Authorization

An access control mechanism that determines what a user can do after passing authentication. Answers the question "What is allowed?" — what resources and operations are available to a specific user.

After successful authentication, the server knows who the user is. Authorization determines what they are allowed to do: view, modify, delete, or create data. Authorization decisions are made based on roles, rights, or access policies.

Main Authorization Models

1. Role-Based Access Control (RBAC)

• Each user is assigned a role (admin, editor, user).

• Each role has a set of permissions.

• Verification is performed on the principle:

  "If the role contains the required right — access is granted."

• A simple and common model.

2. Attribute-Based Access Control (ABAC)

• The decision depends on attributes: user, resource, context (time, IP, device).
• A more flexible model, suitable for complex business logic.

3. Policy-Based Access Control (PBAC)

• Uses declarative policies (for example, in JSON format).

• The server checks rules like:

  "user.role === 'manager' && resource.ownerId === user.id".

• Popular in systems with microservice architecture.

Web-level Authorization

• On the client — hiding or blocking UI elements without sufficient rights.
• On the server — strict verification before performing any protected action.
• Verification is usually performed via middleware or a guard that analyzes:
  • JWT / Access Token (role, scope, permissions).
  • Session state.
  • Request parameters and resource.

Connection with Authentication

• Authentication: confirms user identity.

• Authorization: determines their access level.

  Both stages are performed sequentially — you cannot authorize an unauthenticated user.

Security and Best Practices

• Store access rights on the server, not on the client.
• Verify permissions on every request to a protected API.
• Use short access tokens and limited scopes.
• When roles change — invalidate tokens of the user.