A curated list of information and resources about authorization.
Contributions welcome! Please see the contribution guide.
- Overview
- Authentication vs. Authorization
- Access Control Models
- Security Concerns
- Best Practices
- Useful Articles & Tutorials
- Authz In Practice
- Videos & Talks
- Books
Authorization / Authorisation / Authz - "the process of verifying that a requested action or service is approved for a specific entity" [NIST]
- Authentication - Determines who someone or something is (identity)
- Authorization - Determines what someone or something can do in a system (permissions)
- Understanding Authentication, Authorization, and Encryption
- Role Based Access Control (RBAC)
- Attribute Based Access Control (ABAC)
- Graph Based Access Control (GBAC)
- Relationship Based Access Control (ReBAC)
- Organization Based Access Control (OrBAC)
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Broken access control is #1 on OWASP's Top 10 for 2021
- Insecure Direct Object Reference
- OWASP Recommendations
  - Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
  - As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
  - Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
  - Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.
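The four OWASP recommendations above, shown together in one reusable check (an added example, not code from this list or from OWASP; `Principal`, `Document`, `RULES`, `authorize` and the sample documents are constructed for illustration):

```python
# Added example: a single authorization entry point that denies by default,
# checks access per record (fine-grained), is the only place authz logic
# lives (implement once and reuse), and records every allow/deny decision.
# All names and sample data here are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


# Constructed stand-in for a database table of protected records.
DOCUMENTS = {
    "doc-1": Document("doc-1", owner_id="alice"),
    "doc-2": Document("doc-2", owner_id="bob"),
}

# Explicit allow rules: (role, action) -> predicate over (principal, document).
# Any (role, action) pair missing from this table is denied (deny by default).
RULES = {
    ("admin", "read"): lambda p, d: True,
    ("admin", "delete"): lambda p, d: True,
    # Fine-grained: an ordinary user may only act on records they own, so a
    # guessed or tampered object id resolves to a deny, not to someone else's data.
    ("user", "read"): lambda p, d: d.owner_id == p.user_id,
    ("user", "delete"): lambda p, d: d.owner_id == p.user_id,
}

AUDIT_LOG = []  # one entry per decision, allow or deny


def authorize(principal, action, doc_id):
    """The one authz check every handler calls. The object is looked up
    server-side from the supplied id (the id itself is never trusted), the
    allow rules are evaluated, and the decision is logged before returning."""
    doc = DOCUMENTS.get(doc_id)
    allowed = False  # default outcome when no rule explicitly allows
    if doc is not None:
        allowed = any(RULES.get((role, action), lambda p, d: False)(principal, doc)
                      for role in principal.roles)
    AUDIT_LOG.append({"user": principal.user_id, "action": action,
                      "resource": doc_id, "decision": "allow" if allowed else "deny"})
    return allowed
```

Actions that have no rule (for example `"export"`), unknown records, and records owned by someone else all fall through to the deny branch and still produce an audit entry.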
- Web App Access Control Design - A presentation highlighting best practices for implementing access control in web apps.
- Ask HN: Best Practices for Web Authorization? (2016)
- Implementing Role Based Access Control
- AWS - Authz & Access Control for SaaS Multi-tenant Apps
- Permissions Systems: Category Notes - An overview of the permissions systems landscape.
- How Netflix Is Solving Authorization Across Their Cloud (2017)
- Hashicorp - Microservice Authentication and Authorization (2019)