Authorization in Action you own this product

Build policy-based access control for Zero Trust, APIs, SaaS, and AI agents

Phil Windley

MEAP began September 2025
Last updated March 2026
Publication in Fall 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

resources: Book forum

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Managing relationships through digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy

7.1 Introducing Cedar

7.2 Policy structure: effect, scope, and conditions

7.2.1 Effect: what the policy does

7.2.2 Scope: when the policy applies

7.2.3 Conditions: under what circumstances

7.2.4 Putting it together

7.3 The PARC model: understanding policy evaluation

7.3.1 Cedar’s representation of PARC

7.3.2 Evaluating policies

7.3.3 Combining results from multiple policies

7.3.4 PARC as the bridge

7.4 Cedar’s unique design

7.4.1 Strong data types

7.4.2 Rich entity model

7.4.3 Clear namespace and type safety

7.4.4 What Cedar doesn’t include

7.4.5 Minimal operators with maximum impact

7.4.6 Safe and analyzable by design

7.4.7 Clean, simple, and powerful

7.5 Cedar’s distinctive strengths

7.6 Summary

8 Policy languages and frameworks

8.1 XACML: the first policy language standard

8.1.1 A XACML simple example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: Policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC Model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: Confidential Document Access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary

9 Implementing policies with Cedar

9.1 From primer to practice

9.2 Modeling your schema first

9.2.1 ACME’s core entities and actions

9.2.2 How schema shapes policies

9.2.3 Updating schema as your system evolves

9.3 Authoring ACME’s core policies

9.3.1 Permit view if on the right team

9.3.2 Owner can do all

9.3.3 Manager of owner can view and edit

9.4 Where does Cedar find data about entities?

9.5 Applying Cedar’s policy patterns

9.5.1 Discretionary permissions

9.5.2 Membership permissions

9.5.3 Relationship permissions

9.5.4 Mixing patterns for PBAC

9.6 Layering global constraints

9.7 Using policy templates and overrides

9.7.1 Templates

9.7.2 Overrides

9.8 Mapping requests to Cedar evaluations

9.9 From concept to policy

9.10 Summary

10 Policy as code: Effective authorization policies

10.1 Principles of effective authorization policies

10.1.1 Clarity and consistency

10.1.2 Least privilege

10.1.3 Separation of policy and data

10.1.4 Granularity and grouping

10.1.5 Stability across change

10.1.6 From principles to practice

10.2 Policy as code in practice

10.2.1 Schemas and validation

10.2.2 Versioning and review

10.2.3 Operational considerations

10.2.4 Continuous integration for policies

10.3 Testing policies effectively

10.4 Pulling it together

10.5 Summary

11 Authorization for APIs

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary

12 Authorization context

12.1 Policy Information Points (PIPs)

12.2 Entities: principals and resources

12.3 Signals and their delivery

12.3.1 What the signals are

12.3.2 How signals are delivered

12.3.3 ACME’s delivery choices

12.4 Freshness, caching, and revocation

12.4.1 The freshness spectrum

12.4.2 Caching strategies

12.4.3 Revocation and signal updates

12.4.4 ACME’s approach to freshness

12.5 Transmission and integrity of signals

12.5.1 How signals move

12.5.2 Protecting signals in transit

12.5.3 Limiting signal scope

12.6 Authorization context normalization

12.6.1 The normalization layer

12.6.2 Benefits of normalization

12.6.3 Extending SSF inside the organization

12.6.4 The broader lesson

12.7 Putting it all together

12.8 Summary

13 Using policy engines with existing systems

13.1 From internal tool to external service: ACME’s next chapter

13.2 Understanding the starting point

13.3 Identity and tenancy foundation for C³

13.3.1 From project IDs to tenants

13.3.2 Unified customer identity via OIDC

13.3.3 Device posture for ACME employees

13.4 Designing for externalized authorization

13.4.1 Platform and tenant PDPs

13.4.2 Deployment options for tenant PDPs

13.4.3 Authorization flow request

13.5 Policy enforcement points in the stack

13.5.1 Global enforcement: the ACME Gateway

13.5.2 Tenant-level enforcement: collaboration services

13.5.3 UI and client-side enforcement

13.5.4 Consistency through shared components

13.5.5 Operational trade-offs

13.5.6 Three layers of policy

13.5.7 Shared schema and type safety

13.5.8 Policy lifecycle and distribution

13.5.9 Governance and safety

13.5.10 Benefits of the layered model

13.6 Case studies inside ACME

13.6.1 Case 1: Cross-tenant legal review

13.6.2 Case 2: Support escalation

13.6.3 Case 3: Custom collaboration template

13.6.4 Case 4: Automated backup verification

13.6.5 Lessons from the pilots

13.7 Putting lessons into practice

13.7.1 Key insights

13.7.2 Integration checklist

13.7.3 Looking ahead

13.8 Summary

14 Policy governance

14.1 Why governance matters for authorization

14.2 The policy management lifecycle

14.2.1 Create

14.2.2 Review and approve

14.2.3 Deploy and use

