A curated list of information and best practices for authorization and access control.
- Overview
- Authentication vs. Authorization
- Access Control Models
- Security Concerns
- Best Practices
- Useful Articles & Tutorials
- Authz In Practice
- Videos & Talks
## Overview

- NIST Authorization Definition - "The process of verifying that a requested action or service is approved for a specific entity".
## Authentication vs. Authorization

- Authentication - Determines who someone or something is (identity).
- Authorization - Determines what someone or something can do in a system (privileges and permissions).
- Understanding Authentication, Authorization, and Encryption - Quick comparison of authn, authz and encryption.
## Access Control Models

- ABAC - Attribute-based access control.
- DAC - Discretionary access control.
- GBAC - Graph-based access control.
- MAC - Mandatory access control.
- OrBAC - Organization-based access control.
- ReBAC - Relationship-based access control.
- RBAC - Role-based access control.
## Security Concerns

- OWASP API Security Top 10 2019 - List of the top 10 security risks for APIs.
- OWASP Top 10 for 2021 - List of the top 10 web application security risks. Broken access control is #1 on the list.
- Insecure Direct Object Reference (IDOR) - Access control flaw in which a user-supplied identifier is used to look up an object without verifying that the caller is permitted to access that object.
- Broken Function Level Authorization - The API incorrectly relies on the client to use the correct access level, making it susceptible to hackers.
- Building a Modern Zero Trust Strategy - Overview of 'zero trust' security by Newstack (an email address is required to download the e-book).
- Retrospective on Coinbase Trading IDOR Vuln - Retrospective by the Coinbase team detailing remediation of an IDOR/validation bug found via bug bounty.
- Why Broken Access Control is the Most Severe Vulnerability - Overview of broken access control exploits including IDOR as well as best practices.
- Millions of people's data stolen because web devs forget to check access perms - CISA, NSA and the Australian Cyber Security Centre alert on the prevalence and danger of IDOR attacks.
## Best Practices

- OWASP Authorization Cheat Sheet & Recommendations - Authz overview and recommendations for best practices.
- Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
- As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
- Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
- Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.
## Useful Articles & Tutorials

- API Tokens: A Tedious Survey - An overview of different approaches to API security.
- Ask HN: Best Practices for Web Authorization? (2016) - HN discussion about application authorization best practices.
- Authorization in a Microservices World - Covers approaches to authorization in microservices.
- AWS - Authz & Access Control for SaaS Multi-tenant Apps - How-to/implementation guide for authz in multi-tenant apps using AWS.
- Best Practices for Building Secure API Keys - Covers hashing, storage and key retrieval.
- How To Structure Permissions In A SaaS App - Talks about approaches to RBAC, ACLs, etc. in SaaS apps.
- Implementing Role Based Access Control - How-to/implementation guide for basic RBAC in an application.
- Permissions Systems: Category Notes - An overview of the permissions systems landscape.
- Web App Access Control Design - A presentation highlighting best practices for implementing access control in web apps.
- What Do Authentication and Authorization Mean in Zero Trust? - How to think about Authn and Authz within a Zero Trust Architecture.
- Feature Flags and Authorization Abstract the Same Concept - A blog post comparing the many similarities and subtle differences between feature flagging and authorization.
- What's the Best Authorization Framework? None At All - Opinionated blog post detailing Betterment's approach to authz.
## Authz In Practice

- GitHub Secret Scanning - How GitHub scans repos to search for exposed secrets.
- Open Policy Agent - A policy-based framework for authorization and access control.
- Stripe API Docs - Stripe's approach to issuing and managing API keys securely.
- XACML - Standard that defines the "Extensible Access Control Markup Language," a declarative, fine-grained, attribute-based access control policy language.
- Intuit AuthZ - Post detailing Intuit's implementation of an XACML-based authz service.
- Google Zanzibar - Google's consistent, global authorization system.
- Why Google Zanzibar Shines at Building Authorization - A blog post detailing why Google Zanzibar is especially well suited to solving application authorization.
- Airbnb Himeji - Based on Zanzibar.
- Carta AuthZ - Also based on Zanzibar.
- Securing Apache Airflow UI With DAG Level Access - How Lyft set up fine-grained (DAG-level) access control on top of Apache Airflow.
- Authorization Solutions for Microservices Architecture - How AppsFlyer approaches authz in their microservices architecture.
- Reddit - Evolving Authorization for Our Advertising Platform - Summary of Reddit's internal fine-grained authz system built for the advertising platform.
- Authorization at LinkedIn's Scale - Summary of LinkedIn's high-performance authz system used within its microservices architecture.
- Attribute-Based Access Control at Uber - Summary of Uber's internal, centralized ABAC system used within its microservices architecture.
- Learnings from Building a Simple Authorization System (ABAC) - Ubicloud's learnings from building a simple ABAC authz system.
- How We Built a Custom Permissions DSL at Figma - Summary of how Figma built a custom permissions DSL for their product.