4 Authorization: What can you do?

This chapter covers

  • A look at why authentication isn’t enough—and why authorization deserves focused attention
  • The PARC model for breaking down access decisions
  • Core terminology that underpins modern authorization systems, from roles and attributes to policies and entitlements
  • A tour of the authorization reference architecture and how its components work together
  • Real-world deployment patterns for enforcing and evaluating policies in centralized and distributed systems

In 2023, the U.S. Federal Trade Commission (FTC) filed a complaint against Ring, the popular home security company owned by Amazon. The allegations were startling: employees and third-party contractors had unrestricted access to customers’ private video feeds—sometimes without their knowledge or consent. In a particularly egregious case, one employee viewed thousands of videos of female customers in their bedrooms and bathrooms over several months before being discovered.

What went wrong? From a traditional access control standpoint, the individuals involved were all authenticated. They had usernames and passwords. They were Ring employees or authorized contractors. The system knew who they were.

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary