Authorization in Action you own this product

Build policy-based access control for Zero Trust, APIs, SaaS, and AI agents

Phil Windley

MEAP began September 2025
Last updated May 2026
Publication in Fall 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

resources: Source code Book forum Source code on Github

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Managing relationships through digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy

7.1 Introducing Cedar

7.2 Policy structure: effect, scope, and conditions

7.2.1 Effect: what the policy does

7.2.2 Scope: when the policy applies

7.2.3 Conditions: under what circumstances

7.2.4 Putting it together

7.3 The PARC model: understanding policy evaluation

7.3.1 Cedar’s representation of PARC

7.3.2 Evaluating policies

7.3.3 Combining results from multiple policies

7.3.4 PARC as the bridge

7.4 Cedar’s unique design

7.4.1 Strong data types

7.4.2 Rich entity model

7.4.3 Clear namespace and type safety

7.4.4 What Cedar doesn’t include

7.4.5 Minimal operators with maximum impact

7.4.6 Safe and analyzable by design

7.4.7 Clean, simple, and powerful

7.5 Cedar’s distinctive strengths

7.6 Summary

8 Policy languages and frameworks

8.1 XACML: the first policy language standard

8.1.1 A XACML simple example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: Policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC Model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: Confidential Document Access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary

9 Implementing policies with Cedar

9.1 From primer to practice

9.2 Modeling your schema first

9.2.1 ACME’s core entities and actions

9.2.2 How schema shapes policies

9.2.3 Updating schema as your system evolves

9.3 Authoring ACME’s core policies

9.3.1 Permit view if on the right team

9.3.2 Owner can do all

9.3.3 Manager of owner can view and edit

9.4 Where does Cedar find data about entities?

9.5 Applying Cedar’s policy patterns

9.5.1 Discretionary permissions

9.5.2 Membership permissions

9.5.3 Relationship permissions

9.5.4 Mixing patterns for PBAC

9.6 Layering global constraints

9.7 Using policy templates and overrides

9.7.1 Templates

9.7.2 Overrides

9.8 Mapping requests to Cedar evaluations

9.9 From concept to policy

9.10 Summary

10 Policy as code: Effective authorization policies

10.1 Principles of effective authorization policies

10.1.1 Clarity and consistency

10.1.2 Least privilege

10.1.3 Separation of policy and data

10.1.4 Granularity and grouping

10.1.5 Stability across change

10.1.6 From principles to practice

10.2 Policy as code in practice

10.2.1 Schemas and validation

10.2.2 Versioning and review

10.2.3 Operational considerations

10.2.4 Continuous integration for policies

10.3 Testing policies effectively

10.4 Pulling it together

10.5 Summary

11 Authorization for APIs

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary

12 Authorization context

12.1 Policy Information Points (PIPs)

12.2 Entities: principals and resources

12.3 Signals and their delivery

12.3.1 What the signals are

12.3.2 How signals are delivered

12.3.3 ACME’s delivery choices

12.4 Freshness, caching, and revocation

12.4.1 The freshness spectrum

12.4.2 Caching strategies

12.4.3 Revocation and signal updates

12.4.4 ACME’s approach to freshness

12.5 Transmission and integrity of signals

12.5.1 How signals move

12.5.2 Protecting signals in transit

12.5.3 Limiting signal scope

12.6 Authorization context normalization

12.6.1 The normalization layer

12.6.2 Benefits of normalization

12.6.3 Extending SSF inside the organization

12.6.4 The broader lesson

12.7 Putting it all together

12.8 Summary

13 Using policy engines with existing systems

13.1 From internal tool to external service: ACME’s next chapter

13.2 Understanding the starting point

13.3 Identity and tenancy foundation for C³

13.3.1 From project IDs to tenants

13.3.2 Unified customer identity via OIDC

13.3.3 Device posture for ACME employees

13.4 Designing for externalized authorization

13.4.1 Platform and tenant PDPs

13.4.2 Deployment options for tenant PDPs

13.4.3 Authorization flow request

13.5 Policy enforcement points in the stack

13.5.1 Global enforcement: the ACME Gateway

13.5.2 Tenant-level enforcement: collaboration services

13.5.3 UI and client-side enforcement

13.5.4 Consistency through shared components

13.5.5 Operational trade-offs

13.5.6 Three layers of policy

13.5.7 Shared schema and type safety

13.5.8 Policy lifecycle and distribution

13.5.9 Governance and safety

13.5.10 Benefits of the layered model

13.6 Case studies inside ACME

13.6.1 Case 1: Cross-tenant legal review

13.6.2 Case 2: Support escalation

13.6.3 Case 3: Custom collaboration template

13.6.4 Case 4: Automated backup verification

13.6.5 Lessons from the pilots

13.7 Putting lessons into practice

13.7.1 Key insights

13.7.2 Integration checklist

13.7.3 Looking ahead

13.8 Summary

14 Policy governance

14.1 Why governance matters for authorization

14.2 The policy management lifecycle

14.2.1 Create

14.2.2 Review and approve

14.2.3 Deploy and use

14.2.4 Monitor

14.2.5 Update

14.2.6 Retire

14.3 Governance frameworks for policy management

14.3.1 The structure of governance

14.3.2 Roles and responsibilities

14.4 Identity Governance and Administration (IGA) and policy governance

14.5 Regulatory compliance and authorization

14.6 Best practices for policy governance

14.6.1 Establish clear ownership and accountability

14.6.2 Use shared templates and metadata

14.6.3 Integrate governance into existing workflows

14.6.4 Close the feedback loop

14.6.5 Align with identity governance

14.6.6 Measure and iterate

14.7 Governance as the foundation of trust

14.8 Summary

15 Security, zero trust, and authorization

15.1 Rethinking security for the Zero Trust era

15.2 Authorization is the foundation of Zero Trust

15.3 Policies for zero trust

15.3.1 Foundational security policies

15.3.2 Shared operational policies

15.3.3 Application policies

15.3.4 Putting the layers together

15.4 Using policy to control access

15.5 Measuring progress toward zero trust

15.5.1 Policy coverage

15.5.2 Signal quality

15.5.3 Decision consistency

15.5.4 Reduced perimeter reliance

15.5.5 Decline in authorization exceptions

15.6 Beyond security: the organizational payoff

15.6.1 Better alignment between teams

15.6.2 Improved auditability and incident response

15.6.3 Greater agility for product development

15.6.4 Improved governance and transparency

15.6.5 A more resilient security posture

15.6.6 More reliable access for legitimate users

15.7 The full payoff

15.8 Summary

16 Using verifiable credentials for authorization

16.1 Why authorization needs verifiable credentials

16.2 How verifiable credentials work

16.2.1 Credential presentation

16.2.2 Example: Contractor access using verifiable credentials

16.3 Trusting credential issuers

16.3.1 Example: ACME onboards AuditsRUs as a trusted issuer

16.3.2 Building and maintaining ACME’s trust store

16.4 Credential freshness, revocation, and assurance

16.5 Requesting verifiable credential presentations

16.6 Using verifiable credentials with policies

16.6.1 Allow access only to auditors from accredited firms

16.6.2 Require current certification from an accredited authority

16.7 Protocols and ecosystem integration

16.8 Applying verifiable credentials across ACME’s products

16.8.1 Supplier portal: Representing supplier authority across multi-tier relationships

16.8.2 Clinic integration: Clinicians from external organizations

16.8.3 Field technicians: Employer-issued scope-of-work credentials

16.8.4 Customer Collaboration Cloud (C³): Project-scoped roles in a multi-tenant platform

16.9 Operational and governance considerations

16.9.1 Deciding when to use verifiable credentials

16.9.2 Failure modes and fallback paths

16.9.3 Governance responsibilities

16.9.4 Rolling out verifiable credentials incrementally

16.10 Summary

17 AI in policy practice

17.1 AI is not your policy engine

17.2 Policy authoring and analysis with AI

17.2.1 Explaining existing behavior

17.2.2 Exploring alternative expressions of intent

17.2.3 Using concrete requests to ground analysis

17.2.4 Human judgment remains central

17.3 What AI can tell you about your authorization policies

17.3.1 Seeing what policies really do

17.3.2 Identifying gaps and edge cases

17.3.3 Asking better questions

17.3.4 From observation to accountability

17.4 Authorization before retrieval: making RAG safe by construction

17.4.1 A quick review of how RAG works

17.4.2 Retrieval is the enforcement boundary

17.4.3 From architectural principle to concrete flow

17.4.4 Safe by construction, not safe by instruction

17.5 From architecture to accountability: how AI helps policy become practice

