Authorization and permission models are where authenticated identity turns into actual capability. This chapter breaks access decisions down into their core parts, then walks through the main model families that organizations use in enterprise apps, cloud platforms, internal tools, and customer-facing products.
Read the chapter in order. The first lesson establishes the primitives of authorization: subject, action, resource, scope, and context. The second covers RBAC because it is still the most familiar model in many organizations. The third explains ABAC and why attribute quality is the hidden success factor. The fourth covers centralized policy and rule-based decisions, where hybrid models often emerge. The fifth covers resource-based permissions and delegation, which are common in document sharing, project ownership, and object-level product authorization.
Later chapters on groups, privileged access, cloud IAM, APIs, and tenant isolation all depend on the distinctions introduced here. If access control still feels like “users and roles,” Chapter 5 is where that model becomes much more precise.