45 Questions to Ask Yourself Before Modeling Authorization

Authorization is part of every modern application, ensuring users can only access the resources they are permitted to. While this might sound rather straightforward, considering how complex modern applications are, ensuring the right people get the right access to the right places is far from easy.

Before you start building, whether you are planning to build your own solution from scratch or use an existing authorization as a service solution, there are some crucial questions you must ask yourself when planning your implementation.

We see these questions being asked repeatedly on Reddit, StackOverflow, and in our own community dedicated to helping people build authorization systems. In order to make sure you have everything covered, we gathered them together in one place.

It doesn't matter whether you're upgrading an existing authorization system (From monolith to microservices-based, for example) or creating an authorization for a new application from scratch - these are the most critical questions you should ask yourself before modeling your authorization implementation.

1. Scope and Granularity (RBAC, ABAC, ReBAC):

• What types of resources do you need to secure in your application (e.g., data, functions, services, APIs)?
• Do your applications utilize resource hierarchies, organizational hierarchies, or ownership models? Are you able to easily model those (recursively) into your policies?

If you have an existing implementation -

• How granular are the current permissions? Do you support role, attribute, or context-based access control?
• Does your authorization layer support multi-tenancy as a first-class citizen?

The first step in designing an authorization layer is determining the resources to which you need to manage access. Each type of resource and its place in the overall structure of your application might require you to utilize a different type of authorization model (RBAC, ABAC, ReBAC, or a combination of them).

It is important that you familiarize yourself with the available policy models out there, their pros and cons, and try to assess which ones are the best fit for your application.

2. Policy Authoring: Involving Other Stakeholders

• Are non-technical stakeholders (e.g. Product, Security, Compliance, Sales, Support) able to participate in policy authoring? Should they? If so, to what extent?
• Are end-customers able to customize their policies within your system (e.g. dynamically create roles, assign permissions, define hierarchies)?
• Are you able to utilize policy as code as part of your authorization layer?
• Are you able to utilize Infrastructure as code to define these policies?
• How quickly can you deliver new policies to production? Seconds? Hours?

Authorization policies should be flexible and accessible while remaining secure. It is common for various stakeholders (Product, Security, Compliance, Sales, Support etc.) to require a certain level of access to your authorization layer, being able to author and edit policies, and having these policies take immediate effect in the system.

Facilitating this need can’t come as an afterthought to building your authorization layer, and should be considered from day one. Utilizing Policy-as-code for this endeavor facilitates automation and integration into CI/CD pipelines, enabling faster deployment and iteration of policies while keeping all the best practices of code deployment in place.

The Permit.io UI allows you to define policy via a UI that generates policy as code for you in your language of choice.

3. User and Data Management:

• How do you manage the synchronization of user identities and attributes across systems?
• Can you consume external data sources to aid in the authorization decision process without creating dependencies (To systems that aren’t highly available, highly performant / low latency)?
• What mechanisms manage user roles and hierarchies?
• Is there a method of loading dynamic data (e.g. geo-location, quotes, billing) into the authorization system in place?

Effective user and data management ensures the authorization system is both accurate and responsive. Handling dynamic data efficiently can enhance the system's adaptability and responsiveness to real-time changes.

This can be achieved by using tools like Open Policy Administration Layer (OPAL), which helps keep your authorization layer updated in real-time with data and policy updates. This OSS includes two important features:

• OPAL allows tracking a specific policy repository (like GitHub, GitLab, or Bitbucket) for updates. It does this by either using a webhook or checking for changes every few seconds. This makes the system act as a Policy Administration Point (PAP), which sends the policy changes to your policy engine, ensuring it is always up to date.
• The ability to track any relevant data source (API, Database, external service) for updates via a REST API, and fetch up-to-date data back into your policy engine. Using these capabilities allows you to take advantage of the full benefits of policy languages by keeping your policy engines up to date with all the relevant policies and data in real-time.

