Dynamic Authorization you own this product

Adaptive access control

Phil Windley

MEAP began September 2025
Last updated February 2026
Publication in Summer 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

resources: Book forum

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy

7.1 Introducing Cedar

7.2 Policy structure: effect, scope, and conditions

7.2.1 Effect: what the policy does

7.2.2 Scope: when the policy applies

7.2.3 Conditions: under what circumstances

7.2.4 Putting it together

7.3 The PARC model: understanding policy evaluation

7.3.1 Cedar’s representation of PARC

7.3.2 Evaluating policies

7.3.3 Combining results from multiple policies

7.3.4 PARC as the bridge

7.4 Cedar’s unique design

7.4.1 Strong data types

7.4.2 Rich entity model

7.4.3 Clear namespace and type safety

7.4.4 What Cedar doesn’t include

7.4.5 Minimal operators with maximum impact

7.4.6 Safe and analyzable by design

7.4.7 Clean, simple, and powerful

7.5 Cedar’s distinctive strengths

7.6 Summary

8 Policy languages and frameworks

8.1 XACML: the first policy language standard

8.1.1 A XACML simple example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: Policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC Model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: Confidential Document Access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary

9 Implementing policies with Cedar

9.1 From primer to practice

9.2 Modeling your schema first

9.2.1 ACME’s core entities and actions

9.2.2 How schema shapes policies

9.2.3 Updating schema as your system evolves

9.3 Authoring ACME’s core policies

9.3.1 Permit view if on the right team

9.3.2 Owner can do all

9.3.3 Manager of owner can view and edit

9.4 Where does Cedar find data about entities?

9.5 Applying Cedar’s policy patterns

9.5.1 Discretionary permissions

9.5.2 Membership permissions

9.5.3 Relationship permissions

9.5.4 Mixing patterns for PBAC

9.6 Layering global constraints

9.7 Using policy templates and overrides

9.7.1 Templates

9.7.2 Overrides

9.8 Mapping requests to Cedar evaluations

9.9 From concept to policy

9.10 Summary

10 Policy as code: Effective authorization policies

10.1 Principles of effective authorization policies

10.1.1 Clarity and consistency

10.1.2 Least privilege

10.1.3 Separation of policy and data

10.1.4 Granularity and grouping

10.1.5 Stability across change

10.1.6 From principles to practice

10.2 Policy as code in practice

10.2.1 Schemas and validation

10.2.2 Versioning and review

10.2.3 Operational considerations

10.2.4 Continuous integration for policies

10.3 Testing policies effectively

10.4 Pulling it together

10.5 Summary

11 Authorization for APIs

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary

12 Authorization context

12.1 Policy Information Points (PIPs)

12.2 Entities: principals and resources

12.3 Signals and their delivery

12.3.1 What the signals are

12.3.2 How signals are delivered

12.3.3 ACME’s delivery choices

12.4 Freshness, caching, and revocation

12.4.1 The freshness spectrum

12.4.2 Caching strategies

12.4.3 Revocation and signal updates

12.4.4 ACME’s approach to freshness

12.5 Transmission and integrity of signals

12.5.1 How signals move

12.5.2 Protecting signals in transit

12.5.3 Limiting signal scope

12.6 Authorization context normalization

12.6.1 The normalization layer

12.6.2 Benefits of normalization

12.6.3 Extending SSF inside the organization

12.6.4 The broader lesson

12.7 Putting it all together

12.8 Summary

13 Using policy engines with existing systems

13.1 From internal tool to external service: ACME’s next chapter

13.2 Understanding the starting point

13.3 Identity and tenancy foundation for C³

13.3.1 From project IDs to tenants

13.3.2 Unified customer identity via OIDC

13.3.3 Device posture for ACME employees

13.4 Designing for externalized authorization

13.4.1 Platform and tenant PDPs

13.4.2 Deployment options for tenant PDPs

13.4.3 Authorization flow request

13.5 Policy enforcement points in the stack

13.5.1 Global enforcement: the ACME Gateway

13.5.2 Tenant-level enforcement: collaboration services

13.5.3 UI and client-side enforcement

13.5.4 Consistency through shared components

13.5.5 Operational trade-offs

13.5.6 Three layers of policy

13.5.7 Shared schema and type safety

13.5.8 Policy lifecycle and distribution

