Fundamental Security Concepts

Authentication establishes who you are. Authorization determines what you can do. This distinction is fundamental: proving your identity is merely the first step. The second—and equally critical—step is determining which actions that identity may perform and which resources it may access.

Consider your experience with any enterprise system: You log in (authentication), but your experience differs vastly from your colleagues'. A developer sees code repositories and deployment pipelines. An accountant sees financial reports and invoices. A manager sees team performance metrics and approval queues. Same company, same login process, but completely different access—that's authorization at work.

Authorization is the enforcement mechanism of security policy. It translates organizational rules ("Employees see only their department's data") into technical controls (access control lists, role assignments, policy decisions). Get authorization wrong, and sensitive data leaks to unauthorized parties, privileged operations become available to attackers, and the entire security model collapses regardless of how robust authentication might be.

The Core Question

Authorization answers: "Is this subject allowed to perform this action on this object?"

Every authorization decision involves three key elements:

1. Subject — The entity requesting access (user, process, service, device)
2. Object — The resource being accessed (file, database record, API endpoint, network segment)
3. Action — The operation being attempted (read, write, delete, execute, approve)

The Authorization Decision Process

Authorization decisions flow through multiple stages:

[Subject] --- requests ---> [Action on Object]
                                   |
                                   v
                          [Policy Decision Point]
                                   |
                         +---------+---------+
                         |         |         |
                         v         v         v
                      [Allow]  [Deny]  [Conditional]

Policy Decision Point (PDP): The component that evaluates access requests against policy rules and returns a decision.

Policy Enforcement Point (PEP): The component that intercepts access requests, queries the PDP, and enforces the decision.

Policy Information Point (PIP): Sources of attribute information (user groups, resource classifications, environmental context) used in authorization decisions.

Access control models provide theoretical frameworks for organizing and enforcing authorization. Each model embodies different assumptions about who defines policy and how enforcement operates.

Discretionary Access Control (DAC)

In DAC, resource owners control access permissions at their discretion. The creator of a file decides who else may access it.

Characteristics:

• Object owners set permissions
• Permissions can be delegated to others
• Users have autonomy over their own resources
• No central policy authority enforces uniform rules

Implementation Examples:

• Unix file permissions (owner/group/other)
• Windows NTFS ACLs (Access Control Lists)
• Share settings in cloud storage (Google Drive, Dropbox)

Advantages:

• Flexible, supports diverse use cases
• Users manage their own resources
• Simple to understand conceptually

Disadvantages:

• No global policy enforcement
• Users may grant overly permissive access
• Difficult to ensure consistent security across systems
• Vulnerable to Trojan horse attacks (malicious programs inherit user's permissions)

Mandatory Access Control (MAC)

In MAC, a central authority defines access policy based on security classifications. Users cannot override these rules, regardless of object ownership.

Characteristics:

• System-enforced policies that users cannot change
• Security labels assigned to subjects and objects
• Access decisions based on label comparisons
• Primarily used in military and government systems

Security Models:

Bell-LaPadula (Confidentiality):

• "No read up, no write down"
• Subjects cannot read objects at higher classification
• Subjects cannot write to objects at lower classification (prevents information flow down)

Biba (Integrity):

• "No read down, no write up"
• Subjects cannot read objects at lower integrity
• Subjects cannot write to objects at higher integrity (prevents corruption flow up)

Implementation Examples:

• SELinux (Security-Enhanced Linux)
• AppArmor
• Windows Mandatory Integrity Control
• Classified government systems (Top Secret, Secret, Confidential)

Advantages:

• Strong, consistent security guarantees
• Users cannot accidentally or maliciously weaken security
• Clear information flow control

Disadvantages:

• Complex to administer
• Can be inflexible for business needs
• May impede legitimate work if policies are too restrictive

Role-Based Access Control (RBAC) bridges the gap between DAC flexibility and MAC structure. Permissions are assigned to roles, and users are assigned to roles. Users acquire permissions indirectly through their role memberships.

RBAC Core Concepts

Role: A collection of permissions that corresponds to a job function (e.g., "Developer," "Manager," "Auditor").

Permission: The ability to perform an action on a resource (e.g., "read:contracts," "deploy:production").

Role Assignment: Associating users with roles.

Role Hierarchy: Roles can inherit permissions from other roles (Senior Developer inherits from Developer).

RBAC0 - Basic RBAC

The foundational model with three components:

1. Users (subjects)
2. Roles (collections of permissions)
3. Permissions (action + object pairs)

User --> Role --> Permission --> Resource

Example:
Alice --> "Developer" --> ["read:code", "write:code", "run:tests"]
Bob --> "Manager" --> ["read:code", "read:reports", "approve:releases"]

RBAC1 - Role Hierarchies

Adds role inheritance: senior roles inherit permissions from junior roles.

         Senior Developer
               |
           Developer
           /       \
    Frontend Dev   Backend Dev

Senior Developer automatically has all permissions of Developer, which has permissions from both specialized roles.