14.2.4 Monitor

14.2.5 Update

14.2.6 Retire

14.3 Governance frameworks for policy management

14.3.1 The structure of governance

14.3.2 Roles and responsibilities

14.4 Identity Governance and Administration (IGA) and policy governance

14.5 Regulatory compliance and authorization

14.6 Best practices for policy governance

14.6.1 Establish clear ownership and accountability

14.6.2 Use shared templates and metadata

14.6.3 Integrate governance into existing workflows

14.6.4 Close the feedback loop

14.6.5 Align with identity governance

14.6.6 Measure and iterate

14.7 Governance as the foundation of trust

14.8 Summary

15 Security, zero trust, and authorization

15.1 Rethinking security for the Zero Trust era

15.2 Authorization is the foundation of Zero Trust

15.3 Policies for zero trust

15.3.1 Foundational security policies

15.3.2 Shared operational policies

15.3.3 Application policies

15.3.4 Putting the layers together

15.4 Using policy to control access

15.5 Measuring progress toward zero trust

15.5.1 Policy coverage

15.5.2 Signal quality

15.5.3 Decision consistency

15.5.4 Reduced perimeter reliance

15.5.5 Decline in authorization exceptions

15.6 Beyond security: the organizational payoff

15.6.1 Better alignment between teams

15.6.2 Improved auditability and incident response

15.6.3 Greater agility for product development

15.6.4 Improved governance and transparency

15.6.5 A more resilient security posture

15.6.6 More reliable access for legitimate users

15.7 The full payoff

15.8 Summary

16 Using verifiable credentials for authorization

16.1 Why authorization needs verifiable credentials

16.2 How verifiable credentials work

16.2.1 Credential presentation

16.2.2 Example: Contractor access using verifiable credentials

16.3 Trusting credential issuers

16.3.1 Example: ACME onboards AuditsRUs as a trusted issuer

16.3.2 Building and maintaining ACME’s trust store

16.4 Credential freshness, revocation, and assurance

16.5 Requesting verifiable credential presentations

16.6 Using verifiable credentials with policies

16.6.1 Allow access only to auditors from accredited firms

16.6.2 Require current certification from an accredited authority

16.7 Protocols and ecosystem integration

16.8 Applying verifiable credentials across ACME’s products

16.8.1 Supplier portal: Representing supplier authority across multi-tier relationships

16.8.2 Clinic integration: Clinicians from external organizations

16.8.3 Field technicians: Employer-issued scope-of-work credentials

16.8.4 Customer Collaboration Cloud (C³): Project-scoped roles in a multi-tenant platform

16.9 Operational and governance considerations

16.9.1 Deciding when to use verifiable credentials

16.9.2 Failure modes and fallback paths

16.9.3 Governance responsibilities

16.9.4 Rolling out verifiable credentials incrementally

16.10 Summary

17 AI in policy practice

18 Authorization in agentic AI

19 Conclusion

Appendix

Appendix A: End-to-end example with Amazon Verified Permissions

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example

Appendix B: Step-by-step AI-assisted policy authoring

B.1 Why AI assistance is useful in policy authoring

B.2 Recap: the ACME policy environment

B.3 Getting set up: the companion repository and Cursor

B.4 Providing the right context to the AI

B.5 A human-in-the-loop authoring workflow

B.6 Steps for modifying a policy set to achieve a specific outcome

B.7 Guardrails and review checklist

B.8 Key takeaways

Overview

1 Why authorization matters: Securing access in a digital world

Authorization is presented as a foundational capability for modern digital systems, not merely a security checklist item. The chapter uses the Target breach to show how weak access boundaries can turn a compromised credential into a major incident, emphasizing the distinction between authentication—knowing who is making a request—and authorization—deciding what that entity is allowed to do. It also explains that digital identity systems exist to manage relationships by recognizing, remembering, and relating to people, services, devices, organizations, and even AI agents. In this view, authorization is central both to protecting systems and to enabling product features such as document sharing, tenant isolation, and delegated access.

The chapter argues that traditional authorization methods such as access control lists, groups, and roles are often too static for today’s distributed, multi-tenant, cloud-based environments. As systems grow, these approaches become difficult to scale, maintain, audit, and secure; they also struggle with contextual decisions involving time, location, device posture, consent, temporary access, or regulatory requirements. Dynamic authorization addresses these problems by evaluating access requests at runtime using explicit, machine-readable policies. Policy-based access control externalizes authorization logic from application code, making decisions more consistent, flexible, auditable, and aligned with zero trust principles, SaaS needs, IoT deployments, regulatory compliance, and emerging AI use cases.