13.5.9 Governance and safety

13.5.10 Benefits of the layered model

13.6 Case studies inside ACME

13.6.1 Case 1: Cross-tenant legal review

13.6.2 Case 2: Support escalation

13.6.3 Case 3: Custom collaboration template

13.6.4 Case 4: Automated backup verification

13.6.5 Lessons from the pilots

13.7 Putting lessons into practice

13.7.1 Key insights

13.7.2 Integration checklist

13.7.3 Looking ahead

13.8 Summary

14 Policy governance

14.1 Why governance matters for authorization

14.2 The policy management lifecycle

14.2.1 Create

14.2.2 Review and approve

14.2.3 Deploy and use

14.2.4 Monitor

14.2.5 Update

14.2.6 Retire

14.3 Governance frameworks for policy management

14.3.1 The structure of governance

14.3.2 Roles and responsibilities

14.4 Identity Governance and Administration (IGA) and policy governance

14.5 Regulatory compliance and authorization

14.6 Best practices for policy governance

14.6.1 Establish clear ownership and accountability

14.6.2 Use shared templates and metadata

14.6.3 Integrate governance into existing workflows

14.6.4 Close the feedback loop

14.6.5 Align with identity governance

14.6.6 Measure and iterate

14.7 Governance as the foundation of trust

14.8 Summary

15 Security, zero trust, and authorization

15.1 Rethinking security for the Zero Trust era

15.2 Authorization is the foundation of Zero Trust

15.3 Policies for zero trust

15.3.1 Foundational security policies

15.3.2 Shared operational policies

15.3.3 Application policies

15.3.4 Putting the layers together

15.4 Using policy to control access

15.5 Measuring progress toward zero trust

15.5.1 Policy coverage

15.5.2 Signal quality

15.5.3 Decision consistency

15.5.4 Reduced perimeter reliance

15.5.5 Decline in authorization exceptions

15.6 Beyond security: the organizational payoff

15.6.1 Better alignment between teams

15.6.2 Improved auditability and incident response

15.6.3 Greater agility for product development

15.6.4 Improved governance and transparency

15.6.5 A more resilient security posture

15.6.6 More reliable access for legitimate users

15.7 The full payoff

15.8 Summary

16 Using verifiable credentials for authorization

17 AI in policy practice

18 Authorization in agentic AI

19 Conclusion

Appendix

Appendix A: End-to-end example with Amazon Verified Permissions

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example

Appendix B: Step-by-step AI-assisted policy authoring

B.1 Why AI assistance is useful in policy authoring

B.2 Recap: the ACME policy environment

B.3 Getting set up: the companion repository and Cursor

B.4 Providing the right context to the AI

B.5 A human-in-the-loop authoring workflow

B.6 Steps for modifying a policy set to achieve a specific outcome

B.7 Guardrails and review checklist

B.8 Key takeaways

Overview

1 Why authorization matters: Securing access in a digital world

Modern digital systems depend on more than verifying who a user is—they must also control precisely what that user can do. This chapter illustrates the stakes with the 2013 Target breach, where weak authorization boundaries turned a contractor credential compromise into a major incident. It explains how digital identity underpins both security and product functionality: authentication recognizes entities, accounts remember them, and authorization governs their actions. Far beyond protecting IT, authorization enables core experiences in cloud apps and platforms—such as document sharing, multi-tenant isolation, and fine-grained controls at global scale.

Traditional, static approaches like ACLs and RBAC struggle with today’s scale and complexity. They are hard to maintain, inflexible to context (device, time, location, risk), inefficient across distributed systems, opaque to audit, and prone to over-permissioning—undermining both security and compliance. Dynamic authorization addresses these gaps by evaluating policies at runtime, enabling just-in-time and context-aware decisions. The chapter introduces policy-based access control (PBAC) and two complementary representations: Policy as Code (general, reusable, testable rules) and Policy as Data (relationship- and attribute-driven permissions). Used together, they deliver scalable, fine-grained, auditable, and consistent decisions required by zero trust, multi-tenancy, consent-based access, PAM, and complex domain rules.

