Pushing Left, Like a Boss — Part 5.11 — Authorization (AuthZ)
Authorization (also known as ‘AuthZ’) is verifying that the user who is trying to perform an action within your application is allowed to do so (is authorized, or has permission, to use that functionality). For instance, is the user an admin user? If so, allow them to view the admin page. If not, block access.
There are several different models used within our industry for authorization, with RBAC (Role-Based Access Control) being the most popular. RBAC means assigning people different roles in your system(s), just like people play different roles within your organization, and giving them access based on the role they are assigned.
For instance, meet Angela, a hypothetical software developer who is new to my project team (pictured below).
As a software developer, Angela is going to need access to all sorts of things: source control, perhaps permission to publish to the CI/CD pipeline, and various file systems.
Now look at the second image to see our project team: Sarah, Angela and Jennifer. A project manager, software developer, and a database administrator (DBA). They all play different roles within the project and our organization, so they need different sets of permissions and access. Angela the software developer should not need Database Owner (DBO) permissions, but the DBA definitely will. The project manager is unlikely to need access to the web server.
This is where Role-Based Access Control (RBAC) is extremely helpful: the system administrator can easily assign the proper roles to each of our project members, to ensure they are only authorized to access the things they need to get their jobs done (least privilege).
When writing code for authorization within applications, use the features in your framework rather than rolling your own, and re-verify access on the server for every feature and/or page of your application, every time it is requested. Hiding a link or button in the UI is not an access control; the check belongs in the code that handles the request. Test your implementation thoroughly, with each role, for best results.
This is something that is often gotten wrong by software developers, and it can cause huge issues, so please take care to do thorough testing.
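To make the two pieces of advice above concrete, here is an added example (my own illustration, not code from this post or from any framework) of a deny-by-default RBAC check in plain Python: a role-to-permission table, a decorator that re-verifies the permission on every call to a handler, and a helper that exercises every handler with every role so the policy can be tested. The role and permission names (project_manager, developer, dba, admin, "db:owner", "pipeline:publish", and so on) are assumptions chosen to mirror the project team above; in a real application you would lean on your framework's authorization feature for the same shape.

```python
"""Minimal role-based access control (RBAC) with a deny-by-default policy.

Added example, not code from the original post. Role and permission names
are illustrative assumptions mirroring the project-team scenario (PM, dev, DBA).
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, FrozenSet, Set


class PermissionDenied(Exception):
    """Raised when a caller lacks the permission an action requires."""


# Each role is granted only the permissions its job needs (least privilege).
# Anything not listed here is denied. (Constructed sample policy.)
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "project_manager": frozenset({"tickets:read", "tickets:write", "reports:read"}),
    "developer": frozenset({"repo:read", "repo:write", "pipeline:publish", "tickets:read"}),
    "dba": frozenset({"db:owner", "repo:read", "tickets:read"}),
    "admin": frozenset({"admin:page", "users:manage"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


def permissions_for(user: User) -> Set[str]:
    """Union of permissions across the user's roles; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: True only if some role explicitly grants the permission."""
    return permission in permissions_for(user)


def require_permission(permission: str) -> Callable:
    """Decorator that re-verifies access on every call of a handler.

    Applied per feature/page, so the check runs even when the handler is
    reached by a path that skips the UI (a hidden link is not a control).
    """
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def guarded(user: User, *args, **kwargs):
            if not is_authorized(user, permission):
                raise PermissionDenied(
                    f"{user.name} lacks {permission!r} for {handler.__name__}")
            return handler(user, *args, **kwargs)
        return guarded
    return decorator


# --- Handlers: each declares the single permission it needs -----------------

@require_permission("admin:page")
def admin_page(user: User) -> str:
    return f"admin dashboard for {user.name}"


@require_permission("pipeline:publish")
def publish_build(user: User, build_id: str) -> str:
    return f"published {build_id}"


@require_permission("db:owner")
def alter_schema(user: User, statement: str) -> str:
    return f"ran as DBO: {statement}"


def check_role_matrix() -> Dict[str, Dict[str, bool]]:
    """Exercise every handler with every role (plus a user with no role).

    Returns {role: {handler: allowed}} so the observed policy can be
    asserted against the intended one in a test suite.
    """
    handlers = {
        "admin_page": lambda u: admin_page(u),
        "publish_build": lambda u: publish_build(u, "build-1"),
        "alter_schema": lambda u: alter_schema(u, "ALTER TABLE t ADD c INT"),
    }
    matrix: Dict[str, Dict[str, bool]] = {}
    for role in list(ROLE_PERMISSIONS) + ["no_role"]:
        user = User(name=role, roles=frozenset({role}))
        matrix[role] = {}
        for name, call in handlers.items():
            try:
                call(user)
                matrix[role][name] = True
            except PermissionDenied:
                matrix[role][name] = False
    return matrix


if __name__ == "__main__":
    for role, row in check_role_matrix().items():
        cells = "  ".join(f"{h}={'allow' if ok else 'deny'}" for h, ok in row.items())
        print(f"{role:16} {cells}")
```

Running the file prints one row per role; the developer can publish a build but cannot alter the schema, the DBA can alter the schema but cannot reach the admin page, and a user with no recognized role is denied everything. The important design choice is that the check lives on the handler, not on the menu that links to it, so a request that arrives without going through the UI is still denied.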
For a deeper dive into this topic, check out the OWASP Cheat Sheet on Authorization Testing Automation, by Dominique Righetto.
Up next in the ‘Pushing Left, Like a Boss’ series: Authentication (AuthN), Identity and Access Control.