Skip to content

Introduction

What is Authorization?

Authorization is the process of determining if an authenticated identity (user, device, application) has the ability to perform an action.

Actions performed by the identity are checked against policy with pre-defined rules which include data needed to evaluate the rule.

Example #1

To introduce a simple example, we can assume that we have a salary api. We have a rule that employees can read their own salary. This rule is pretty easy to evaluate as we don’t need any additional information other than the identity of the user to evaluate this rule.

Authorization Decision Example

Business Rules:

  • Product: Human Resources
  • Service: Salary API
  • Rule: Employees can read their own salary.

Input Data:

  • Authenticated Identity

Psuedocode:

input user == salary resource subject

Example #2

Unfortunately though, most of authorization rules around aren’t as simple as Example #1. If we assume that Managers can see salary for direct reports, we now need additional data and multiple rules to evaluate the policy.

Business Rules:

  • Product: Human Resources
  • Service: Salary API
  • Rule: Employees can read their own salary AND Managers can see salary for direct reports.

Input Data:

  • Authenticated Identity
  • Manager Direct Reports

Psuedocode:

input user == salary resource subject || input user -> direct reports contains salary resource subject

Summary

Authorization decisions even in the most simplest cases have input, rules, and data.

Authorization Input Output