Authorization model

An authorization model defines how systems decide what actions users or processes are allowed to perform. Common types include RBAC, ABAC, and PBAC, each offering different levels of flexibility and control.

An authorization model defines the rules and structure by which a system determines what actions a user, process, or device is allowed to perform. It goes beyond authentication (verifying identity) by answering the question: “What is this entity permitted to do?”

Authorization models ensure secure and controlled access to resources like files, APIs, databases, or application features. They are a cornerstone of information security and compliance.

Key Types of Authorization Models

  • Role-Based Access Control (RBAC)
    Access is granted based on predefined roles (e.g., Admin, Editor, Viewer). Users inherit permissions from their assigned roles.
    Example: In a CMS, only an Admin can delete articles, while an Editor can create and update content.

  • Attribute-Based Access Control (ABAC)
    Decisions are based on attributes of the user, resource, and environment (e.g., department, time of day, sensitivity level).
    Example: A finance report can only be accessed by users with the attribute department=Finance during working hours.

  • Policy-Based Access Control (PBAC)
    Access is managed via high-level policies written in a formal language. PBAC can include both roles and attributes, enabling fine-grained control.
    Example: “Managers can approve expenses up to $5000; higher amounts require Director approval.”

  • Discretionary Access Control (DAC)
    Resource owners decide who can access their resources.
    Example: A user sharing a private Google Doc with specific email addresses.

  • Mandatory Access Control (MAC)
    Access is determined by the system, often using security classifications.
    Example: Military systems where documents are labeled Confidential, Secret, or Top Secret.


Example in Practice

RBAC (simplified PHP example)

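<?php
// Role assigned to the current user (hard-coded for this simplified example).
$userRole = "editor";

// Only the admin role carries the delete permission.
function canDeleteArticle($role) {
    return $role === "admin";
}

// Check the permission before performing the action.
if (canDeleteArticle($userRole)) {
    echo "Article deleted";
} else {
    echo "Permission denied";
}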

Here, only users with the admin role have delete permissions.
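
The ABAC and PBAC examples from the list above, evaluated by one deny-by-default policy check (an added example, not part of the original page). The policy shape, action names, attribute keys, the 09:00-17:00 working-hours window, and the rule that a Director may approve any positive amount are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical policy set: each entry names one action and a condition over the
// subject (user), the resource and the environment. Missing attributes never match.
$policies = [
    // ABAC: finance report readable only by department=Finance during working hours.
    ['action' => 'report.read', 'when' => fn(array $s, array $r, array $e): bool =>
        ($r['type'] ?? null) === 'finance_report'
        && ($s['department'] ?? null) === 'Finance'
        && ($e['hour'] ?? -1) >= 9 && ($e['hour'] ?? -1) < 17],
    // PBAC: managers can approve expenses up to $5000.
    ['action' => 'expense.approve', 'when' => fn(array $s, array $r, array $e): bool =>
        ($s['role'] ?? null) === 'manager'
        && ($r['amount'] ?? 0) > 0 && ($r['amount'] ?? 0) <= 5000],
    // PBAC: higher amounts require a director (assumed: any positive amount).
    ['action' => 'expense.approve', 'when' => fn(array $s, array $r, array $e): bool =>
        ($s['role'] ?? null) === 'director' && ($r['amount'] ?? 0) > 0],
];

// Default deny: access is granted only when a policy for this action matches.
function isAllowed(array $policies, string $action, array $subject, array $resource, array $env): bool
{
    foreach ($policies as $policy) {
        if ($policy['action'] === $action && $policy['when']($subject, $resource, $env)) {
            return true;
        }
    }
    return false; // unknown action, unknown role or missing attribute
}

// Constructed sample requests: label, action, subject, resource, environment.
$requests = [
    ['Finance user reads report at 12:00', 'report.read',
        ['department' => 'Finance'], ['type' => 'finance_report'], ['hour' => 12]],
    ['Finance user reads report at 22:00', 'report.read',
        ['department' => 'Finance'], ['type' => 'finance_report'], ['hour' => 22]],
    ['Sales user reads report at 12:00', 'report.read',
        ['department' => 'Sales'], ['type' => 'finance_report'], ['hour' => 12]],
    ['Manager approves 4200', 'expense.approve', ['role' => 'manager'], ['amount' => 4200], []],
    ['Manager approves 7500', 'expense.approve', ['role' => 'manager'], ['amount' => 7500], []],
    ['Director approves 7500', 'expense.approve', ['role' => 'director'], ['amount' => 7500], []],
    ['User without role approves 100', 'expense.approve', [], ['amount' => 100], []],
];

foreach ($requests as [$label, $action, $subject, $resource, $env]) {
    $decision = isAllowed($policies, $action, $subject, $resource, $env) ? 'allow' : 'deny';
    printf("%-34s %s\n", $label, $decision);
}
```

Because a request is denied unless a policy explicitly matches, a missing role or attribute fails closed, which limits the misconfiguration risk listed under Challenges.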

Benefits of Authorization Models

  • Security – Prevents unauthorized access to sensitive data.
  • Scalability – Easy to manage permissions in large organizations.
  • Compliance – Supports adherence to legal and regulatory standards (e.g., GDPR, HIPAA).
  • Flexibility – Different models allow fine-grained or broad access control depending on system needs.

Challenges

  • Complexity – Attribute- or policy-based systems can become hard to manage.
  • Overhead – Large-scale systems may require significant infrastructure to evaluate access decisions quickly.
  • Misconfiguration risk – Poorly defined roles or policies can unintentionally grant excessive privileges.

Conclusion

An authorization model defines how permissions are managed and enforced in a system. Whether role-based, attribute-based, or policy-based, choosing the right model is crucial for balancing security, usability, and compliance.