Dynamic Authorization you own this product

Adaptive access control

Phil Windley

MEAP began September 2025
Last updated March 2026
Publication in Summer 2026 (estimated)

ISBN 9781633435179
400 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development

resources: Book forum

table of content

1 Why authorization matters: Securing access in a digital world

1.1 Managing relationships through digital identity

1.2 Challenges with traditional approaches to authorization

1.2.1 Scalability

1.2.2 Flexibility

1.2.3 Maintainability

1.2.4 Inefficiency

1.2.5 Auditability

1.2.6 Security

1.2.7 Consistency and transparency

1.2.8 Dynamic authorization addresses these challenges

1.3 Authorization matters

1.3.1 Software as a Service

1.3.2 Zero trust security models

1.3.3 The Internet of Things

1.3.4 Heightened regulatory environment

1.3.5 Artificial intelligence

1.4 Dynamic authorization: Policy as Code and Policy as Data

1.4.1 Policy as Code: Defining access logic in a programmable way

1.4.2 Policy as Data: Storing and managing access rules dynamically

1.4.3 Dynamic authorization needs both

1.5 The business case for dynamic authorization

1.5.1 Reducing operational costs

1.5.2 Enabling business agility and innovation

1.5.3 Improving customer experience

1.5.4 Strengthening security and compliance

1.5.5 Competitive differentiation

1.5.6 A business necessity

1.6 The strategic imperative of dynamic authorization

1.7 Summary

2 Understanding digital identity

2.1 What is digital identity?

2.2 The problems of digital identity

2.2.1 The proximity problem

2.2.2 The interoperability problem

2.2.3 The flexibility problem

2.2.4 The privacy problem

2.2.5 The consent problem

2.2.6 The scale problem

2.2.7 How identity problems affect authorization

2.3 Identity and digital relationships

2.3.1 Types of digital relationships

2.3.2 Digital relationship properties

2.4 Naming and discovery

2.4.1 The role of names in digital identity

2.4.2 Tradeoffs in identity naming

2.4.3 Namespaces and their role in identity

2.5 Identity system models

2.5.1 Centralized identity: single authority, high control

2.5.2 Federated identity: the backbone of modern identity systems

2.5.3 Decentralized identity: shifting control to users

2.6 Trust and confidence

2.6.1 The difference between trust and confidence

2.6.2 Trust and confidence in digital relationships

2.6.3 Technical confidence in identity systems

2.6.4 The limits of technical confidence

2.7 Privacy, authenticity, and confidentiality

2.7.1 Distinguishing privacy from confidentiality

2.7.2 Managing tradeoffs

2.7.3 Functional privacy

2.8 From identity to authentication

2.9 Summary

3 Authentication: Who are you?

3.1 Terminology

3.2 Authentication preserves relationship integrity

3.3 Digital relationship lifecycles

3.3.1 Enrollment (discover and co-create)

3.3.2 Propagate

3.3.3 Use

3.3.4 Update

3.3.5 Terminate

3.4 Enrollment

3.4.1 Self-service vs. admin-driven enrollment

3.4.2 Identity proofing and assurance

3.4.3 Relationship context and boundaries

3.4.4 Risk-based boundaries, attribute lifetimes, and re-proofing

3.4.5 The role of credentials and authentication factors

3.5 Authentication factors

3.5.1 Primary factors

3.5.2 Contextual factors

3.5.3 Authentication factors

3.6 Authentication methods

3.6.1 Identifier-only

3.6.2 Token-based

3.6.3 Identifier with authentication factors

3.6.4 Challenge-response

3.7 Attack models for authentication

3.7.1 Authentication assurance levels

3.7.2 Authentication strength and usability

3.8 Connecting authentication and authorization

3.8.1 Identity as context

3.8.2 Looking ahead

3.9 Summary

4 Authorization: What can you do?

4.1 Authorization deserves its own focus

4.2 From relationships to access control

4.3 Speaking authorization: key concepts and terms

4.3.1 The PARC model

4.3.2 Understanding the language of access

4.4 Authorization reference architecture