Authorization has become a strategic business capability. Trends like SaaS, zero trust, IoT, evolving regulations, and AI agents demand flexible, fine-grained controls that are easy to change and prove. Dynamic authorization reduces operational costs (fewer manual changes and access tickets, safer onboarding/offboarding), improves agility (policy changes over code changes), enhances customer experience (secure sharing, tiered features, per-tenant rules), and strengthens security and compliance (least privilege, contextual access, comprehensive logging). Treating authorization as a core platform—rather than scattered logic in apps—turns a liability into a differentiator and equips organizations to scale securely and compete effectively.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero-trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What’s the difference between authentication and authorization, and why do both matter?

Authentication verifies who is making a request; authorization determines what that entity is allowed to do. Strong authentication without precise authorization still leaves systems exposed. The Target breach shows that once attackers impersonated a vendor (authentication failure), weak authorization boundaries let them reach critical systems. Modern apps like Google Docs and AWS also rely on authorization to safely enable sharing, delegation, and multi-tenant isolation.

What did the 2013 Target breach reveal about weak authorization?

Attackers phished an HVAC contractor, used the stolen credentials to enter Target’s network, and moved to point-of-sale systems. The core failures were poor authorization boundaries (vendor access wasn’t limited to necessary systems), limited visibility into who could access what, and slow incident response despite alerts. The result was large-scale data theft and major financial and reputational damage.

Why do static access controls like ACLs and RBAC fall short in modern environments?

Static models rely on fixed lists and roles, which struggle with: - Scalability: exploding principals, actions, and resources. - Flexibility: can’t easily use context (time, location, device posture) or approvals. - Maintainability: role/ACL sprawl, over- and under-permissioning. - Inefficiency: combinatorial group growth in multi-tenant/distributed systems. - Auditability and transparency: hard to answer “who has access to what?” or prove compliance. - Security: lingering excess privileges and partial Zero Trust coverage.

What is dynamic authorization and Policy-Based Access Control (PBAC)?

Dynamic authorization evaluates access at runtime using policies, decoupled from application code. A policy engine considers context (e.g., device, time, consent, department) to allow or deny requests. PBAC provides fine-grained, auditable, and consistent decisions across services, scaling better than hardcoded rules or static lists.

How do Policy as Code and Policy as Data differ, and when should I use each?

- Policy as Code: Policies are written like software (versioned, tested, CI/CD), ideal for broad, reusable rules (e.g., “Only employees on managed devices can access critical resources”). Example languages include Cedar. - Policy as Data: Access logic is captured as relationships/attributes (e.g., document owners, editors, folder hierarchies) stored in a database/graph and evaluated at runtime. Most systems need both: code for global/contextual rules and data for per-resource relationships, often combined in one decision.

How does dynamic authorization enable Zero Trust?

Zero Trust assumes breach and authorizes every request, not just session start. PBAC evaluates each action against current context (identity, device posture, risk, location, time). This per-request, fine-grained decisioning is impractical with static lists but achievable and performant with a policy engine.

How does dynamic authorization improve compliance and auditability?

Policies can encode least privilege, separation of duties, consent requirements, and time-bound access. Because policies are explicit, versioned, and enforced centrally, auditors can review policy and logs rather than untangling scattered ACLs. Updates to meet evolving regulations (SOX, GDPR, HIPAA) become policy changes instead of bespoke code rewrites.

Why is dynamic authorization essential for SaaS and multi-tenant platforms?

SaaS demands strict tenant isolation plus diverse, tenant-specific rules. PBAC lets vendors externalize access logic, support granular sharing/delegation, and enforce subscription tiers without hardcoding. It scales to millions of users/resources and adapts as customers, org structures, and features evolve.

How does dynamic authorization support IoT and AI use cases?

- IoT: Restricts device permissions to real needs, reduces lateral movement risk, and can make context-aware decisions at the edge (e.g., on-shift access, environment signals). - AI/GenAI: Governs agent actions on a user’s behalf and protects data in RAG systems so answers only use information the requester is authorized to see.

What are the business benefits of adopting dynamic authorization?

Organizations gain: - Lower operational costs: fewer manual permissions changes, fewer access tickets, smoother onboarding/offboarding. - Agility and innovation: faster launches, easier partner access, policy-driven feature rollouts. - Better customer experience: safe sharing, delegation, and tiered features. - Stronger security and compliance: consistent least-privilege enforcement and simpler audits. - Competitive differentiation: enterprise-ready, fine-grained control without custom code.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $33.59

you save $22.40 (40%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $33.59

you save $22.40 (40%)

eBook

pdf, ePub, online

$55.99 $33.59

you save $22.40 (40%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more