Dynamic Authorization you own this product

Adaptive access control

Phil Windley

MEAP began September 2025
Last updated January 2026
Publication in Summer 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy

7.1 Introducing Cedar

7.2 Policy structure: effect, scope, and conditions

7.2.1 Effect: what the policy does

7.2.2 Scope: when the policy applies

7.2.3 Conditions: under what circumstances

7.2.4 Putting it together

7.3 The PARC model: understanding policy evaluation

7.3.1 Cedar’s representation of PARC

7.3.2 Evaluating policies

7.3.3 Combining results from multiple policies

7.3.4 PARC as the bridge

7.4 Cedar’s unique design

7.4.1 Strong data types

7.4.2 Rich entity model

7.4.3 Clear namespace and type safety

7.4.4 What Cedar doesn’t include

7.4.5 Minimal operators with maximum impact

7.4.6 Safe and analyzable by design

7.4.7 Clean, simple, and powerful

7.5 Cedar’s distinctive strengths

7.6 Summary

8 Policy languages and frameworks

8.1 XACML: the first policy language standard

8.1.1 A XACML simple example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: Policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC Model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: Confidential Document Access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary

9 Implementing policies with Cedar

9.1 From primer to practice

9.2 Modeling your schema first

9.2.1 ACME’s core entities and actions

9.2.2 How schema shapes policies

9.2.3 Updating schema as your system evolves

9.3 Authoring ACME’s core policies

9.3.1 Permit view if on the right team

9.3.2 Owner can do all

9.3.3 Manager of owner can view and edit

9.4 Where does Cedar find data about entities?

9.5 Applying Cedar’s policy patterns

9.5.1 Discretionary permissions

9.5.2 Membership permissions

9.5.3 Relationship permissions

9.5.4 Mixing patterns for PBAC

9.6 Layering global constraints

9.7 Using policy templates and overrides

9.7.1 Templates

9.7.2 Overrides

9.8 Mapping requests to Cedar evaluations

9.9 From concept to policy

9.10 Summary

10 Policy as code: Effective authorization policies

10.1 Principles of effective authorization policies

10.1.1 Clarity and consistency

10.1.2 Least privilege

10.1.3 Separation of policy and data

10.1.4 Granularity and grouping

10.1.5 Stability across change

10.1.6 From principles to practice

10.2 Policy as code in practice

10.2.1 Schemas and validation

10.2.2 Versioning and review

10.2.3 Operational considerations

10.2.4 Continuous integration for policies

10.3 Testing policies effectively

10.4 Pulling it together

10.5 Summary

11 Authorization for APIs

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary

12 Authorization context

12.1 Policy Information Points (PIPs)

12.2 Entities: principals and resources

12.3 Signals and their delivery

12.3.1 What the signals are

12.3.2 How signals are delivered

12.3.3 ACME’s delivery choices

12.4 Freshness, caching, and revocation

12.4.1 The freshness spectrum

12.4.2 Caching strategies

12.4.3 Revocation and signal updates

12.4.4 ACME’s approach to freshness

12.5 Transmission and integrity of signals

12.5.1 How signals move

12.5.2 Protecting signals in transit

12.5.3 Limiting signal scope

12.6 Authorization context normalization

12.6.1 The normalization layer

12.6.2 Benefits of normalization

12.6.3 Extending SSF inside the organization

12.6.4 The broader lesson

12.7 Putting it all together

12.8 Summary

13 Using policy engines with existing systems

13.1 From internal tool to external service: ACME’s next chapter

13.2 Understanding the starting point

13.3 Identity and tenancy foundation for C³

13.3.1 From project IDs to tenants

13.3.2 Unified customer identity via OIDC

13.3.3 Device posture for ACME employees

13.4 Designing for externalized authorization

13.4.1 Platform and tenant PDPs

13.4.2 Deployment options for tenant PDPs

13.4.3 Authorization flow request

13.5 Policy enforcement points in the stack

13.5.1 Global enforcement: the ACME Gateway

13.5.2 Tenant-level enforcement: collaboration services

13.5.3 UI and client-side enforcement

13.5.4 Consistency through shared components

13.5.5 Operational trade-offs

13.5.6 Three layers of policy

13.5.7 Shared schema and type safety

13.5.8 Policy lifecycle and distribution

13.5.9 Governance and safety

13.5.10 Benefits of the layered model

13.6 Case studies inside ACME

13.6.1 Case 1: Cross-tenant legal review

13.6.2 Case 2: Support escalation

13.6.3 Case 3: Custom collaboration template

13.6.4 Case 4: Automated backup verification

13.6.5 Lessons from the pilots

13.7 Putting lessons into practice

13.7.1 Key insights

13.7.2 Integration checklist

13.7.3 Looking ahead

13.8 Summary

14 Policy governance

14.1 Why governance matters for authorization

14.2 The policy management lifecycle

14.2.1 Create

14.2.2 Review and approve

14.2.3 Deploy and use

14.2.4 Monitor

14.2.5 Update

14.2.6 Retire

14.3 Governance frameworks for policy management

14.3.1 The structure of governance

14.3.2 Roles and responsibilities

14.4 Identity Governance and Administration (IGA) and policy governance

14.5 Regulatory compliance and authorization

14.6 Best practices for policy governance

14.6.1 Establish clear ownership and accountability

14.6.2 Use shared templates and metadata

14.6.3 Integrate governance into existing workflows

14.6.4 Close the feedback loop

14.6.5 Align with identity governance

14.6.6 Measure and iterate

14.7 Governance as the foundation of trust

14.8 Summary

15 Security, zero trust, and authorization

16 Using verifiable credentials for authorization

17 AI in policy and authorization practice

18 Authorization in agentic AI

19 Conclusion

Appendix

Appendix A: End-to-end example with Amazon Verified Permissions

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example

Overview

1 Why authorization matters: Securing access in a digital world

Modern systems rely on more than identifying who is at the door—they must decide what each entity can do once inside. This chapter argues that authorization is both a security safeguard and a product enabler, contrasting it with authentication and grounding the stakes in real-world failures like the Target breach, where weak boundaries and poor governance amplified a minor compromise into major loss. It reframes digital identity as the capability to recognize, remember, and relate entities, and elevates authorization as the “what” within those relationships, essential for multi-tenant cloud services and collaborative apps where selective, contextual sharing is fundamental.