4.4.1 How access decisions are made

4.4.2 Where policies come from

4.5 Architecture patterns in practice

4.5.1 Embedded PEPs in applications and gateways

4.5.2 Centralized PDPs

4.5.3 Distributing authorization decisions

4.5.4 Choosing the right pattern

4.5.5 Why this separation matters

4.6 From architecture to models

4.7 Summary

5 Static authorization models

5.1 Access Control Lists (ACL)

5.1.1 How ACLs work

5.1.2 Mapping ACLs onto the authorization reference architecture

5.1.3 Strengths and limitations of ACLs

5.1.4 Where ACLs still make sense

5.1.5 When ACLs fall short

5.2 Role-Based Access Control (RBAC)

5.2.1 How RBAC works

5.2.2 Mapping RBAC onto the authorization reference architecture

5.2.3 Strengths and limitations of RBAC

5.2.4 Where RBAC still makes sense

5.2.5 Where RBAC falls short

5.3 Beyond static authorization

5.4 Summary

6 Dynamic authorization models

6.1 Relationship-based access control

6.1.1 How ReBAC works

6.1.2 Mapping ReBAC onto the authorization reference architecture

6.1.3 Strengths and limitations of ReBAC

6.1.4 Where ReBAC makes sense

6.1.5 When ReBAC falls short

6.2 Attribute-based access control

6.2.1 How ABAC works

6.2.2 Mapping ABAC onto the authorization reference architecture

6.2.3 Strengths and limitations of ABAC

6.2.4 Where ABAC makes sense

6.2.5 When ABAC falls short

6.3 A hybrid approach: Policy-based access control

6.3.1 Policy as data

6.3.2 Policy as code

6.3.3 Beyond one-size-fits-all

6.4 Summary

7 The building blocks of policy

7.1 Introducing Cedar

7.2 Policy structure: effect, scope, and conditions

7.2.1 Effect: what the policy does

7.2.2 Scope: when the policy applies

7.2.3 Conditions: under what circumstances

7.2.4 Putting it together

7.3 The PARC model: understanding policy evaluation

7.3.1 Cedar’s representation of PARC

7.3.2 Evaluating policies

7.3.3 Combining results from multiple policies

7.3.4 PARC as the bridge

7.4 Cedar’s unique design

7.4.1 Strong data types

7.4.2 Rich entity model

7.4.3 Clear namespace and type safety

7.4.4 What Cedar doesn’t include

7.4.5 Minimal operators with maximum impact

7.4.6 Safe and analyzable by design

7.4.7 Clean, simple, and powerful

7.5 Cedar’s distinctive strengths

7.6 Summary

8 Policy languages and frameworks

8.1 XACML: the first policy language standard

8.1.1 A XACML simple example

8.1.2 Applying the PARC model to XACML

8.1.3 Legacy and lessons

8.2 OPA and Rego: Policy for cloud-native systems

8.2.1 Rego policies example

8.2.2 Comparing Rego with Cedar

8.2.3 Applying the PARC model to OPA and Rego

8.2.4 Strengths and limitations

8.3 OpenFGA

8.3.1 How OpenFGA works

8.3.2 Document access example

8.3.3 Applying the PARC Model to OpenFGA

8.4 AWS IAM

8.4.1 How IAM works

8.4.2 Example: Confidential Document Access

8.4.3 Applying the PARC model to AWS IAM

8.5 Comparing policy languages

8.5.1 XACML

8.5.2 OPA/Rego

8.5.3 OpenFGA

8.5.4 AWS IAM

8.5.5 Cedar

8.5.6 From strengths to selection

8.6 Summary

9 Implementing policies with Cedar

9.1 From primer to practice

9.2 Modeling your schema first

9.2.1 ACME’s core entities and actions

9.2.2 How schema shapes policies

9.2.3 Updating schema as your system evolves

9.3 Authoring ACME’s core policies

9.3.1 Permit view if on the right team

9.3.2 Owner can do all

9.3.3 Manager of owner can view and edit

9.4 Where does Cedar find data about entities?

9.5 Applying Cedar’s policy patterns

9.5.1 Discretionary permissions

9.5.2 Membership permissions

9.5.3 Relationship permissions

9.5.4 Mixing patterns for PBAC

9.6 Layering global constraints

9.7 Using policy templates and overrides

9.7.1 Templates

9.7.2 Overrides

9.8 Mapping requests to Cedar evaluations

9.9 From concept to policy

9.10 Summary

10 Policy as code: Effective authorization policies

10.1 Principles of effective authorization policies

10.1.1 Clarity and consistency

10.1.2 Least privilege

