Awesome Authorization

A curated list of information and resources about authorization.

Contributions welcome! Please see the contribution guide.

Table of Contents

• Overview
• Authentication vs. Authorization
• Access Control Models
• Security Concerns
• Best Practices
• Useful Articles & Tutorials
• Authz In Practice
• Videos & Talks
• Books

---

Overview

Authorization / Authorisation / Authz - "the process of verifying that a requested action or service is approved for a specific entity" [NIST]

• OWASP Authorization Cheat Sheet
• Wikipedia

Authentication vs. Authorization

• Authentication - Determines who someone or something is (identity)
• Authorization - Determines what someone or something can do in a system (permissions)
• Understanding Authentication, Authorization, and Encryption

Access Control Models

• Role Based Access Control (RBAC)
• Attribute Based Access Control (ABAC)
• Graph Based Access Control (GBAC)
• Relationship Based Access Control (ReBAC)
• Organization Based Access Control (OrBAC)
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)

Security Concerns

• Broken access control is #1 on OWASP's Top 10 for 2021
• Insecure Direct Object Reference
  • IDOR & How to Protect Against It
  • The Rise of IDOR

Best Practices

• OWASP Recommendations
• Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
• As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
• Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
• Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.

Useful Articles & Tutorials

• Web App Access Control Design - A presentation highlighting best practices for implementing access control in web apps.
• Ask HN: Best Practices for Web Authorization? (2016)
• Implementing Role Based Access Control
• AWS - Authz & Access Control for SaaS Multi-tenant Apps
• Permissions Systems: Category Notes - An overview of the permissions systems landscape.

Authz In Practice

• Zanzibar: Google's Consistent, Global Authorization System
  • Airbnb's Himeji
  • Carta's AuthZ
• Open Policy Agent
• XACML
  • Intuit's AuthZ

Videos & Talks

• How Netflix Is Solving Authorization Across Their Cloud (2017)
• Hashicorp - Microservice Authentication and Authorization (2019)

Books

• Contributions welcome!