Dynamic Authorization you own this product

Adaptive access control

Phil Windley

MEAP began September 2025
Last updated September 2025
Publication in Summer 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Using authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy: a Cedar primer

8 Other policy languages and frameworks

9 Implementing policies with Cedar

10 Policy as code: An introduction

11 Designing effective authorization policies

12 Authorization for APIs

13 Authorization context

14 Verifiable credentials and authorization

15 Testing and validating policies

16 Using policy engines with existing systems

17 Challenges and considerations

18 Policy governance

19 Security, zero trust, and authorization

20 Authorization and artificial intelligence

21 Conclusion

Appendix

Appendix A: Using Cedar

Overview

1 Why authorization matters: Securing access in a digital world

Modern digital systems depend on more than proving who a user is; they must decide what that user, device, or service can do in each moment. This chapter argues that authorization is both a security control and an essential product capability, enabling collaboration, sharing, and safe multi-tenancy at internet scale. Using the Target breach as a cautionary tale, it shows how weak authorization boundaries and governance can turn a small compromise into a systemic failure, and contrasts that with the everyday ways strong authorization powers cloud platforms and apps—from document sharing to finely segmented access in hyperscale services.

Traditional, static approaches like ACLs, groups, and RBAC struggle in today’s dynamic environments. They don’t scale cleanly as users, resources, and actions multiply; they lack flexibility to factor in context (time, location, device health, approvals); they are hard to maintain without role and list sprawl; they are inefficient and opaque across distributed, multi-tenant systems; and they impede auditability, least privilege, and zero-trust goals. The result is over-permissioning, policy drift, and costly, error-prone custom logic that can’t keep pace with changes in org structure, regulations, or real-time risk.

Dynamic authorization addresses these gaps by evaluating fine-grained, context-aware policies at runtime. The chapter introduces policy-based access control and two complementary representations: Policy as Code (rules expressed in machine-readable, versioned policy languages, testable and automatable) and Policy as Data (relationship- and attribute-centric permissions managed and queried dynamically). Used together, they deliver scalability, flexibility, auditability, and performance required by SaaS, zero trust, IoT, and AI-driven applications. Beyond security, the business impact is significant: lower operational cost, faster onboarding/offboarding, fewer access tickets, greater agility for new products and partnerships, improved customer experiences, stronger compliance, and competitive differentiation—making dynamic authorization a strategic imperative.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demand more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What’s the difference between authentication and authorization?

Authentication determines who is making a request (identity). Authorization determines what that authenticated entity is allowed to do (permissions). Modern systems need both: knowing “who” isn’t enough without controlling “what” they can access.

What did the Target breach illustrate about authorization and access governance?

Attackers used a vendor’s stolen credentials to move beyond intended billing/project access and reach point-of-sale systems. Weak authorization boundaries, limited visibility into who-can-access-what, and delayed incident response turned a contained issue into a large breach—showing why strong, enforced, and observable authorization is critical.

Why do static methods like ACLs, groups, and RBAC fall short today?

Scalability: Lists/roles explode as principals, resources, and actions grow.
Flexibility: They don’t adapt to context (time, device, location, risk, approvals).
Maintainability: Role/ACL sprawl leads to over- or under-permissioning.
Inefficiency: Hard to coordinate across multi-tenant, distributed systems.
Auditability: Opaque, fragmented permissions make compliance hard.
Security: Stale, excess access violates least privilege and zero-trust goals.
Consistency/Transparency: Policies are hidden in code and lists, not centrally visible.

What is dynamic authorization and Policy-Based Access Control (PBAC)?

Dynamic authorization evaluates access at runtime using policies and context (who, what, action, risk, device, time, consent) instead of static lists. PBAC separates access logic from application code and uses a policy engine to make consistent, fine-grained, auditable decisions at scale.

What’s the difference between Policy as Code and Policy as Data?

Policy as Code: Rules written in a policy language, versioned, tested, and deployed like software; ideal for broad, reusable logic (for example, “only employees on secure, managed devices can access critical resources”).
Policy as Data: Access-relevant relationships/attributes stored as structured data (for example, document owner/editor/viewer graphs), ideal when each resource has unique, evolving relationships.

Should I choose Policy as Code or Policy as Data—and can they work together?

Most systems benefit from both. Use Policy as Code for universal rules (least privilege, device posture, approvals), and Policy as Data for per-resource relationships (owners, teams, folders). Combined, you get scalable, context-aware rules plus granular, user-driven sharing without changing code.

How does dynamic authorization enable zero-trust security?

Zero trust assumes breach and evaluates every request, not just session start. PBAC can check context each time (identity, device posture, risk, time, location, approvals) and enforce least privilege quickly enough to keep user experience smooth, making practical zero-trust deployments possible.

Where is dynamic authorization especially important (SaaS, IoT, AI)?

SaaS: Multi-tenancy, tenant isolation, and per-tenant rules; features like sharing, delegated admin, and tiered plans (for example, Google Docs, AWS, Salesforce).
IoT: Constrains device actions, adapts to environment and risk, and supports edge decisions for large, heterogeneous deployments.
AI/GenAI/RAG: Ensures responses only include data a user is permitted to see; controls what AI agents can do on a user’s behalf.

How does dynamic authorization improve compliance and auditability?

Policies encode regulatory requirements (for example, HIPAA purpose limits, SOX least privilege, GDPR consent). Engines log decisions for review, policies are version-controlled, and access revokes/expirations are automatic—making it easier to answer “who can access what and why?”

What business benefits can we expect from adopting dynamic authorization?

Lower costs: Fewer manual permission changes, reduced ticket volume, smoother onboarding/offboarding.
Agility: Faster product launches, partner onboarding, and responses to regulatory changes—often via policy updates, not code.
Better experiences: Right-time access, feature personalization, safer sharing, and subscription enforcement.
Competitive edge: Enterprise-grade security and flexibility without bespoke authorization code.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $27.99

you save $28.00 (50%)

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more