10.1.3 Separation of policy and data

10.1.4 Granularity and grouping

10.1.5 Stability across change

10.1.6 From principles to practice

10.2 Policy as code in practice

10.2.1 Schemas and validation

10.2.2 Versioning and review

10.2.3 Operational considerations

10.2.4 Continuous integration for policies

10.3 Testing policies effectively

10.4 Pulling it together

10.5 Summary

11 Authorization for APIs

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary

12 Authorization context

12.1 Policy Information Points (PIPs)

12.2 Entities: principals and resources

12.3 Signals and their delivery

12.3.1 What the signals are

12.3.2 How signals are delivered

12.3.3 ACME’s delivery choices

12.4 Freshness, caching, and revocation

12.4.1 The freshness spectrum

12.4.2 Caching strategies

12.4.3 Revocation and signal updates

12.4.4 ACME’s approach to freshness

12.5 Transmission and integrity of signals

12.5.1 How signals move

12.5.2 Protecting signals in transit

12.5.3 Limiting signal scope

12.6 Authorization context normalization

12.6.1 The normalization layer

12.6.2 Benefits of normalization

12.6.3 Extending SSF inside the organization

12.6.4 The broader lesson

12.7 Putting it all together

12.8 Summary

13 Using policy engines with existing systems

13.1 From internal tool to external service: ACME’s next chapter

13.2 Understanding the starting point

13.3 Identity and tenancy foundation for C³

13.3.1 From project IDs to tenants

13.3.2 Unified customer identity via OIDC

13.3.3 Device posture for ACME employees

13.4 Designing for externalized authorization

13.4.1 Platform and tenant PDPs

13.4.2 Deployment options for tenant PDPs

13.4.3 Authorization flow request

13.5 Policy enforcement points in the stack

13.5.1 Global enforcement: the ACME Gateway

13.5.2 Tenant-level enforcement: collaboration services

13.5.3 UI and client-side enforcement

13.5.4 Consistency through shared components

13.5.5 Operational trade-offs

13.5.6 Three layers of policy

13.5.7 Shared schema and type safety

13.5.8 Policy lifecycle and distribution

13.5.9 Governance and safety

13.5.10 Benefits of the layered model

13.6 Case studies inside ACME

13.6.1 Case 1: Cross-tenant legal review

13.6.2 Case 2: Support escalation

13.6.3 Case 3: Custom collaboration template

13.6.4 Case 4: Automated backup verification

13.6.5 Lessons from the pilots

13.7 Putting lessons into practice

13.7.1 Key insights

13.7.2 Integration checklist

13.7.3 Looking ahead

13.8 Summary

14 Policy governance

14.1 Why governance matters for authorization

14.2 The policy management lifecycle

14.2.1 Create

14.2.2 Review and approve

14.2.3 Deploy and use

14.2.4 Monitor

14.2.5 Update

14.2.6 Retire

14.3 Governance frameworks for policy management

14.3.1 The structure of governance

14.3.2 Roles and responsibilities

14.4 Identity Governance and Administration (IGA) and policy governance

14.5 Regulatory compliance and authorization

14.6 Best practices for policy governance

14.6.1 Establish clear ownership and accountability

14.6.2 Use shared templates and metadata

14.6.3 Integrate governance into existing workflows

14.6.4 Close the feedback loop

14.6.5 Align with identity governance

14.6.6 Measure and iterate

14.7 Governance as the foundation of trust

14.8 Summary

15 Security, zero trust, and authorization

15.1 Rethinking security for the Zero Trust era

15.2 Authorization is the foundation of Zero Trust

15.3 Policies for zero trust

15.3.1 Foundational security policies

15.3.2 Shared operational policies

15.3.3 Application policies

15.3.4 Putting the layers together

15.4 Using policy to control access

15.5 Measuring progress toward zero trust

15.5.1 Policy coverage

15.5.2 Signal quality

15.5.3 Decision consistency

15.5.4 Reduced perimeter reliance

15.5.5 Decline in authorization exceptions

15.6 Beyond security: the organizational payoff

15.6.1 Better alignment between teams