Static methods such as file permissions, ACLs, and RBAC falter under today’s scale and complexity: they don’t handle dynamic context, spur role and list sprawl, are inefficient in distributed, multi-tenant environments, impede audits and compliance, and often result in over-permissioning. The chapter presents dynamic authorization as the remedy—making fine-grained, context-aware decisions at runtime—enabling zero trust’s per-request checks, just-in-time elevation, and nuanced cross-organization access. It introduces two complementary paradigms: Policy as Code (expressive, testable, versioned rules enforced by a general policy engine) and Policy as Data (relationship- or attribute-driven stores queried at decision time). Used together, they deliver scalability, flexibility, security, and transparency.

Beyond risk reduction, the chapter builds a business case: dynamic authorization lowers administrative overhead and access tickets, accelerates onboarding and offboarding, streamlines audits, and unlocks product agility—powering granular sharing, delegated access, and flexible pricing or feature tiers without hardcoded logic. It is increasingly vital across SaaS, zero trust initiatives, IoT ecosystems, evolving regulations, and AI applications that must honor entitlements. Treating authorization as a strategic capability—separating policy from app code and managing it like software and data—turns access control from a liability into a competitive advantage.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero-trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What’s the difference between authentication and authorization, and why do both matter?

Authentication proves who is making a request; authorization decides what that principal is allowed to do. Breaches often start with an authn failure (stolen credentials) but become catastrophic when weak authz lets attackers move or escalate. Secure systems need both strong identity proofing and precise, enforced access boundaries.

Why do traditional approaches like ACLs and RBAC fall short today?

Static lists and roles don’t scale to multi-tenant, distributed, context-rich environments. They’re hard to maintain, inflexible to context (time, device, location), opaque to audit, and prone to over-permissioning and role proliferation. As organizations grow and requirements change, this leads to inconsistent, risky access decisions.

What is dynamic authorization and how does PBAC work?

Dynamic authorization evaluates requests in real time using policies, rather than relying on pre-baked permissions. In Policy-Based Access Control (PBAC), a policy engine evaluates machine-readable rules against attributes of the principal, action, resource, and context, enabling fine-grained, auditable, and consistent decisions at scale.

What’s the difference between Policy as Code and Policy as Data?

Policy as Code represents rules as versioned, testable text (using a policy language), enabling CI/CD, reviews, and automated testing. Policy as Data represents access through stored relationships/attributes (e.g., owners, editors, folder hierarchies) that the engine queries at runtime. Most real systems use both: code for broad, reusable rules and data for per-resource relationships.

How does dynamic authorization enable zero trust security models?

Zero trust “assumes breach” and authorizes every request, not just session entry. PBAC evaluates contextual signals (device posture, location, time, risk, approvals) on each call, supports just-in-time access, and scales performance to keep user experience fast while enforcing least privilege continuously.

How does dynamic authorization support SaaS and multi-tenancy?

SaaS platforms must isolate tenant data while honoring diverse, tenant-specific rules. By externalizing access logic into policies, providers can offer flexible, fine-grained controls (often surfaced via UI or APIs), reduce custom code, and safely scale to millions of users and resources—like AWS’s policy-driven model or sharing features in collaboration apps.

What business benefits can organizations expect from dynamic authorization?

Lower admin overhead, fewer access-related support tickets, and faster onboarding/offboarding. Improved agility to launch products, enter regions, or enable partners with minimal code changes. Better customer experiences (personalized, shareable, tiered features) and stronger compliance—leading to competitive differentiation.

How does dynamic authorization improve auditability and regulatory compliance?

Policies are reviewable, versioned, and testable; decisions are logged for evidence. PBAC enforces least privilege and can incorporate contextual constraints (e.g., shift status, department, consent) to meet HIPAA, SOX, and GDPR. When regulations change, updating policies is faster and safer than refactoring hardcoded logic.

How does dynamic authorization apply to IoT and AI use cases?

IoT devices need context-aware, runtime decisions to limit blast radius and operate autonomously at the edge. AI apps (e.g., RAG) must ensure users only receive answers derived from data they’re entitled to see, and AI agents need explicit delegated permissions. Dynamic policies make these controls precise and enforceable.

How should an organization get started with dynamic authorization?

Map “who can do what on which resources” and centralize policy decisions. Decouple authz from application code, choose a policy engine, and integrate with identity and attribute stores. Pilot high-impact scenarios (e.g., privileged access, data sharing), add comprehensive logging, and iterate with tests and reviews through CI/CD.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $36.39

you save $19.60 (35%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $36.39

you save $19.60 (35%)

eBook

pdf, ePub, online

$55.99 $36.39

you save $19.60 (35%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more