Overview

1 Why authorization matters: Securing access in a digital world

This chapter introduces why authorization—deciding what an authenticated entity can do—has become a strategic necessity in today’s digital landscape. It contrasts authentication (who) with authorization (what), using the Target breach to show how weak boundaries, poor visibility, and slow response can turn a minor compromise into a crisis. Beyond security, it highlights that modern cloud and collaborative products fundamentally depend on fine-grained authorization to enable sharing, delegation, and multi-tenant isolation, and notes the industry shift from identity-centric IAM to access management aligned with zero trust principles.

The text critiques traditional static methods (Unix permissions, ACLs, RBAC) for failing at scale, context, maintainability, efficiency, auditability, and consistency—especially in distributed, multi-tenant, or regulated environments. It presents dynamic, policy-based access control (PBAC) as the remedy, decoupling access logic from application code and evaluating decisions at runtime with rich context (time, device posture, location, risk, approvals). Two complementary representations are introduced: Policy as Code (versioned, testable, reusable rules enforced by a policy engine) and Policy as Data (dynamic, relationship- or attribute-driven entries stored and queried at runtime). Used together, they deliver scalable, flexible, auditable, and secure authorization.

Finally, the chapter builds the business case: dynamic authorization reduces administrative overhead and support tickets, streamlines onboarding/offboarding, and lowers risk; increases agility for new products, partnerships, and regulatory changes; improves customer experiences like secure sharing, granular tenant controls, and tiered features; and strengthens compliance and least-privilege enforcement with clear audit trails. With SaaS proliferation, zero trust adoption, IoT growth, intensifying regulations, and AI-enabled agents, dynamic authorization becomes a competitive differentiator and a strategic imperative for secure, scalable digital operations.

A relationship graph representing access to a Google document. Rather than use static ACLs, this model captures roles (like Owner, Editor, Viewer) as first-class relationships between users and resources. The graph also models hierarchical relationships (such as parent folders), enabling more flexible, general-purpose authorization logic that can be queried and evaluated dynamically.

As an organization grows, the number of access policies tends to increase faster than linearly. Though a small organization might manage with a simple, flat set of policies, larger organizations face compounding complexity due to team structures, regional compliance, and overlapping responsibilities, leading to superlinear policy growth.
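To make the two representations concrete, the following added example (not code from the book) combines Policy as Data, the relationship graph above expressed as (subject, relation, object) tuples with Owner/Editor/Viewer roles and a parent-folder link, with Policy as Code, a runtime rule that consults request context (device posture). The tuples, user names and the `device_managed` attribute are constructed for illustration.

```python
# Added example: minimal relationship-based authorization with a context rule.
# Policy as Data: constructed relationship tuples mirroring the document graph.
# Roles are first-class relationships; "parent" links give the folder hierarchy.
RELATIONS = {
    ("alice", "owner", "doc:q3-plan"),
    ("bob", "editor", "folder:finance"),      # role granted on the folder
    ("carol", "viewer", "doc:q3-plan"),
    ("doc:q3-plan", "parent", "folder:finance"),  # doc lives in the folder
}

# Owner implies Editor implies Viewer; each action names its minimum role.
ROLE_RANK = {"viewer": 1, "editor": 2, "owner": 3}
ACTION_MIN_ROLE = {"read": "viewer", "write": "editor", "share": "owner"}


def role_on(subject, obj, seen=None):
    """Highest role rank subject holds on obj, inherited through parent links.

    Walks the graph at decision time (policy as data); the seen-set guards
    against cycles in a malformed hierarchy so evaluation always terminates.
    """
    if seen is None:
        seen = set()
    if obj in seen:
        return 0
    seen.add(obj)
    best = max((ROLE_RANK[r] for s, r, o in RELATIONS
                if s == subject and o == obj and r in ROLE_RANK), default=0)
    for s, r, o in RELATIONS:          # inherit roles granted on ancestors
        if s == obj and r == "parent":
            best = max(best, role_on(subject, o, seen))
    return best


def decide(subject, action, obj, ctx):
    """Policy as Code: global rules evaluated at runtime with request context.

    Returns (allowed, reason); the reason is what a decision log would record
    so auditors can answer "who accessed what, and why was it allowed".
    """
    # Hypothetical context rule: an unmanaged device may only read.
    if ctx.get("device_managed") is False and action != "read":
        return False, "unmanaged device may only read"
    need = ROLE_RANK[ACTION_MIN_ROLE[action]]
    have = role_on(subject, obj)
    if have < need:
        return False, f"{subject} lacks {ACTION_MIN_ROLE[action]} on {obj}"
    return True, f"{subject} holds rank {have} on {obj}"
```

Bob can write the document because his Editor role on the parent folder is inherited; the same request from an unmanaged device is denied by the code rule before the graph is consulted.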

Summary

  • Poor access control can lead to severe security breaches, as seen in the Target breach, where attackers exploited weak authorization to access sensitive systems.
  • Authorization is not just about security; it also enables key features in modern cloud applications, such as document sharing and multi-tenant access control.
  • Traditional authorization methods like ACLs and RBAC are static and struggle with scalability, flexibility, maintainability, efficiency, auditability, and security.
  • Dynamic authorization overcomes these challenges by using policies to make real-time, context-aware access decisions.
  • Policy-based access control (PBAC) enables fine-grained authorization by externalizing access control logic, making it dynamic and adaptable to changing conditions.
  • The shift toward zero trust security models, SaaS applications, IoT, regulatory compliance, and AI-driven applications demands more flexible and scalable access control, making dynamic authorization essential.
  • Policies can be represented as code or data, enabling both structured rule enforcement and flexible, real-time access adjustments.
  • Treating policy as code allows version control, testing, and automation, while policy as data supports fine-grained, user-defined access controls.
  • Organizations adopting dynamic authorization benefit from reduced operational costs, improved agility, enhanced security, and better customer experiences.
  • Businesses can use dynamic authorization as a competitive advantage, enabling new product capabilities, faster compliance adaptation, and stronger security.
  • Authorization is a strategic investment, not just a security measure—organizations that adopt policy-based access control gain efficiency, scalability, and security.

FAQ

What’s the difference between authentication and authorization, and why do both matter?
Authentication verifies who is making a request; authorization controls what that authenticated entity is allowed to do. Strong authentication without strong authorization still leaves critical systems exposed. The Target breach shows this clearly: attackers authenticated as a vendor but then accessed systems far beyond the vendor’s legitimate scope because authorization boundaries were weak.

What went wrong in the 2013 Target breach from an authorization standpoint?
The attackers used stolen vendor credentials to enter Target’s network and then moved laterally to point-of-sale systems. Weak authorization boundaries, poor visibility into who could access what, and slow response to alerts turned a limited compromise into a massive breach. Properly scoped, least-privilege access and dynamic controls could have contained the blast radius.

Why are static models like ACLs, groups, and basic RBAC insufficient today?
They don’t scale well, struggle to adapt to changing context, are costly to maintain, and are hard to audit. Over time they lead to permission sprawl and inconsistent enforcement, especially in multi-tenant, distributed environments. Modern systems need fine-grained, context-aware, and auditable decisions made at runtime.

What is dynamic authorization and how does PBAC work?
Dynamic authorization evaluates access decisions at runtime using policies, rather than relying on pre-baked permissions or code. Policy-Based Access Control (PBAC) decouples access logic from applications and uses a policy engine to allow or deny requests. This enables fine-grained, context-aware, and consistent enforcement across services.

How do Policy as Code and Policy as Data differ, and when should I use each?
Policy as Code expresses general rules in a programmable, version-controlled form and is great for broad, reusable, context-aware policies. Policy as Data stores relationships and attributes (like document owners, editors, and folder hierarchies) that vary per resource and are set via UIs or APIs. Most real systems benefit from both: code for global rules and data for dynamic, per-entity relationships.

How does dynamic authorization enable zero trust security models?
Zero trust assumes breach and authorizes every request, not just the initial login. PBAC evaluates context (device posture, time, location, risk signals, role, consent) at runtime to allow or deny actions. This fine-grained, performant decisioning is essential to enforcing least privilege continuously.

What business benefits does dynamic authorization provide?
It reduces operational costs by automating access decisions, cutting manual permissions work, and lowering support tickets. It improves agility by enabling rapid policy changes for new products, partners, and regulations. It also enhances customer experience, strengthens compliance, and creates competitive differentiation through flexible, secure features.

How does dynamic authorization support SaaS and multi-tenant architectures?
SaaS requires strict tenant isolation plus granular, tenant-specific rules for different users and roles. Externalizing access logic into policies lets vendors scale securely, adapt to diverse customer requirements, and expose safe self-service controls. This avoids hardcoding and enables consistent enforcement across services.

How does dynamic authorization help with regulatory compliance (e.g., GDPR, HIPAA, SOX)?
Policies can encode least privilege, purpose limitations, consent, time-bound access, and separation of duties. Centralized policy and decision logs make auditing “who accessed what and why” practical. When regulations change, updating policies is faster and safer than rewriting application code or manually fixing lists.

What’s changing with AI and IoT that makes authorization more important?
AI agents and RAG-based apps must restrict outputs to data a user is entitled to see, requiring fine-grained, context-aware policy checks. IoT devices operate at the edge and can become attack vectors; dynamic authorization limits their permissions and reacts to real-time conditions. Both domains demand runtime decisions that static models can’t handle reliably or at scale.