15.6.2 Improved auditability and incident response

15.6.3 Greater agility for product development

15.6.4 Improved governance and transparency

15.6.5 A more resilient security posture

15.6.6 More reliable access for legitimate users

15.7 The full payoff

15.8 Summary

16 Using verifiable credentials for authorization

16.1 Why authorization needs verifiable credentials

16.2 How verifiable credentials work

16.2.1 Credential presentation

16.2.2 Example: Contractor access using verifiable credentials

16.3 Trusting credential issuers

16.3.1 Example: ACME onboards AuditsRUs as a trusted issuer

16.3.2 Building and maintaining ACME’s trust store

16.4 Credential freshness, revocation, and assurance

16.5 Requesting verifiable credential presentations

16.6 Using verifiable credentials with policies

16.6.1 Allow access only to auditors from accredited firms

16.6.2 Require current certification from an accredited authority

16.7 Protocols and ecosystem integration

16.8 Applying verifiable credentials across ACME’s products

16.8.1 Supplier portal: Representing supplier authority across multi-tier relationships

16.8.2 Clinic integration: Clinicians from external organizations

16.8.3 Field technicians: Employer-issued scope-of-work credentials

16.8.4 Customer Collaboration Cloud (C³): Project-scoped roles in a multi-tenant platform

16.9 Operational and governance considerations

16.9.1 Deciding when to use verifiable credentials

16.9.2 Failure modes and fallback paths

16.9.3 Governance responsibilities

16.9.4 Rolling out verifiable credentials incrementally

16.10 Summary

17 AI in policy practice

18 Authorization in agentic AI

19 Conclusion

Appendix

Appendix A: End-to-end example with Amazon Verified Permissions

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example

Appendix B: Step-by-step AI-assisted policy authoring

B.1 Why AI assistance is useful in policy authoring

B.2 Recap: the ACME policy environment

B.3 Getting set up: the companion repository and Cursor

B.4 Providing the right context to the AI

B.5 A human-in-the-loop authoring workflow

B.6 Steps for modifying a policy set to achieve a specific outcome

B.7 Guardrails and review checklist

B.8 Key takeaways

Overview

1 Why authorization matters: Securing access in a digital world

Authorization sits at the heart of secure and usable digital systems. The chapter opens with the 2013 Target breach to illustrate how weak authorization boundaries—distinct from authentication—can turn a minor compromise into a major incident. Beyond security, authorization enables core product capabilities in modern cloud applications: sharing and collaboration in services like document platforms, multi-tenant isolation and control in hyperscale clouds, and fine-grained feature access. Framed within digital identity’s purpose to recognize, remember, and relate entities, the chapter positions authorization as the mechanism that determines “what” an authenticated principal may do, and argues it must be treated as an architectural concern rather than ad hoc code.

Traditional static methods—permissions, groups, roles, and ACLs—struggle with scale, context, and change: they are hard to maintain, inflexible in dynamic scenarios, opaque to audit, and prone to over-permissioning. Dynamic, policy-based authorization (PBAC) addresses these gaps by externalizing access logic, enabling consistent, fine-grained, context-aware decisions at runtime and supporting zero trust practices. The chapter introduces two complementary representations: Policy as Code (machine-readable, testable, and versioned rules evaluated by a general-purpose engine) and Policy as Data (structured relationships and attributes, such as ownership and sharing graphs, evaluated dynamically). Used together, they combine broad, reusable rules with rich, evolving relationship data to deliver scalable, auditable control across SaaS, IoT, regulated workloads, and AI-assisted applications.

