Fine-grained authorization: what’s all the buzz about?

Photo by Jan Antonin Kolar on Unsplash

Defining fine-grained authorization

Authorization Model

Resource types

Permissions

Roles: a rollup of permissions

Resource granularity

  • Tenant-level: permissions extend to all resources of that type across the tenant (e.g. all jobs)
  • Organization-level: a tenant consists of multiple organizations, and permissions extend to resources of that type within a given organization (e.g. all engineering jobs)
  • Individual resources: permissions are set separately on each resource (e.g. one specific job)

Resource groups: a practical way to organize resources

Checkpointing

How your customers map their users to your model

Assign users to roles (“RBAC”)

Map user attributes to permissions (“ABAC”)

Parting lessons

  • Define a permission for each distinct operation in your system (the Cartesian product of verbs and nouns). This gives your authorization model room to evolve without re-architecting it later.
  • Define some common roles that are “roll-ups” of these permissions. Most of your customers will prefer to use these roles, but allowing a role to be augmented with additional permissions lets customers start from sensible defaults and customize to their environment.
  • Assuming your customers source users from their own identity provider, give them the flexibility to map their identity provider’s attributes (groups, claims) onto your roles and permissions.
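The following is an added example (not code from the original post or from Aserto) that puts the three lessons and the granularity levels above into one small, default-deny authorization model: permissions are the Cartesian product of verbs and nouns, roles are augmentable roll-ups, each grant carries a scope (tenant, organization, resource group or single resource), and a customer-configured table maps identity-provider group claims onto grants. The verbs, nouns, tenants (“acme”, “globex”), role names and the `IDP_MAPPING` table are all constructed for illustration.

```python
"""Toy fine-grained authorization model: verbs x nouns permissions, roll-up roles,
scoped grants, and IdP-claim-to-grant mapping. All names and data are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, Optional

VERBS = ("read", "create", "update", "delete")
NOUNS = ("job", "candidate")

# One permission per distinct operation: the Cartesian product of verbs and nouns.
PERMISSIONS = frozenset(f"{v}:{n}" for v, n in product(VERBS, NOUNS))

# Roles are roll-ups of permissions; customers start from these and may add to them.
ROLES = {
    "viewer": frozenset({"read:job", "read:candidate"}),
    "recruiter": frozenset({"read:job", "read:candidate", "create:candidate", "update:candidate"}),
    "admin": PERMISSIONS,
}


@dataclass(frozen=True)
class Resource:
    tenant: str
    org: str
    kind: str                          # the noun, e.g. "job"
    id: str
    groups: frozenset = frozenset()    # resource groups this resource belongs to


@dataclass(frozen=True)
class Scope:
    """Where a grant applies. Only tenant is required; each optional field narrows it."""
    tenant: str
    org: Optional[str] = None          # organization-level
    group: Optional[str] = None        # resource-group-level
    resource_id: Optional[str] = None  # individual resource

    def covers(self, r: Resource) -> bool:
        return (r.tenant == self.tenant
                and (self.org is None or r.org == self.org)
                and (self.group is None or self.group in r.groups)
                and (self.resource_id is None or r.id == self.resource_id))


@dataclass(frozen=True)
class Grant:
    scope: Scope
    role: Optional[str] = None         # a roll-up role, or None for bare permissions
    extra: frozenset = frozenset()     # permissions added on top of the role

    def permissions(self) -> frozenset:
        unknown = self.extra - PERMISSIONS
        if unknown:  # fail closed on typos such as "delet:job" rather than silently granting nothing
            raise ValueError(f"unknown permissions in grant: {sorted(unknown)}")
        base = ROLES[self.role] if self.role is not None else frozenset()
        return base | self.extra


def is_allowed(grants: Iterable[Grant], permission: str, resource: Resource) -> bool:
    """Default deny: True only if some grant whose scope covers the resource carries the permission."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission!r}")
    if permission.split(":", 1)[1] != resource.kind:   # "read:job" never applies to a candidate
        return False
    return any(permission in g.permissions() for g in grants if g.scope.covers(resource))


# Customer-configured, per-tenant mapping from IdP group claims to (role, extra, org). Constructed.
IDP_MAPPING = {
    "all-staff": dict(role="viewer", extra=frozenset(), org=None),
    "eng-recruiting": dict(role="recruiter", extra=frozenset({"delete:job"}), org="engineering"),
}


def grants_from_claims(claims: dict, mapping: dict = IDP_MAPPING) -> list:
    """Turn an IdP token's claims (tenant + groups) into scoped grants; unmapped groups are ignored."""
    grants = []
    for group in claims.get("groups", []):
        m = mapping.get(group)
        if m is not None:
            grants.append(Grant(Scope(claims["tenant"], org=m["org"]), m["role"], m["extra"]))
    return grants


def demo() -> dict:
    eng_job = Resource("acme", "engineering", "job", "job-17", frozenset({"exec-search"}))
    sales_job = Resource("acme", "sales", "job", "job-42")
    other_tenant_job = Resource("globex", "engineering", "job", "job-17")
    claims = {"sub": "alice", "tenant": "acme", "groups": ["all-staff", "eng-recruiting"]}
    grants = grants_from_claims(claims)
    # A resource-group grant of one bare permission, added directly rather than via the IdP.
    grants.append(Grant(Scope("acme", group="exec-search"), extra=frozenset({"update:job"})))
    try:
        is_allowed(grants, "delet:job", eng_job)
        unknown_rejected = False
    except ValueError:
        unknown_rejected = True
    return {
        "read_sales_job": is_allowed(grants, "read:job", sales_job),       # viewer, tenant-wide
        "delete_eng_job": is_allowed(grants, "delete:job", eng_job),       # role + extra, org-scoped
        "delete_sales_job": is_allowed(grants, "delete:job", sales_job),   # outside engineering
        "update_eng_job": is_allowed(grants, "update:job", eng_job),       # via resource group
        "update_sales_job": is_allowed(grants, "update:job", sales_job),   # not in the group
        "cross_tenant": is_allowed(grants, "read:job", other_tenant_job),  # tenant isolation
        "unknown_rejected": unknown_rejected,
    }
```

Two design choices worth noting: the check rejects permissions that were never defined instead of treating them as “no match”, so a misspelled permission in a policy or a grant surfaces as an error rather than a silent deny (or, worse, a silent allow in a system that checks for denials), and the tenant is the one mandatory part of every scope, so no grant can ever reach across tenants by omission.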

What authorization requirements do your customers ask for?


Aserto

Welcome to modern authorization.