Fine-grained authorization: what’s all the buzz about?

[Image: fine-grained wood. Photo by Jan Antonin Kolar on Unsplash]

Defining fine-grained authorization

Authorization Model

Resource types


Roles: a rollup of permissions

Resource granularity

  • Tenant-level: permissions extend to all resources of that type (e.g. all jobs)
  • Organization-level: tenants consist of multiple organizations, and permissions extend to resources of that type within each organization (e.g. all engineering jobs)
  • Individual resources: the permissions for every resource can be set individually

Resource groups: a practical way to organize resources


How your customers map their users to your model

Assign users to roles (“RBAC”)

Map user attributes to permissions (“ABAC”)

Parting lessons

  • Define a permission for each distinct operation in your system (the cartesian product of verbs and nouns). This gives your authorization model room to evolve without any additional re-architecture.
  • Define some common roles that are “roll-ups” of these permissions. Most of your customers will prefer to use these roles, but allowing these roles to be augmented with additional permissions gives your customers the ability to start from defaults and customize to their environment.
  • Assuming your customers have their own identity provider that they want to source users from, give your customers the flexibility to map between their identity provider attributes and your roles and permissions.
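The three lessons above, together with the tenant / organization / individual-resource granularity described earlier, can be put into a small working model. The following is an added example, not code from the article or from any product it discusses; the verbs, nouns, role names, claim names and sample tenant "acme" are all constructed assumptions. It derives permissions as the cartesian product of verbs and nouns, defines roles as roll-ups that a customer can augment with extra permissions, binds each grant to a scope, and maps identity-provider attributes to roles so that users are never assigned to permissions by hand.

```python
"""Added example (not from the original article): a minimal fine-grained
authorization model. All names below are constructed assumptions."""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, Optional

VERBS = ("create", "read", "update", "delete")
NOUNS = ("job", "report")

# One permission per distinct operation: the cartesian product of verbs and nouns.
PERMISSIONS = frozenset(f"{verb}:{noun}" for verb, noun in product(VERBS, NOUNS))

# Roles are roll-ups of permissions (constructed sample roles).
ROLES = {
    "viewer": frozenset({"read:job", "read:report"}),
    "editor": frozenset({"read:job", "update:job", "read:report", "update:report"}),
    "admin": PERMISSIONS,
}


@dataclass(frozen=True)
class Resource:
    type: str      # the noun, e.g. "job"
    tenant: str
    org: str
    id: str


@dataclass(frozen=True)
class Grant:
    """A permission bound to a scope. org=None means tenant-wide; resource_id=None
    means every resource of that type in scope; both set means one resource."""
    permission: str
    tenant: str
    org: Optional[str] = None
    resource_id: Optional[str] = None

    def covers(self, resource: Resource) -> bool:
        if resource.tenant != self.tenant:
            return False  # a grant never reaches across tenants
        if self.org is not None and resource.org != self.org:
            return False
        if self.resource_id is not None and resource.id != self.resource_id:
            return False
        return True


def check_permission(permission: str) -> str:
    """Reject anything outside the verb x noun product so a mistyped
    permission fails loudly instead of silently granting nothing."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    return permission


def role_grants(role: str, tenant: str, org: Optional[str] = None,
                resource_id: Optional[str] = None, extra: Iterable[str] = ()) -> list:
    """Expand a role, plus any customer-added permissions, into scoped grants."""
    perms = ROLES[role] | frozenset(check_permission(p) for p in extra)
    return [Grant(p, tenant, org, resource_id) for p in sorted(perms)]


def is_authorized(grants: Iterable[Grant], verb: str, resource: Resource) -> bool:
    """Deny by default: allow only if some grant names the operation and covers the resource."""
    needed = f"{verb}:{resource.type}"
    return any(g.permission == needed and g.covers(resource) for g in grants)


@dataclass(frozen=True)
class MappingRule:
    """Customer-defined: if IdP attribute `attribute` contains `value`, assign `role` in `org`."""
    attribute: str
    value: str
    role: str
    org: Optional[str] = None
    extra: tuple = ()


def grants_from_claims(claims: dict, rules: Iterable[MappingRule]) -> list:
    """Bridge from the customer's identity provider: attributes -> roles -> grants.
    `claims` is the attribute set the IdP asserts about the user (constructed here)."""
    grants = []
    tenant = claims["tenant"]
    for rule in rules:
        value = claims.get(rule.attribute)
        values = value if isinstance(value, list) else [value]
        if rule.value in values:
            grants.extend(role_grants(rule.role, tenant, org=rule.org, extra=rule.extra))
    return grants


if __name__ == "__main__":
    # Constructed sample data: engineers edit (and may delete) engineering jobs; everyone reads.
    rules = [
        MappingRule("department", "engineering", "editor", org="engineering", extra=("delete:job",)),
        MappingRule("groups", "everyone", "viewer"),
    ]
    claims = {"tenant": "acme", "department": "engineering", "groups": ["everyone"]}
    grants = grants_from_claims(claims, rules)
    eng_job = Resource("job", "acme", "engineering", "job-1")
    sales_job = Resource("job", "acme", "sales", "job-2")
    print(is_authorized(grants, "delete", eng_job))    # True
    print(is_authorized(grants, "update", sales_job))  # False: editor is scoped to engineering
    print(is_authorized(grants, "read", sales_job))    # True: viewer is tenant-wide
```

Two design choices are worth noting. The decision function denies by default and only ever widens access through an explicit grant, so a missing mapping rule fails closed rather than open. And because every grant carries its tenant, the same check that enforces organization and resource scope also enforces tenant isolation, so a cross-tenant request cannot be authorized by an attribute collision alone.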

What authorization requirements do your customers ask for?