Treating authorization as a first-class architectural element yields tangible business outcomes. Dynamic authorization reduces operational costs (fewer manual changes, cleaner onboarding/offboarding, lower support burden), improves agility (rapid policy changes instead of code rewrites), enhances customer experience (personalized, delegated, and tiered access), and strengthens security and compliance (least privilege, continuous evaluation, and clearer auditability). The chapter concludes by framing dynamic authorization as a strategic imperative for multi-tenant, distributed, and AI-enabled systems, previewing the book’s exploration of models, languages, enforcement patterns, and governance needed to build flexible, testable, and business-aligned authorization at scale.

Embedding access logic throughout application code (left) creates tight coupling. Externalizing authorization into a separate component (right) makes access policies explicit, decouples decision-making from application behavior, and enables scalable, auditable access control.

Dynamic authorization can represent policy in two complementary ways. On the left, Policy as Code stores machine-readable policies in a repository that the access logic evaluates at runtime. On the right, Policy as Data stores relationships and attributes in a structured data store that the same access logic uses to determine decisions. Both approaches externalize policy from the application while supporting different kinds of flexibility.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.

Summary

Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
The shift toward zero-trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What’s the difference between authentication and authorization?

Authentication verifies who is making a request; authorization decides what that entity is allowed to do. In digital identity terms: systems recognize (authentication), remember (accounts), and relate/react (authorization) to entities.

What did the Target 2013 breach reveal about authorization failures?

Attackers used a vendor’s phished credentials and moved beyond intended access due to weak boundaries. Limited vendor access wasn’t sufficiently constrained, alerts weren’t acted on, and least privilege and segmentation were missing—turning a small foothold into a major breach.

Why do traditional models like ACLs and RBAC break down at scale?

They’re static. As users, resources, and contexts grow, lists and roles proliferate, become hard to maintain, don’t adapt to context (time, device, location), are difficult to audit, and often leave excess permissions that harm security and consistency.

What is dynamic, policy-based authorization (PBAC)?

PBAC externalizes access logic into policies evaluated at runtime by a policy engine. It uses attributes and context to make fine-grained, consistent, and auditable decisions, decoupling authorization from application code for flexibility and scale.

How do Policy as Code and Policy as Data differ, and when should I use each?

Policy as Code expresses rules as versioned, testable text—great for broad, reusable constraints (e.g., device posture, risk, departments). Policy as Data stores relationships and attributes (e.g., who can edit a document) for per-resource decisions. Many systems combine both: rules that query live relationship/attribute data.

How does dynamic authorization enable zero-trust security?

Zero trust assumes breach and evaluates every request, not just session start. PBAC enforces least privilege and just-in-time access using contextual signals (identity, device, time, location, risk) with high performance and consistency.

Why is dynamic authorization essential for SaaS and multi-tenant apps?

Multi-tenancy demands strict tenant isolation plus diverse, fine-grained intra-tenant rules. PBAC lets providers encode complex, per-tenant access without hardcoding, scale to millions of users, and expose safe admin controls or customer-managed policies.

How does dynamic authorization improve auditability and compliance?

Policies are explicit and version-controlled, and decisions are logged, making “who can access what” answerable. Updating rules for evolving regulations (e.g., HIPAA, SOX, GDPR, consent) becomes a policy change instead of brittle code or list rewrites.

What are the business benefits of investing in dynamic authorization?

Lower admin overhead and fewer access tickets; faster onboarding/offboarding; agility to launch products and partnerships; better customer experiences and monetization; stronger security posture and reduced compliance risk—often a competitive differentiator.

How do IoT and AI agents change authorization requirements?

Devices and agents act autonomously and at the edge, requiring context- and risk-aware, delegated access with clear consent and guardrails. PBAC supports real-time, fine-grained decisions for heterogeneous environments and AI use cases like RAG without leaking sensitive data.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$55.99 $33.59

you save $22.40 (40%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$55.99 $33.59

you save $22.40 (40%)

eBook

pdf, ePub, online

$55.99 $33.59

you save $22.40 (40%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more