Authorization Policy Enforcement Points

Cloudentity authorization policies can be assigned at different points of enforcement (client application, service (feature), and API) to granularly control access to resources.

Authorization Policy Enforcement Levels

Organizations may enforce access control at any level needed: organization, service (feature), and resource (API) to prepare the most secure perimeter around their platforms and data.

To make this possible, authorization policies (of different types) can be assigned to predefined policy execution points.

Enforcing Access Control at Organization Level

You can set up access control for your whole organization by applying authorization policies at a workspace level.

Enforcing Access Control at Feature Level

Feature access can be controlled by applying authorization policies at the service level. Such practices can be used, for example, to enforce subscriptions and give access to features only to organizations that have an active subscription.

Enforcing Access at Resource Level

To enforce access control at the resource level, authorization policies need to be applied at the API level. This way, you can, for example, decide that only an admin user can see another user’s phone number.
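The three levels described above, modelled as an added Python example (it is not Cloudentity's policy language or API): the request passes the workspace policy, then the service policy, then the API policy, and the first level that denies ends evaluation. The MFA rule at the workspace level, the fail-closed handling of an API with no policy, and all names and sample data are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample data; none of it comes from a real deployment.
ACTIVE_SUBSCRIPTIONS = {("acme", "directory")}  # (organization, service)
PROFILES = {"alice": {"name": "Alice", "phone": "+1-555-0100"},
            "bob": {"name": "Bob", "phone": "+1-555-0101"}}

@dataclass(frozen=True)
class Request:
    user: str
    org: str
    roles: frozenset
    mfa: bool
    service: str
    api: str
    target: str

def workspace_policy(req):
    # Organization level (assumed rule): every caller must have completed MFA.
    return req.mfa

def service_policy(req):
    # Feature level: the caller's organization needs an active subscription.
    return (req.org, req.service) in ACTIVE_SUBSCRIPTIONS

def api_policy(req, profile):
    # Resource level: only an admin sees another user's phone number.
    if req.user == req.target or "admin" in req.roles:
        return dict(profile)
    return {k: v for k, v in profile.items() if k != "phone"}

API_POLICIES = {"GET /users/{id}": api_policy}  # hypothetical API binding

def enforce(req):
    """Run the levels outermost first; return (allowed, deciding_level, body)."""
    if not workspace_policy(req):
        return False, "workspace", None
    if not service_policy(req):
        return False, "service", None
    handler = API_POLICIES.get(req.api)
    if handler is None or req.target not in PROFILES:
        return False, "api", None  # fail closed: no policy bound, or no resource
    return True, "api", handler(req, PROFILES[req.target])

if __name__ == "__main__":
    base = dict(org="acme", mfa=True, service="directory",
                api="GET /users/{id}", target="bob")
    print(enforce(Request(user="alice", roles=frozenset({"admin"}), **base)))
    print(enforce(Request(user="carol", roles=frozenset(), **base)))
```
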

Policy Execution Points

Cloudentity facilitates centralized management of policies, allowing organizations to assign them in a multi-dimensional manner for enhanced security.

Authorization policies can be assigned:

  • To client applications: This allows control over who can access your application, with the enforcement of Multi-Factor Authentication (MFA), permissions, and other security measures.

  • At the authorization server level: This level of assignment helps control which users or machines can obtain security tokens, and can block token issuance for suspicious requests.

  • To scopes: This enables control over who can grant and who can request a given scope of access. MFA can be enforced when granting consent to a particular scope.

  • At the API request level: This helps unify authorization for microservices within a Service Mesh and beyond, allowing the discovery and protection of APIs deployed behind a gateway. This level of policy assignment ensures a uniform authorization strategy across various services and API endpoints, enhancing the security posture.

Updated: Sep 28, 2023