API Authorisation determines what authenticated users or applications are allowed to do within an API system. While authentication verifies identity, authorisation controls access to specific resources and operations based on permissions, roles, and policies.
Core Concepts
Access Control Models
Different approaches to controlling API access:
- Role-Based Access Control (RBAC): Access based on user roles
- Attribute-Based Access Control (ABAC): Access based on multiple attributes
- Discretionary Access Control (DAC): Resource owners control access
- Mandatory Access Control (MAC): System-enforced access controls
Authorization Components
Key elements of API authorisation systems:
- Subjects: Users, applications, or services requesting access
- Resources: API endpoints, data objects, or operations
- Actions: Specific operations like read, write, delete, execute
- Context: Environmental factors like time, location, device
Implementation Approaches
Token-Based Authorisation
Using tokens to convey authorisation information:
- OAuth 2.0 Scopes: Granular permissions encoded in access tokens
- JWT Claims: Authorization information embedded in JSON Web Tokens
- SAML Assertions: XML-based authorization statements
- Custom Token Formats: Organization-specific authorization tokens
Policy-Based Authorisation
Using policies to define access rules:
- XACML Policies: eXtensible Access Control Markup Language
- REGO Policies: Open Policy Agent policy language
- JSON Policies: Simplified JSON-based policy definitions
- Custom Policy Engines: Organization-specific policy systems
API Gateway Authorisation
Centralized authorisation at the API gateway:
- Upstream Authorization: Gateway validates permissions before forwarding requests
- Policy Enforcement Points: Centralized enforcement of authorization policies
- Token Validation: Gateway validates and interprets authorization tokens
- Context Enrichment: Adding contextual information for authorization decisions
Granular Access Control
Resource-Level Authorisation
Controlling access to specific API resources:
- Endpoint Permissions: Different permissions for different API endpoints
- HTTP Method Controls: Separate permissions for GET, POST, PUT, DELETE
- Resource Ownership: Access based on resource ownership
- Hierarchical Resources: Nested resource permission inheritance
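The following is an added example, not code from the original page: a small policy enforcement point that applies the token-based and resource-level controls described above (OAuth 2.0 scopes carried in JWT claims, per-endpoint and per-HTTP-method permissions, resource ownership, deny-by-default, and logging of every denial). The endpoint table, scope names and claim layout are assumptions constructed for the illustration; the JWT is assumed to have already been signature-checked by the authentication layer.

```python
import logging
from typing import Optional

log = logging.getLogger("authz")

# Constructed endpoint permission table: (HTTP method, route template) -> required
# OAuth 2.0 scope. A (method, route) pair that is not listed is denied: fail-safe default.
ENDPOINT_SCOPES = {
    ("GET", "/orders/{id}"): "orders:read",
    ("PUT", "/orders/{id}"): "orders:write",
    ("DELETE", "/orders/{id}"): "orders:admin",
}


def authorize(claims: dict, method: str, route: str,
              resource_owner: Optional[str] = None) -> tuple:
    """Policy enforcement point for one request.

    `claims` is the decoded JWT payload; its signature and expiry are assumed to
    have been verified already (that is authentication, not authorisation).
    `resource_owner` is the subject that owns the target resource, if the
    endpoint addresses a specific resource. Returns (allowed, reason).
    """
    required = ENDPOINT_SCOPES.get((method.upper(), route))
    granted = set(claims.get("scope", "").split())  # space-separated, as in RFC 6749
    roles = set(claims.get("roles", []))
    if required is None:
        allowed, reason = False, "no policy for endpoint"
    elif required not in granted:
        allowed, reason = False, "missing scope " + required
    elif (resource_owner is not None and claims.get("sub") != resource_owner
          and "admin" not in roles):
        allowed, reason = False, "caller is not the resource owner"
    else:
        allowed, reason = True, "ok"
    # Every denial is logged with subject, method and route (denial logging).
    if not allowed:
        log.warning("DENY sub=%s %s %s: %s", claims.get("sub"), method, route, reason)
    return allowed, reason
```

Note that an unknown method or route is denied even for an admin token: the table is the only source of "allow".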
Data-Level Authorisation
Controlling access to specific data elements:
- Field-Level Security: Permissions for individual data fields
- Row-Level Security: Access to specific database rows or records
- Data Classification: Access based on data sensitivity levels
- Dynamic Filtering: Real-time filtering based on user permissions
Operation-Level Authorisation
Controlling specific operations within APIs:
- Business Function Access: Permissions for specific business operations
- Administrative Functions: Separate permissions for admin operations
- Bulk Operations: Special permissions for batch or bulk operations
- Sensitive Operations: Enhanced controls for critical operations
Advanced Features
Dynamic Authorisation
Real-time authorization decisions based on current context:
- Contextual Factors: Time, location, device, network information
- Risk-Based Authorization: Authorization based on calculated risk
- Adaptive Permissions: Permissions that change based on behavior
- Just-In-Time Access: Temporary permissions for specific operations
Delegated Authorisation
Allowing users to delegate permissions to others:
- Permission Delegation: Users granting permissions to other users
- Service Account Permissions: Applications acting on behalf of users
- Temporary Grants: Time-limited permission delegation
- Auditable Delegation: Comprehensive logging of delegation activities
Multi-Tenant Authorisation
Authorization in multi-tenant environments:
- Tenant Isolation: Ensuring users only access their tenant's data
- Cross-Tenant Access: Controlled access across tenant boundaries
- Tenant-Specific Policies: Customized authorization policies per tenant
- Hierarchical Tenants: Nested tenant authorization structures
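The following is an added example, not code from the original page, combining the data-level controls above (row-level and field-level security with dynamic filtering) with multi-tenant isolation and controlled cross-tenant access. The records, the `tenant_id` and `cross_tenants` claims, and the role-to-field policy are all constructed assumptions for the illustration.

```python
# Constructed sample records: every row carries a tenant_id (the row-level security key).
RECORDS = [
    {"id": 1, "tenant_id": "acme", "customer": "Ann", "card_last4": "4242", "total": 120},
    {"id": 2, "tenant_id": "acme", "customer": "Bob", "card_last4": "1111", "total": 75},
    {"id": 3, "tenant_id": "globex", "customer": "Cy", "card_last4": "9999", "total": 300},
]

# Constructed field-level policy: role -> set of fields that role may see.
FIELD_POLICY = {
    "support": {"id", "customer", "total"},
    "finance": {"id", "customer", "card_last4", "total"},
}


def filter_rows(rows, claims):
    """Row-level security (tenant isolation): keep only rows of the caller's tenant.

    Cross-tenant access is granted only through an explicit `cross_tenants`
    claim that the token issuer placed in the token; a token without any
    tenant claim sees nothing (fail-safe default).
    """
    tenant = claims.get("tenant_id")
    if tenant is None:
        return []
    allowed = {tenant, *claims.get("cross_tenants", [])}
    return [r for r in rows if r["tenant_id"] in allowed]


def redact_fields(rows, claims):
    """Field-level security: project each row onto the union of fields the
    caller's roles permit. A caller with no recognised role gets no data."""
    visible = set()
    for role in claims.get("roles", []):
        visible |= FIELD_POLICY.get(role, set())
    if not visible:
        return []
    return [{k: v for k, v in r.items() if k in visible} for r in rows]


def query(rows, claims):
    """Dynamic filtering applied at read time: rows first, then fields."""
    return redact_fields(filter_rows(rows, claims), claims)
```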
Integration with Security Systems
Authorization supporting Zero Trust principles:
- Continuous Authorization: Ongoing validation of access permissions
- Principle of Least Privilege: Minimal necessary permissions
- Context-Aware Decisions: Authorization based on full context
- Dynamic Trust Assessment: Real-time trust evaluation
Authorization in development and operations workflows:
- Policy as Code: Authorization policies managed as code
- Automated Testing: Testing authorization policies in CI/CD pipelines
- Environment Consistency: Consistent authorization across environments
- Audit Integration: Authorization logging for compliance and auditing
Performance Considerations
Caching Strategies
Optimizing authorization performance through caching:
- Decision Caching: Caching authorization decisions for repeated requests
- Policy Caching: Caching compiled policies at enforcement points
- Token Caching: Caching validated tokens to avoid repeated validation
- Context Caching: Caching contextual information for authorization
Distributed Authorization
Scaling authorization across distributed systems:
- Local Decision Points: Authorization decisions at edge locations
- Centralized Policy Management: Central management with distributed enforcement
- Federated Authorization: Authorization across organizational boundaries
- Microservices Authorization: Service-to-service authorization patterns
Monitoring and Auditing
Authorization Logging
Comprehensive logging of authorization activities:
- Access Logs: Detailed logs of all authorization decisions
- Policy Evaluation: Logging of policy evaluation processes
- Denial Logging: Comprehensive logging of access denials
- Performance Metrics: Authorization system performance monitoring
Compliance Support
Supporting regulatory compliance through authorization:
- Audit Trails: Complete audit trails for access control
- Compliance Reporting: Automated compliance validation and reporting
- Data Protection: Authorization supporting data protection regulations
- Segregation of Duties: Ensuring proper separation of responsibilities
Best Practices
Policy Design
Designing effective authorization policies:
- Principle of Least Privilege: Granting minimum necessary permissions
- Clear Policy Language: Understandable and maintainable policies
- Regular Policy Review: Periodic review and update of authorization policies
- Testing and Validation: Comprehensive testing of authorization logic
Security Implementation
Implementing secure authorization systems:
- Fail-Safe Defaults: Denying access by default
- Defense in Depth: Multiple layers of authorization controls
- Regular Updates: Keeping authorization systems updated
- Security Testing: Regular security testing of authorization logic
API Authorisation provides the fine-grained access control necessary for secure API operations. When integrated with robust API authentication and comprehensive API security strategies, effective authorisation ensures that users and applications can only access the resources and perform the operations they are permitted to.