17 Taming authorization: RBAC, ABAC, and ReBAC
This chapter covers
- Comparing RBAC, ABAC, and ReBAC
- Identifying when a system needs more than roles to make access decisions
- Designing authorization layers that scale
You’ve locked the front door. Great! But now comes the real question: who gets to open the fridge?
Welcome to the wild world of authorization, the part of security that decides not just who you are but also what you’re allowed to do. Most systems today aren’t just one app or one database; they’re a sprawling jungle of services, APIs, functions, dashboards, admin panels, and probably three forgotten Lambda functions you deployed last year and can’t find now. Each of these services has to decide the following:
- Should I allow this request?
- Can this user see this document?
- Should I trust this service call?
Authorization models answer those questions. In this chapter, we walk through authorization models with real-world examples, explain where they shine and break, and look at how authorization plays out in monoliths, microservices, and clouds. We discuss how companies enforce who can do what, as well as the tools and patterns that keep the logic sane.
17.1 Core authorization models
Before we start throwing around tokens, graphs, and policy engines, let’s ask a simple question: how do systems decide who’s allowed to do what? This section explores the three main strategies used to answer that question (figure 17.1):