Overview
Authorization determines what an authenticated user is allowed to do. It is the process of granting or denying access to resources based on a set of policies, roles, or permissions.
Key Concepts
- Roles: Groups of permissions (e.g., admin, editor, viewer).
- Permissions: Fine-grained actions such as read, write, delete.
- Policies: Rules that combine roles and permissions to control access.
- Contextual Checks: Additional conditions such as time-of-day or source IP address that must hold for access to be granted.
Policy Example
{
  "allow": [
    {
      "role": "admin",
      "actions": ["*"]
    },
    {
      "role": "editor",
      "actions": ["read", "write"]
    },
    {
      "role": "viewer",
      "actions": ["read"]
    }
  ]
}
This JSON policy grants admins all actions ("*"), editors read and write, and viewers only read. Any action not listed for a user's role is denied.
API Reference
Typical endpoint for checking permissions:
POST /api/v1/authorize
Content-Type: application/json

{
  "userId": "12345",
  "resource": "/projects/42",
  "action": "delete"
}

Response:

{
  "authorized": false,
  "reason": "Insufficient permissions"
}
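The following added example (not code from the original page) evaluates the policy above and a contextual check against a request like the one sent to /api/v1/authorize. The user-to-role mapping, the "conditions" key on a rule, and the context fields "ip" and "time" are assumptions made for this example; the page's policy format has none of them.

```python
import ipaddress
from datetime import time

# Constructed policy: the page's three rules, plus an assumed "conditions"
# block on the editor role to show a contextual check (source CIDR and
# working hours). The "conditions" shape is not part of the page's format.
POLICY = {
    "allow": [
        {"role": "admin", "actions": ["*"]},
        {"role": "editor", "actions": ["read", "write"],
         "conditions": {"source_cidr": "10.0.0.0/8",
                        "hours": (time(8, 0), time(18, 0))}},
        {"role": "viewer", "actions": ["read"]},
    ]
}

# Constructed user-to-role mapping; a real service would look this up.
USER_ROLES = {"12345": ["viewer"], "67890": ["editor"], "1": ["admin"]}


def _conditions_hold(conditions, context):
    """Every contextual condition must pass; missing context means deny."""
    cidr = conditions.get("source_cidr")
    if cidr is not None:
        ip = context.get("ip")
        if ip is None or ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr):
            return False
    hours = conditions.get("hours")
    if hours is not None:
        now = context.get("time")
        if now is None or not (hours[0] <= now <= hours[1]):
            return False
    return True


def authorize(policy, user_roles, user_id, resource, action, context=None):
    """Return (authorized, reason) for a request; the default is deny.

    The page's policy is not scoped per resource, so `resource` is only
    echoed in the reason; a real policy would usually match on it too."""
    context = context or {}
    roles = set(user_roles.get(user_id, []))
    for rule in policy["allow"]:
        if rule["role"] not in roles:
            continue  # rule does not apply to this user's roles
        if "*" not in rule["actions"] and action not in rule["actions"]:
            continue  # role exists but does not permit this action
        if not _conditions_hold(rule.get("conditions", {}), context):
            continue  # role and action match, but the context check failed
        return True, "Allowed on %s by role '%s'" % (resource, rule["role"])
    return False, "Insufficient permissions"
```

The first call below reproduces the page's request (user 12345 asking to delete /projects/42) and yields the same denial as the sample response.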