The chapter also introduces two complementary ways to represent dynamic authorization: Policy as Code and Policy as Data. Policy as Code treats access rules like software, allowing them to be versioned, tested, reviewed, and deployed through normal engineering practices. Policy as Data stores relationships, attributes, permissions, or resource metadata in structured systems that policy engines can query when making decisions. Together, these approaches let organizations automate access management, reduce operational costs, improve onboarding and offboarding, support fine-grained customer experiences, adapt quickly to business changes, and strengthen compliance. The chapter concludes that dynamic authorization is a strategic architectural capability that helps organizations build systems that are safer, more adaptable, easier to govern, and better prepared for innovation.

Embedding access logic throughout application code (left) creates tight coupling. Externalizing authorization into a separate component (right) makes access policies explicit, decouples decision-making from application behavior, and enables scalable, auditable access control.

Dynamic authorization can represent policy in two complementary ways. On the left, Policy as Code stores machine-readable policies in a repository that the access logic evaluates at runtime. On the right, Policy as Data stores relationships and attributes in a structured data store that the same access logic uses to determine decisions. Both approaches externalize policy from the application while supporting different kinds of flexibility.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero-trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

Why does authorization matter in modern digital systems?

Authorization matters because authentication only answers “who is making the request,” while authorization answers “what is that entity allowed to do.” Modern systems must control access across users, services, devices, partners, tenants, and AI agents. Strong authorization prevents breaches, supports compliance, enables product features like sharing and delegation, and helps organizations scale securely.

What lesson does the Target breach teach about authorization?

The Target breach shows that knowing who has access is not enough; organizations must also strictly control what that access permits. Attackers used stolen credentials from an HVAC contractor, whose legitimate access should have been limited to vendor-related systems. Weak authorization boundaries allowed the attackers to move beyond those systems and reach payment infrastructure, contributing to a massive breach.

What is the difference between authentication and authorization?

Authentication, often abbreviated as authn, determines whether an entity is who it claims to be. Authorization, often abbreviated as authz, determines what that authenticated entity is allowed to access or do. Authentication recognizes the entity; authorization controls the permitted actions on resources.

Why are traditional authorization methods like ACLs, groups, and roles often insufficient?

Traditional methods are often static, relying on preconfigured lists, groups, or role assignments. As systems grow, these approaches become difficult to scale, maintain, audit, and adapt to changing context. They can lead to over-permissioning, role proliferation, inconsistent policy enforcement, and poor visibility into who has access to what.

What is dynamic authorization?

Dynamic authorization makes access decisions at runtime using policies, attributes, relationships, and request context. Instead of relying only on static permissions, it can consider factors such as time, location, device posture, user role, department, consent, risk level, or whether someone is currently on call. This allows access control to be more flexible, fine-grained, auditable, and responsive to change.

What is policy-based access control, or PBAC?

Policy-based access control, or PBAC, externalizes authorization logic from application code and places it in policies evaluated by a policy engine. This makes access decisions explicit, easier to maintain, easier to audit, and more consistent across systems. PBAC helps organizations implement fine-grained and scalable access control without scattering authorization rules throughout application code or databases.

How does dynamic authorization support zero trust security?

Zero trust assumes breach and requires every access request to be evaluated rather than trusting users or systems simply because they are inside a network perimeter. Dynamic authorization supports this model by making fast, context-aware decisions for each request. Policies can consider factors such as device health, user attributes, resource sensitivity, location, and risk signals.

What is the difference between Policy as Code and Policy as Data?

Policy as Code represents authorization rules as machine-readable, version-controlled policy text that can be tested, reviewed, deployed, and audited like software. Policy as Data represents access-related information as structured data, such as relationships, roles, attributes, or permissions stored in a database or graph. Policy as Code is useful for broad reusable rules, while Policy as Data is useful for dynamic relationships and fine-grained permissions.

Why do SaaS applications need strong authorization?

SaaS applications are usually multi-tenant, meaning many customers use the same service instance. Authorization ensures that each customer’s data is isolated while also allowing each tenant to define internal access for employees, administrators, contractors, and partners. Strong authorization also enables product features such as team sharing, delegated access, subscription-based functionality, and customer-specific access policies.

What are the business benefits of dynamic authorization?

Dynamic authorization can reduce operational costs, lower administrative overhead, decrease over-permissioning, improve onboarding and offboarding, reduce access-related support tickets, and simplify audits. It also improves business agility by making access changes easier, strengthens compliance, enables better customer experiences, and can provide competitive differentiation through secure, flexible product features.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $39.19

you save $16.80 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $39.19

you save $16.80 (30%)

eBook

pdf, ePub, online

$55.99 $39.19

you save $16.80 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more