17.5.1 Accountability starts with observable decisions

17.5.2 Turning reports into responsibility

17.5.3 Closing the feedback loop

17.5.4 Why architecture makes accountability possible

17.5.5 Policy as practice

17.6 Summary

18 Authorization for AI agents

18.1 Why authorization is the hard problem in agentic AI

18.2 How agents interact with external systems

18.3 A policy-aware agent loop

18.3.1 Authorization as part of the feedback loop

18.3.2 Defining operational boundaries with policy

18.3.3 From predefined workflows to governed behavior

18.3.4 Practical implications

18.4 Beyond denial: guiding agent behavior with policy constraints

18.4.1 From reactive enforcement to constraint-aware planning

18.4.2 Integrating constraints into the planning loop

18.4.3 Reducing trial and error

18.4.4 Policy as a source of guidance

18.4.5 From control to collaboration

18.5 Childproofing the control plane

18.6 Delegation and subagents

18.6.1 Delegation as data

18.6.2 Enforcing delegation at runtime

18.6.3 Policies that enforce delegation

18.6.4 Allowed and denied behavior

18.6.5 Delegation as constrained authority

18.6.6 Extending the policy-aware architecture

18.7 Cross-domain delegation among agents

18.8 Summary

19 Authorization as strategy

19.1 When authorization became the hard problem

19.2 The architecture ACME built

19.3 When the CIO and CISO finally agreed

19.4 What changed inside ACME

19.5 Where most organizations are today

19.6 A practical path forward

19.7 The next era of digital trust

19.8 ACME’s next move

19.9 Deciding continuously

19.10 Summary

Appendix

Appendix A: End-to-end example with Amazon Verified Permissions

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example

Appendix B: Step-by-step AI-assisted policy authoring

B.1 Why AI assistance is useful in policy authoring

B.2 Recap: the ACME policy environment

B.3 Getting set up: the companion repository and Cursor

B.4 Providing the right context to the AI

B.5 A human-in-the-loop authoring workflow

B.6 Steps for modifying a policy set to achieve a specific outcome

B.7 Guardrails and review checklist

B.8 Key takeaways

Appendix C: Cedar authorization with OpenClaw agents

C.1 How these demos are structured

C.2 Prerequisites

C.3 Demo 1: reactive authorization

C.3.1 Start the PDP and verify it’s working

C.3.2 Run the live agent

C.3.3 Observe denied behavior

C.3.4 Observe agent replanning

C.3.5 What this demo shows

C.4 Demo 2: constraint-aware planning

C.4.1 Start the PDP and verify that query constraints are working

C.4.2 Run the agent with constraint awareness

C.4.3 How policy residuals guide the agent

C.4.4 Compare with reactive behavior

C.5 Demo 3: delegation as data

C.5.1 A delegation record in practice

C.5.2 Policies behind delegation

C.5.3 Walk through the delegation notebook

C.5.4 What to observe

C.6 Wrapping up

Overview

1 Why authorization matters: Securing access in a digital world

Authorization is a foundational capability for modern digital systems because it determines not just who someone is, but what they are allowed to do. The chapter uses the Target breach as a cautionary example: attackers used stolen vendor credentials to move beyond the vendor’s legitimate access and reach sensitive payment systems, showing how weak authorization boundaries can turn a compromised account into a major incident. At the same time, authorization is not only a defensive security measure; it enables core product features in cloud services such as document sharing, multi-tenant SaaS, and large-scale platforms where different users, customers, devices, and services need carefully controlled access.

The chapter explains that traditional authorization approaches such as access control lists, groups, and role-based access control are often too static for today’s distributed, cloud-based, and multi-tenant environments. As systems grow, static permissions become difficult to scale, maintain, audit, and apply consistently. They struggle with changing context such as time, location, device posture, consent, job role, risk level, or temporary need. Dynamic authorization addresses these limitations by evaluating access requests at runtime using explicit, machine-readable policies. This makes access control more flexible, fine-grained, auditable, and aligned with zero trust principles, where every request must be evaluated rather than assumed safe.

