best Practices to prevent broken access control.
• Check Zero Trust Models for least-privilege enforcement.