Beginner · 8 min read · Networking & Communication

Authorization

Enforcing client access permissions across system boundaries (OAuth2, scopes, claims).

What you'll learn

  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Relationship-Based Access Control (ReBAC)
  • JWT Claims-Based Authorization
  • Policy Enforcement Point (PEP) vs Decision Point (PDP)
  • Principle of Least Privilege

Visual System Topology

[Figure: Authorization Network Handshake Flow. Client node initiates request; authorization gateway routes traffic; backend server executes logic.]

Concept Overview

Authorization determines what an authenticated user is allowed to do — answering "what can you access?" after identity has been established. It enforces access control policies across resources, APIs, and data.

Modern authorization has evolved from simple role checks ("is the user an admin?") to fine-grained attribute-based policies ("can this user in this department access this document in this classification at this time of day?"). The three dominant models are RBAC (Role-Based Access Control), ABAC (Attribute-Based Access Control), and ReBAC (Relationship-Based Access Control — used by Google Zanzibar/Google Drive).

Authorization decisions must be fast (< 5ms), consistently enforced at every API boundary, and auditable (every decision must be logged). The most dangerous authorization flaw is the "confused deputy" problem: a privileged service is tricked into performing actions on behalf of a less-privileged user.

Key Architectural Pillars

1. Role-Based Access Control (RBAC)

Permissions are assigned to roles; users are assigned to roles. Simpler to manage than per-user permissions. Standard roles: admin, editor, viewer. Works well for small user populations with clear role boundaries.

Example: GitHub: Organization Owner, Member, Billing Manager. Repository: Admin, Write, Read. Access decisions: "does this user have Write role on this repo?"

2. Attribute-Based Access Control (ABAC)

Access decisions based on attributes of the user, resource, action, and environment. More expressive than RBAC but more complex. AWS IAM policies are ABAC: "allow users with tag Department=Engineering to write to S3 buckets with tag Environment=Dev."

Example: AWS IAM: {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::dev-*", "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Engineering"}}}

3. Relationship-Based Access Control (ReBAC)

Access is determined by the relationship graph between users and resources. Used by Google Zanzibar (powers Google Drive, Docs, Calendar). Can express: "user A has access to document D if A is a member of a group that has viewer permission on D."

Example: Google Docs: user can view Document X if they are listed as a viewer, OR are a member of a group listed as a viewer, OR Document X is in a folder they have access to.
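
The Google Docs rule above, worked through as an added example (this is not ReviseAlgo's or Zanzibar's code): a minimal Zanzibar-style relation-tuple store and a recursive checker that follows group membership (including nested groups) and parent-folder inheritance, with a visited set so a malformed folder cycle cannot make the check loop forever. The tuples, object names and the "parent" relation are constructed for illustration.

```python
# Constructed Zanzibar-style tuples: (object, relation, subject).
# A subject is a user id, or a "userset" (object, relation) meaning
# "everyone who has that relation on that object" (e.g. group members).
TUPLES = [
    ("doc:X", "viewer", "user:alice"),                 # listed directly
    ("doc:X", "viewer", ("group:eng", "member")),      # group is a viewer
    ("group:eng", "member", "user:bob"),
    ("group:eng", "member", ("group:eng-leads", "member")),  # nested group
    ("group:eng-leads", "member", "user:carol"),
    ("doc:X", "parent", "folder:F"),                   # doc lives in F
    ("folder:F", "viewer", "user:dave"),
    ("folder:F", "parent", "folder:G"),
    ("folder:G", "viewer", "user:erin"),
    ("folder:G", "parent", "folder:F"),  # constructed bad data: a cycle
]


def check(obj, relation, user, tuples=TUPLES, seen=None):
    """Return True if `user` holds `relation` on `obj`.

    Resolves usersets recursively (group membership) and lets "viewer"
    on a parent folder flow down to its children. `seen` tracks
    (object, relation) pairs already on the path, so a cycle in the
    parent graph terminates with a deny instead of infinite recursion.
    """
    if seen is None:
        seen = set()
    key = (obj, relation)
    if key in seen:
        return False          # already evaluated or currently in progress
    seen.add(key)
    for o, r, subject in tuples:
        if o != obj:
            continue
        if r == relation:
            if subject == user:
                return True   # direct grant
            if isinstance(subject, tuple):
                # userset: does the user hold subject[1] on subject[0]?
                if check(subject[0], subject[1], user, tuples, seen):
                    return True
        if r == "parent" and relation == "viewer":
            # viewer on the containing folder is inherited by the child
            if check(subject, "viewer", user, tuples, seen):
                return True
    return False
```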

4. JWT Claims-Based Authorization

Embed authorization metadata directly in the JWT payload: user roles, feature flags, tenant ID, subscription tier. Services validate the JWT and read claims without calling an external authorization service. Fast but stale (claims only update on token refresh).

Example: JWT payload: {"user_id": 123, "roles": ["editor", "billing_admin"], "tenant": "acme-corp", "subscription": "enterprise"}

5. Policy Enforcement Point (PEP) vs Decision Point (PDP)

PEP: where authorization is enforced (API Gateway, middleware, service). PDP: where authorization decisions are made (OPA, Casbin, AWS IAM). Separating PEP from PDP centralizes policy management and enables policy-as-code.

Example: An API Gateway (PEP) intercepts every request and calls OPA (PDP) to evaluate the policy. OPA returns allow/deny. The gateway enforces the decision.

6. Principle of Least Privilege

Every user, service, and process should have only the minimum permissions necessary to perform its function. Limits blast radius of compromised accounts or buggy code.

Example: An order-reading service has only SELECT permission on the orders table. It cannot INSERT, UPDATE, or DELETE — even if the code has a bug that tries to.
