
Pushing Left, Like a Boss — Part 5.11 — Authorization (AuthZ)

Tanya Janca · 2 min read

Previously published on my Medium blog, SheHacksPurple.

Authorization (also known as ‘AuthZ’) is verifying that the user who is trying to perform an action within your application is allowed (is authorized/has permissions) to use that functionality. For instance, is the user an admin user? If so, allow them to view the admin page. If not, block access.

There are several different models used within our industry for authorization, with RBAC (Role-Based Access Control) being the most popular. RBAC means assigning people different roles in your system(s), just as people play different roles within your organization, and giving them access based on the role they are assigned.

For instance, meet Emily, a hypothetical software developer who is new to my project team (pictured below).

#WOCinTechChat: Emily the Software Developer

As a software developer she is going to need access to all sorts of things: source control, perhaps permission to publish to the CI/CD pipeline, and various file systems.

Now look at the second image to see our project team: Sarah, Emily and Jennifer. A project manager, software developer, and a database administrator (DBA). They all play different roles within the project and our organization, so they need different sets of permissions and access. Emily the software developer should not need Database Owner (DBO) permissions, but the DBA definitely will. The project manager is unlikely to need access to the web server.

This is where Role-Based Access Control is extremely helpful: the system administrator can easily assign the proper roles to each of our project members, ensuring they are only authorized to access the things they need to get their jobs done (least privilege).

Project manager, software developer, and DBA, Photo Credit: #WOCinTechChat

When writing code for authorization within applications, use the features in your framework, and re-verify access for every feature and/or page of your application. Test your implementation thoroughly, with each role, for best results.

This is something software developers often get wrong, and the consequences can be severe, so please take care to test thoroughly.
For a deeper dive into this topic, check out the OWASP Cheat Sheet on Authorization Testing Automation, by Dominique Righetto.
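As an added example (not code from the post), here is the per-feature authorization check described above in Python: a constructed role table for the hypothetical team (project manager, developer, DBA) plus an admin role, a decorator that looks the role up in a server-side session store on every call rather than trusting anything the client sends, and a matrix check that exercises each feature with each role, which is the "test with each role" advice in practice. The session ids, role names and permission names are all invented for the example.

```python
# Constructed role table for the post's team (PM, developer, DBA) plus an admin.
ROLE_PERMISSIONS = {
    "project_manager": {"view_schedule", "edit_schedule"},
    "developer": {"view_schedule", "push_code", "trigger_pipeline"},
    "dba": {"view_schedule", "manage_database"},
    "admin": {"view_schedule", "manage_database", "view_admin_page"},
}
# Constructed server-side session store: the role is looked up here by an
# opaque session id, never taken from a role field the client could send.
SESSIONS = {"s-sarah": "project_manager", "s-emily": "developer",
            "s-jennifer": "dba", "s-root": "admin"}

class Forbidden(Exception): pass

def allowed(session_id, permission):
    role = SESSIONS.get(session_id)  # unknown session or role: deny by default
    return role is not None and permission in ROLE_PERMISSIONS.get(role, ())

def requires(permission):
    # Decorator that re-verifies authorization on every call to the feature.
    def decorate(fn):
        def wrapper(session_id, *args, **kwargs):
            if not allowed(session_id, permission):
                raise Forbidden(f"{permission} denied for {session_id}")
            return fn(session_id, *args, **kwargs)
        return wrapper
    return decorate

# Each page/feature carries its own check; none relies on a check made elsewhere.
@requires("view_admin_page")
def admin_page(session_id):
    return "admin page"

@requires("manage_database")
def drop_table(session_id, table="audit"):
    return f"dropped {table}"

def check_matrix():
    # Exercise every feature with every role plus a bogus session, as the post advises.
    outcome = {}
    for sid in list(SESSIONS) + ["s-unknown"]:
        for name, feature in {"admin": admin_page, "db": drop_table}.items():
            try:
                feature(sid)
                outcome[(sid, name)] = "allowed"
            except Forbidden:
                outcome[(sid, name)] = "denied"
    return outcome
```

`check_matrix()` returns the allowed/denied result for every (session, feature) pair, so a single unexpected "allowed" in that table is the missing check the post warns about.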

Up next in the ‘Pushing Left, Like a Boss’ series: Authentication (AuthN), Identity and Access Control.

Discussion

Mike Samuel

> There are several different models used within our industry for authorization

In case you've not seen it, From ABAC to ZBAC by Karp et al. is quite accessible and contrasts quite a few.

> A variety of access control models have been developed over the years, each designed to address different aspects of the problem. This report will examine the strengths and weaknesses of the various approaches as applied in a cross domain services and as implemented in common SOA frameworks.