RBAC2 - Constraints

Adds constraints that limit role assignments:

Static Separation of Duties (SSD): Mutually exclusive roles that cannot be assigned to the same user:

• User cannot have both Purchaser and Approver roles
• Prevents conflicts of interest

Dynamic Separation of Duties (DSD): Roles that cannot be activated simultaneously:

• User can have both roles but cannot use both in the same session
• Prevents self-dealing in single transactions

Cardinality Constraints:

• Maximum users per role (only 3 people can be Super Admin)
• Maximum roles per user (users can have at most 5 roles)

RBAC3 - Combined Model

Combines hierarchies (RBAC1) and constraints (RBAC2) for complete flexibility.

Attribute-Based Access Control (ABAC) provides the most flexible authorization model. Access decisions consider multiple attributes of subjects, objects, actions, and the environment—not just role membership.

ABAC Components

Subject Attributes: Properties of the requester

• Department, clearance level, job title
• Location, device type, authentication strength
• Group memberships, certifications

Object Attributes: Properties of the resource

• Classification level, data sensitivity
• Owner, creation date, location
• Document type, project association

Action Attributes: Properties of the requested operation

• Read, write, delete, approve
• Data volume, request frequency

Environment (Context) Attributes: Situational properties

• Current time, date
• Threat level, network location
• Request origin, device security posture

ABAC Policy Example

Policy: "Doctors can view patient records during working hours from hospital devices, but only for patients they are treating."

policy ViewPatientRecords {
  subject.role == "doctor" AND
  object.type == "patient_record" AND
  subject.treatmentRelationship CONTAINS object.patientId AND
  environment.timeOfDay BETWEEN "07:00" AND "19:00" AND
  environment.deviceLocation == "hospital_network"
}

This policy references:

• Subject attribute: role, treatmentRelationship
• Object attribute: type, patientId
• Environment attribute: timeOfDay, deviceLocation

XACML: ABAC Standard

eXtensible Access Control Markup Language (XACML) is the OASIS standard for ABAC policy specification and evaluation.

XACML Architecture:

• Policy Administration Point (PAP): Where policies are authored and managed
• Policy Decision Point (PDP): Evaluates access requests against policies, returns decisions
• Policy Enforcement Point (PEP): Intercepts requests, queries PDP, enforces decisions
• Policy Information Point (PIP): Provides attribute values needed for decisions
• Context Handler: Normalizes requests and communicates between components

XACML Decision Values:

• Permit — Access allowed
• Deny — Access denied
• Indeterminate — Error or missing information
• NotApplicable — No policy covers this request

Modern ABAC: Open Policy Agent (OPA)

OPA has emerged as the de facto standard for policy-as-code in cloud-native environments:

# OPA Policy in Rego language
package authorization

default allow = false

allow {
    input.method == "GET"
    input.path == ["documents", _]
    input.user.department == "engineering"
}

allow {
    input.method == "PUT"
    input.path == ["documents", doc_id]
    input.user.id == data.documents[doc_id].owner
}

Authorization failures are among the most common and severe security vulnerabilities. OWASP consistently ranks Broken Access Control as a top web application risk.

Insecure Direct Object Reference (IDOR)

Occurs when an application exposes internal object identifiers without proper authorization checks:

Vulnerable Pattern:

GET /api/documents/12345  → Returns document 12345
GET /api/documents/12346  → Returns document 12346 (unauthorized!)

The application checks if the user is authenticated but doesn't verify they're authorized to access that specific document.

Mitigation:

• Always verify the requesting user has permission to access the specific object
• Use indirect references that map to object IDs only for authorized users
• Implement consistent authorization checks in data access layer

Privilege Escalation

Vertical Escalation: Gaining higher privileges than assigned

• Regular user accessing admin functions
• Exploiting flaws to elevate from user to admin

Horizontal Escalation: Accessing resources of peers

• User A accessing User B's data
• Same privilege level, different authorization scope

Causes:

• Missing authorization checks on sensitive functions
• Role manipulation through parameter tampering
• Session handling flaws that allow role switching

Broken Access Control Examples

Missing Authorization Check:

# VULNERABLE: No authorization check!
@app.route('/admin/users/<user_id>', methods=['DELETE'])
def delete_user(user_id):
    User.delete(user_id)
    return {'status': 'deleted'}

# SECURE: Verify admin role
@app.route('/admin/users/<user_id>', methods=['DELETE'])
@require_role('admin')  # Decorator enforces authorization
def delete_user(user_id):
    User.delete(user_id)
    return {'status': 'deleted'}

Client-Side Authorization (Dangerous):

// VULNERABLE: Authorization enforced only in UI
if (user.role === 'admin') {
    showAdminPanel();  // Attackers bypass this trivially
}

// SECURE: Server-side enforcement
// API returns 403 Forbidden for non-admins
// UI state reflects what server authorizes

Mass Assignment:

# VULNERABLE: Accepting all user-provided fields
@app.route('/profile', methods=['PUT'])
def update_profile():
    current_user.update(**request.json)  # Attacker sets {"role": "admin"}

# SECURE: Whitelist updatable fields
@app.route('/profile', methods=['PUT'])
def update_profile():
    allowed = ['name', 'email', 'avatar']
    updates = {k: v for k, v in request.json.items() if k in allowed}
    current_user.update(**updates)

Building robust authorization requires systematic design, consistent implementation, and continuous validation.

