Authorization

Authorization is the decision layer: once a caller is authenticated, what is it allowed to do? This category covers authorization models (RBAC, ABAC, ReBAC), the Zanzibar relationship-tuple model, policy as code, decision/enforcement architecture (PDP/PEP), performance, auditing, and how these ideas apply to APIs and AI agents.

Fine-Grained Authorization (Zanzibar Pattern): Relationship-Based Access Control
When RBAC breaks down, use relationships. Learn the Zanzibar model, tuples, checks, and scaling patterns.
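The tuples-and-checks idea in one runnable sketch. This is an added illustration for this index, not code from the article or from any Zanzibar implementation; the object types, relations, tuple store and rewrite rules are constructed, and the `check` function is a hypothetical minimal resolver.

```python
"""
Minimal Zanzibar-style relationship check (added illustration; schema,
tuple store and identifiers below are constructed for this example).
"""

# Relation tuples: (object, relation, subject). A subject is either a user
# ("user:alice") or a userset ("group:eng#member" = every member of group:eng).
TUPLES = {
    ("doc:readme", "owner", "user:alice"),
    ("doc:readme", "parent", "folder:eng"),
    ("folder:eng", "viewer", "group:eng#member"),
    ("group:eng", "member", "user:bob"),
    ("group:eng", "member", "group:contractors#member"),
    ("group:contractors", "member", "user:carol"),
}

# Userset rewrite rules per (object type, relation):
#   "computed": relations on the same object that imply this one
#   "ttu": tuple-to-userset, i.e. follow a relation to another object and
#          check a relation there (doc#viewer inherits folder#viewer via parent)
SCHEMA = {
    ("doc", "viewer"): {"computed": ["editor"], "ttu": [("parent", "viewer")]},
    ("doc", "editor"): {"computed": ["owner"]},
}


def check(obj, relation, user, *, tuples=TUPLES, schema=SCHEMA, _path=frozenset()):
    """True if `user` is in the userset obj#relation, following rewrite rules.

    `_path` holds the (object, relation) nodes on the current recursion path so
    that cyclic data (a group nested inside itself) terminates with a deny.
    """
    node = (obj, relation)
    if node in _path:
        return False
    path = _path | {node}
    rules = schema.get((obj.split(":", 1)[0], relation), {})

    # 1. Direct tuples, expanding userset subjects recursively.
    for o, r, s in tuples:
        if o != obj or r != relation:
            continue
        if s == user:
            return True
        if "#" in s:
            s_obj, s_rel = s.split("#", 1)
            if check(s_obj, s_rel, user, tuples=tuples, schema=schema, _path=path):
                return True

    # 2. Computed usersets on the same object (owner implies editor implies viewer).
    for implied_by in rules.get("computed", []):
        if check(obj, implied_by, user, tuples=tuples, schema=schema, _path=path):
            return True

    # 3. Tuple-to-userset: hop to the related object and check the target relation there.
    for via_rel, target_rel in rules.get("ttu", []):
        for o, r, s in tuples:
            if o == obj and r == via_rel and "#" not in s:
                if check(s, target_rel, user, tuples=tuples, schema=schema, _path=path):
                    return True
    return False


if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(who, "viewer:", check("doc:readme", "viewer", who),
              "editor:", check("doc:readme", "editor", who))
```

Every question is answered by walking the graph from the object outward, which is why a real deployment needs an index on (object, relation) and a depth or path guard: a self-referential group must resolve to deny, not to a stack overflow.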
Policy as Code for IAM: OPA/Rego vs Cedar vs Homegrown
Compare policy-as-code approaches and the operational realities of central policy decision points.
Authorization Architecture: PDP/PEP, Sidecars, and Centralized Policy
Where to put policy decisions and enforcement (gateway, service middleware, sidecars), and how to avoid policy drift.
Modeling Permissions & Entitlements
How to design resources, actions, scopes, roles, and relationships so authorization stays maintainable as systems grow.
Multi-Tenant SaaS Authorization
Tenant isolation, org/workspace models, invites, and safe defaults for B2B SaaS authorization.
Authorization for APIs: Scopes, Claims, and “Who Can Call What”
Turn identity into API decisions: token design, scopes vs roles, audience, and avoiding confused-deputy problems.
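A concrete shape for the checks this entry names, added here as an illustration rather than taken from the article or from any token library. The route table, role map, claim names beyond the standard `aud`/`exp` and the `authorize` function are constructed; the example assumes the token signature has already been verified and that `claims` is the verified payload.

```python
"""
Turning verified access-token claims into an API decision (added illustration;
routes, roles and claim sets are constructed for this example).
"""
import time

# Route table: (method, path prefix) -> scope the caller needs. Unknown routes deny.
ROUTES = {
    ("GET", "/invoices"): "invoices:read",
    ("POST", "/invoices"): "invoices:write",
    ("DELETE", "/invoices"): "invoices:admin",
}

# What the *user* may do, by role. Scopes are what the *client* was delegated;
# the effective permission is the intersection of the two.
ROLE_PERMS = {
    "viewer": {"invoices:read"},
    "accountant": {"invoices:read", "invoices:write"},
    "admin": {"invoices:read", "invoices:write", "invoices:admin"},
}


def required_scope(method, path):
    """Map a request to the scope it needs; None means no mapping, hence deny."""
    for (m, prefix), scope in ROUTES.items():
        if m == method and path.startswith(prefix):
            return scope
    return None


def authorize(claims, *, expected_aud, method, path, now=None):
    """Return (allowed, reason). Every branch is deny-by-default."""
    now = time.time() if now is None else now

    # 1. Freshness: an expired token is rejected before anything else is read.
    if claims.get("exp", 0) <= now:
        return False, "token expired"

    # 2. Audience: a token minted for another service must not be accepted here,
    #    even if its scopes look right. This is the confused-deputy check.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, f"audience mismatch: token is for {auds}"

    # 3. Request -> scope, with unknown routes denied rather than assumed public.
    scope = required_scope(method, path)
    if scope is None:
        return False, "no route mapping (deny by default)"

    # 4. Client scope: what the user delegated to this client application.
    granted = set(claims.get("scope", "").split())
    if scope not in granted:
        return False, f"missing scope {scope}"

    # 5. User permission from roles: a scope cannot exceed what the user has.
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in claims.get("roles", [])))
    if scope not in perms:
        return False, f"user lacks {scope}"

    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    token = {"sub": "user:bob", "aud": "invoices-api", "exp": now + 600,
             "scope": "invoices:read invoices:write", "roles": ["accountant"]}
    for m, p in (("GET", "/invoices/42"), ("DELETE", "/invoices/42")):
        print(m, p, authorize(token, expected_aud="invoices-api", method=m, path=p))
    print("wrong audience:", authorize(dict(token, aud="reports-api"),
                                       expected_aud="invoices-api", method="GET", path="/invoices/42"))
```

The order matters: audience and expiry are checked before the route is even resolved, so a token stolen from one service cannot be replayed against another just because both happen to honour the same scope strings.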
Delegation, Impersonation, and “Acting As”
How to implement safe delegation and support impersonation without creating a permanent backdoor.
Decision Logging, Audit Trails, and Explainability
What to log, how to correlate decisions to requests, and how to make authorization explainable to humans and auditors.
Performance: Caching, Consistency, and Revocation
Design authorization to be fast and correct: caches, TTLs, invalidation, and dealing with eventual consistency.
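The cache-versus-revocation tension in a runnable form, added here as an illustration; it is not code from the article or from any authorization product. The `DecisionCache` class, its PDP callback and the sample data are constructed, and the design choice it demonstrates (cache allows only, invalidate per subject with an epoch counter, bound staleness with a TTL) is one common pattern, not the only one.

```python
"""
Authorization decision cache with TTL plus per-subject revocation epoch
(added illustration; the PDP callback and sample data are constructed).
"""
import time


class DecisionCache:
    """Caches *allow* decisions returned by a policy decision point (PDP).

    Denies are never cached, so a new grant takes effect on the next call.
    A cached allow lives until its TTL expires or the subject's revocation
    epoch is bumped; the TTL is therefore the worst-case staleness window for
    a revocation this node never heard about (e.g. a missed invalidation event).
    """

    def __init__(self, pdp, ttl_seconds=30.0, clock=time.monotonic):
        self._pdp = pdp          # callable(subject, action, resource) -> bool
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so tests can control time
        self._entries = {}       # (subject, action, resource) -> (expires_at, epoch_when_cached)
        self._epoch = {}         # subject -> revocation epoch
        self.pdp_calls = 0       # observability: how often we fell through to the PDP

    def revoke(self, subject):
        """Invalidate every cached allow for `subject` in O(1), without scanning entries."""
        self._epoch[subject] = self._epoch.get(subject, 0) + 1

    def check(self, subject, action, resource):
        key = (subject, action, resource)
        now = self._clock()
        epoch = self._epoch.get(subject, 0)
        hit = self._entries.get(key)
        if hit is not None:
            expires_at, cached_epoch = hit
            if now < expires_at and cached_epoch == epoch:
                return True
            del self._entries[key]   # expired or revoked: drop it and re-ask
        self.pdp_calls += 1
        allowed = bool(self._pdp(subject, action, resource))
        if allowed:
            self._entries[key] = (now + self._ttl, epoch)
        return allowed


if __name__ == "__main__":
    grants = {("user:bob", "read", "doc:1")}
    cache = DecisionCache(lambda s, a, r: (s, a, r) in grants, ttl_seconds=30)
    print(cache.check("user:bob", "read", "doc:1"), cache.pdp_calls)   # True 1
    print(cache.check("user:bob", "read", "doc:1"), cache.pdp_calls)   # True 1 (cache hit)
    grants.clear()
    print(cache.check("user:bob", "read", "doc:1"))                    # True: stale within TTL
    cache.revoke("user:bob")
    print(cache.check("user:bob", "read", "doc:1"), cache.pdp_calls)   # False 2
```

The epoch makes revocation cheap on the node that receives it; the TTL is the safety net for nodes that do not. Pick the TTL from the revocation latency you can tolerate, not from the hit rate you would like.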
Data-Layer Authorization: Row-Level Security and Query Constraints
How to enforce authorization closer to the database/query layer (RLS, predicates) without losing observability.
AI Agent Tool Authorization
How to authorize AI agents and tools: least privilege, approvals, tool-scoped tokens, and blast-radius control.