There are dozens of implementations of authorization mechanisms. When the requirements dictated by business processes are complex, authorization mechanisms are often implemented incorrectly or, at least, not optimally. The reason for that, in my opinion, is the low attention both the customer and the developers pay to this aspect in the initial stages of the project and, at the same time, insufficient assessment of the impact of the necessary requirements.

What is Authorization?

From the point of view of any information system, authorization is the decision-making process that grants or denies a subject access to resources based on specific knowledge about that subject. By this point the subject should, as a rule, already have been identified (you know who they claim to be) and authenticated (that claimed identity has been verified).

Problems

Let’s see what types of authorization requirements exist, why it is extremely important to consider them from the start when designing a system, and why it is important not to postpone them. There are usually two sources of authorization requirements in a corporate information system: business requirements and security requirements.

A business owner wants to keep secrets and to grant users permissions in accordance with their function in the business process, while the security team wants to enforce least privilege for each user and to audit access.

Let’s take, for example, a hypothetical contract approval process at a large company. Business owners will probably have the following requirements for the authorization process:

  1. A user who is not related to a specific contract should not see it in the system.
  2. The author of the contract should see the contract at all stages.
  3. A user with a grade of at least 10 has the right to create a contract.
  4. The approving party must see the contract, starting with the receipt
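To make the list concrete, here is an added example (not code from the article) that encodes requirements 1 to 4 as a deny-by-default policy check and writes an audit record for every decision, which is the security requirement mentioned above. The `User`/`Contract` shapes, the `received_by` set standing in for "the approver has received the contract", and the rule labels are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    grade: int

@dataclass
class Contract:
    author: str
    stage: str                                     # assumed stage names: draft/approval/signed
    approvers: set = field(default_factory=set)    # users asked to approve the contract
    received_by: set = field(default_factory=set)  # approvers who have actually received it

AUDIT: list = []   # security requirement: every decision is recorded, allowed or not

def _record(user: User, action: str, contract: Optional[Contract], allowed: bool, rule: str) -> bool:
    AUDIT.append({"user": user.name, "action": action,
                  "author": contract.author if contract else None,
                  "allowed": allowed, "rule": rule})
    return allowed

def authorize(user: User, action: str, contract: Optional[Contract] = None) -> bool:
    """Deny by default; each branch corresponds to one business requirement."""
    if action == "create":
        # Requirement 3: only users with grade >= 10 may create a contract.
        return _record(user, action, contract, user.grade >= 10, "rule3_grade")
    if action == "read" and contract is not None:
        # Requirement 2: the author sees the contract at every stage.
        if user.name == contract.author:
            return _record(user, action, contract, True, "rule2_author")
        # Requirement 4: an approver sees it from the moment it is handed to them.
        if user.name in contract.approvers and user.name in contract.received_by:
            return _record(user, action, contract, True, "rule4_approver")
        # Requirement 1: anyone not related to the contract does not see it.
        return _record(user, action, contract, False, "rule1_unrelated")
    # Anything the rules do not cover is denied and still logged.
    return _record(user, action, contract, False, "no_matching_rule")

if __name__ == "__main__":
    # Constructed sample data: alice authors, carol approves, bob is unrelated.
    alice, bob, carol = User("alice", 12), User("bob", 8), User("carol", 11)
    c = Contract(author="alice", stage="approval", approvers={"carol"})
    print(authorize(bob, "create"), authorize(carol, "read", c))   # False False
    c.received_by.add("carol")
    print(authorize(carol, "read", c), authorize(bob, "read", c))  # True False
```

Note that the audit entries are written on denials too, so an access review can see who was refused and under which rule.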