Design Principles

1. Centralize Authorization Logic

Don't scatter authorization checks throughout the codebase. Centralize in a policy service that all components consult:

                    ┌─────────────────────┐
                    │  Policy Decision    │
                    │     Point (PDP)     │
                    └──────────┬──────────┘
                               │
        ┌──────────┬───────────┼───────────┬──────────┐
        │          │           │           │          │
        ▼          ▼           ▼           ▼          ▼
   [API Gateway] [Service A] [Service B] [Service C] [UI]

2. Deny by Default

Implement fail-secure behavior: if authorization cannot be determined, deny access.

def check_authorization(user, resource, action) -> bool:
    try:
        return policy_engine.evaluate(user, resource, action)
    except Exception:
        log.error("Authorization decision failed - denying access")
        return False  # Fail secure

3. Layer Authorization Checks

Enforce authorization at multiple levels:

• Network layer: Firewall rules, network segmentation
• Application layer: API authorization, business logic checks
• Database layer: Row-level security, view restrictions

Data-Level Authorization

The most secure approach: filter unauthorized data at the query level, not in application code.

Insecure Pattern (Filter After Fetch):

-- Fetch ALL documents, then filter in code
SELECT * FROM documents;

-- Application code
filtered = [d for d in documents if d.owner_id == current_user.id]

Secure Pattern (Filter at Query):

-- Only fetch documents user is authorized to see
SELECT * FROM documents 
WHERE owner_id = :current_user_id 
   OR id IN (SELECT document_id FROM shared_access WHERE user_id = :current_user_id);

Row-Level Security (PostgreSQL):

-- Enable RLS on table
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- Policy: Users see only their documents and shared documents
CREATE POLICY user_document_access ON documents
  USING (
    owner_id = current_setting('app.current_user_id')::int
    OR id IN (
      SELECT document_id FROM shared_access 
      WHERE user_id = current_setting('app.current_user_id')::int
    )
  );

Microservices and API Authorization

Distributed systems complicate authorization: how do services authorize requests when they can't see the original user context?

JWT-Based Authorization:

Encoded claims flow with requests through the service mesh:

[User] ---(JWT)---> [API Gateway] ---(JWT)---> [Service A] ---(JWT)---> [Service B]

JWT Payload:
{
  "sub": "user123",
  "roles": ["editor"],
  "permissions": ["read:documents", "write:documents"],
  "tenant": "acme-corp",
  "exp": 1704067200
}

Each service validates the token signature and makes authorization decisions based on claims.

Limitations:

• Tokens can be stolen and replayed
• Claims are static until token expires
• Large claim sets inflate token size
• Revocation is difficult for stateless JWTs

Zero Trust Authorization

Zero Trust extends authorization beyond yes/no decisions to continuous, risk-based evaluation:

Principles:

1. Verify explicitly — Always authenticate and authorize based on all available data points
2. Use least privilege access — Limit access with just-in-time and just-enough-access
3. Assume breach — Minimize blast radius and segment access to contain compromises

Contextual Authorization Signals:

• User identity and authentication strength
• Device health and compliance status
• Network location and connection security
• Time and access patterns
• Resource sensitivity classification
• Threat intelligence indicators

Dynamic Access Decisions:

if (risk_score > threshold) {
    require_step_up_authentication();
}
if (device.compliance == 'non_compliant') {
    limit_access_to_low_sensitivity();
}
if (location == 'unknown' && time == 'unusual') {
    trigger_additional_verification();
}

Relationship-Based Authorization (ReBAC)

Authorization based on relationships between entities rather than static attributes:

// Google Zanzibar-style relationship tuples
document:report#viewer@user:alice
document:report#owner@user:bob
folder:engineering#member@group:engineers
group:engineers#member@user:alice

// Query: Can alice view report?
// Traverses: alice -> engineers -> engineering folder -> inherited viewer

ReBAC excels when access depends on how entities relate: file sharing, team membership, hierarchical resources.

Authorization—determining what authenticated entities may do—is essential for enforcing security policy. Without proper authorization, even perfect authentication leaves systems vulnerable. Let's consolidate the key concepts:

What's Next:

With authentication (proving identity) and authorization (controlling access) established, we now explore Non-repudiation—the mechanisms that ensure entities cannot deny having performed actions, providing the accountability and auditability essential for security governance.