CONCEPT Cited by 1 source
Externalised authorization
Definition
Authorization is externalised when the decision logic (who can do what under which conditions) lives outside application code — in a policy store, a policy engine, a service mesh authz filter, or an ingress-layer policy bundle — and is evaluated by a runtime that the application code does not host or ship.
Contrast class: embedded authorization (if user.role == "admin" { allow(); } sprinkled through application code).
Why the distinction
- Change velocity. Authorization rules change on a different cadence than application code (new roles, new compliance requirements, new tenants). Embedding couples the two.
- Auditability. A single place for all policy is trivially auditable; scattered ifs are not.
- Reasoning. Centralised policies in a constrained language can be analysed (redundancy, reachability, equivalence); ifs scattered across services cannot.
- Ownership separation. Infosec can own policy authorship independently of app teams owning feature code — see concepts/platform-team-vs-application-team-split.
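
The contrast above, as an added example (not code from this page or from any project it cites): a toy Python engine in which rules are data evaluated with default deny, followed by the kind of redundancy audit that scattered ifs do not permit. The rule schema, the `*` wildcard and all names are assumptions made for illustration.

```python
"""Toy externalised-authorization engine: rules are data, not application code."""
import json

# Constructed sample policy; in a real deployment this is loaded from a policy
# store or bundle, not defined next to the application (assumption).
POLICY_JSON = """
[
  {"id": "r1", "role": "admin",   "action": "*",    "resource": "*"},
  {"id": "r2", "role": "auditor", "action": "read", "resource": "invoices"},
  {"id": "r3", "role": "admin",   "action": "read", "resource": "invoices"}
]
"""
FIELDS = ("role", "action", "resource")


def load_policy(text):
    """Parse and validate rules; a malformed rule fails loading, never open."""
    rules = json.loads(text)
    for rule in rules:
        missing = [f for f in ("id", *FIELDS) if not isinstance(rule.get(f), str)]
        if missing:
            raise ValueError(f"rule {rule.get('id')!r} missing fields: {missing}")
    return rules


def covers(pattern, value):
    """A rule field matches on equality or on the '*' wildcard."""
    return pattern == "*" or pattern == value


def decide(rules, request):
    """Default deny: return (allowed, id of the first matching rule or None)."""
    if not all(isinstance(request.get(f), str) for f in FIELDS):
        return False, None  # incomplete request: deny, wildcards must not match it
    for rule in rules:
        if all(covers(rule[f], request[f]) for f in FIELDS):
            return True, rule["id"]
    return False, None


def redundant_rules(rules):
    """Audit pass: (rule id, covering rule id) for rules subsumed by another."""
    found = []
    for rule in rules:
        for other in rules:
            if other is not rule and all(covers(other[f], rule[f]) for f in FIELDS):
                found.append((rule["id"], other["id"]))
                break
    return found
```

Returning the matching rule id with each decision gives the audit trail a single place to point at; the redundancy pass flags r3 as already covered by r1.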
Common shapes
- Policy engine behind an authz filter: ingress / mesh proxy calls into OPA / Cedar / custom engine on each request. See patterns/embedded-opa-in-proxy and patterns/ingress-layer-authorization-offload.
- Admission-time policy check (non-request-path): validation webhooks / admission controllers gate provisioning rather than requests. See patterns/policy-gate-on-provisioning (OPA Gatekeeper deployment shape).
- Permissions DSL: dedicated rule language stored as data, evaluated at request time by an in-process or sidecar engine. See concepts/permissions-dsl.
Seen in
- sources/2024-12-05-zalando-open-policy-agent-in-skipper-ingress — Zalando externalises authorization to the ingress layer: applications register a bundle name; the Skipper filter chain evaluates Rego against each incoming request. Application code stays authorization-free. "This integration not only allows externalising authorization policies but also aligns with our goals of solving security concerns on the infrastructure with efficiency and developer experience in mind."
Related
- concepts/authorization-as-a-service — the platform-level packaging of externalised authz
- concepts/policy-as-data — the storage shape
- concepts/permissions-dsl — the language shape
- concepts/platform-team-vs-application-team-split — ownership axis
- systems/open-policy-agent — canonical externalised-authz engine
- patterns/ingress-layer-authorization-offload
- patterns/embedded-opa-in-proxy