The chapter presents policy-based access control as both an architectural pattern and a business enabler. By externalizing access decisions from application code, organizations can manage authorization through policies that are easier to test, update, review, and govern. It distinguishes between policies expressed as code, which define reusable rules, and policies represented as data, which capture relationships, attributes, and permissions that change over time; many systems need both. Dynamic authorization reduces operational costs, improves onboarding and offboarding, strengthens compliance, supports customer-facing features, enables faster product innovation, and helps organizations compete in environments shaped by SaaS, IoT, regulations, zero trust, and AI agents.

Embedding access logic throughout application code (left) creates tight coupling. Externalizing authorization into a separate component (right) makes access policies explicit, decouples decision-making from application behavior, and enables scalable, auditable access control.

Dynamic authorization can represent policy in two complementary ways. On the left, Policy as Code stores machine-readable policies in a repository that the access logic evaluates at runtime. On the right, Policy as Data stores relationships and attributes in a structured data store that the same access logic uses to determine decisions. Both approaches externalize policy from the application while supporting different kinds of flexibility.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero-trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What is the difference between authentication and authorization?

Authentication determines who is making a request, while authorization determines what that entity is allowed to do. Authentication is how a system recognizes an entity; authorization is how the system controls access to actions, resources, and data.

Why does the Target breach illustrate the importance of authorization?

The Target breach began with stolen credentials from an HVAC contractor, which was an authentication failure. But the breach became catastrophic because the attackers were able to use that vendor access to reach systems they should not have been able to access. This showed weak authorization boundaries and poor visibility into who could access what.

Why is digital identity described as managing relationships?

Digital identity systems exist to help systems recognize, remember, and relate to entities such as people, organizations, services, devices, or AI agents. Online systems must solve the “proximity problem” because interactions happen at a distance, so identity systems provide the foundation for knowing who or what is interacting with the system and how access should be handled.

What are the main limitations of traditional static authorization approaches?

Traditional approaches such as ACLs, groups, and roles are often static. They become difficult to scale, inflexible in dynamic situations, hard to maintain, inefficient in distributed systems, difficult to audit, prone to over-permissioning, and inconsistent across large organizations.

What is dynamic authorization?

Dynamic authorization makes access decisions at runtime using policies, request context, attributes, and relationships. Instead of relying only on fixed roles or static permission lists, it evaluates the current situation—such as user role, device posture, location, time, resource attributes, or approval status—to decide whether access should be allowed.

What is Policy-Based Access Control (PBAC)?

Policy-Based Access Control, or PBAC, externalizes access logic from application code and places it in policies evaluated by a policy engine. This makes authorization more flexible, fine-grained, auditable, and easier to maintain consistently across systems.

Why is authorization especially important for SaaS applications?

SaaS applications are usually multi-tenant, meaning many customers use the same service instance. Strong authorization is required to isolate each customer’s data while also supporting different roles and permissions within each customer’s organization. Dynamic authorization helps SaaS providers deliver secure, flexible product features at scale.

How does dynamic authorization support zero trust security?

Zero trust assumes that no user, device, or system should be trusted by default, even inside a network perimeter. It requires every access request to be evaluated. Dynamic authorization supports this by making fast, fine-grained decisions based on request context, identity attributes, resource attributes, and risk signals.

What is the difference between Policy as Code and Policy as Data?

Policy as Code represents authorization rules as machine-readable, version-controlled text that can be tested, reviewed, and deployed like software. Policy as Data represents permissions, relationships, and attributes as structured data, often stored in databases or graphs. Both can be used together to support flexible, scalable authorization.

What are the business benefits of dynamic authorization?

Dynamic authorization reduces operational costs, lowers administrative overhead, decreases over-permissioning, improves onboarding and offboarding, strengthens compliance, enables faster product innovation, improves customer experiences, and helps organizations differentiate through more flexible and secure access control features.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $27.99

you save $28.00 (50%)

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more