4. Policy Management:

• How are authorization policies managed and defined within your system?
• Can policies react dynamically to contextual changes at runtime?
• Is there a single source of truth for your policies?
• How are policies tested, reviewed, and benchmarked? Can this be done as part of their authoring process?
• Are you able to unify policies across different surfaces (gateways, proxies, middleware, code, DBs)?

A centralized management system helps maintain consistency and integrity of policies across all platforms. Dynamic policies that adapt to real-time data ensure that access control is always relevant and secure. Centralization of your policy decisions can be achieved by using Policy Engines such as Open Policy Agent vs AWS Cedar. It is important to choose the policy engine and policy language that best suits your needs.

5. Auditing and Compliance: Tracking and Simplification

• How do you track and log access decisions?
• Can you aggregate and search audit logs effectively?
• Are you able to track decision paths for audit logs?
• Is your audit log aggregation retaining logs in a way that matches your policy requirements?
• Does your system simplify compliance with standards like HIPAA, GDPR, and PCI?
• Are there tools in place to analyze access patterns and detect anomalies on top of audit logs?

Quality logging and auditing capabilities are essential for compliance and security. They help track access patterns and detect anomalies, ensuring that your application meets regulatory standards and effectively manages risk.

6. Integration and Scalability: Preparing for Growth

• How does your authorization system integrate with other infrastructure components?
• Is the system scalable to meet the growth of your application?
• What is the impact of changing your policy model (RBAC to ABAC, for example) on your engineering resources?
• Do you practice decoupling of policy and code?

A well-integrated system reduces maintenance overhead and avoids bottlenecks as your application scales. Consider the long-term impact of potential system changes to ensure sustainability.

7. Performance and Reliability: Ensuring High Availability

• What impact does the authorization system have on application performance?
• What percentage of this impact is due to latency to the authorization service or dependent data sources?
• How do you ensure the service’s reliability and availability?
• Is the information stored in your JWTs limited to identity-bound data points?

Minimizing latency and maximizing reliability are critical for maintaining user satisfaction and trust. Efficient performance management ensures that security measures do not impede the application’s responsiveness.

8. Security and Risk Management: Safeguarding Access

• What security measures protect your authorization data?
• How do you manage breach detection and response to unauthorized access?
• Are there access controls and logs for changes to access management?
• Do you have audit logs on who can change your access control?
• Is the lifespan of your JWTs less than a minute? Or at least less than 10 minutes?

Having an authorization layer that monitors access to the app’s authorization layer is crucial. It prevents unauthorized changes from being made to the authorization layer and ensures that any potential breaches are quickly identified and addressed.

9. Technology and Tooling: Leveraging the Best Tools

• What external libraries, frameworks, or services are you using for authorization?
• What are the current tools and solutions for authentication? Are you able to leverage all your authentication and identity claims in your authorization layer with ease? Are you easily able to support attributes coming from external identity providers?
• What are the limitations of your current tooling?

Choosing the right technology stack for authorization and authentication can greatly affect both the system's effectiveness and the developer's ease of implementation. Understanding the limitations of current tools can guide future improvements and integrations.

10. Future-Proofing: Staying Ahead with Continuous Improvement

• How do you ensure your authorization system remains up-to-date with the latest security practices?
• Are you able to quickly adapt your authorization strategies to accommodate new technologies and changing regulatory requirements?
• What processes do you have in place for continuous assessment and improvement of your authorization system?

The IAM landscape, as well as the potential security risks involved are constantly changing. This means we must keep our system current and adaptable. Implementing a process for ongoing assessment and improvement can help address emerging security challenges and incorporate advancements in technology. Regular updates, guided by the latest security research and compliance demands, ensure that your system not only meets current standards but is also prepared for future requirements. This approach reduces vulnerabilities and ensures that your authorization system evolves in step with both technological innovations and changes in the regulatory environment.

Conclusion

Building and managing an effective authorization system requires a thoughtful approach that balances security, usability, and performance. By considering these detailed questions, you can ensure your authorization system is strong, compliant, and ready for the challenges of modern application development.