Permissions Management: A Developers' Perspective on Authorization

Apr 15, 2024
Adam Rusbridge, Senior Product Manager, Ping Identity

Controlling access to resources and data is a critical priority for organizations. When developers are tasked with introducing a new application, one of the first considerations is the authorization model. How will we control access to features? Will there be limitations on who can perform actions? For too long, the answer has been to custom-build a homegrown solution for each application.

However, this approach means that developers are building an authorization solution from scratch time and time again. This is a hidden cost of application development: developer time is spent building an authorization framework rather than the features and functionality that drive business outcomes. Furthermore, homegrown authorization frameworks are often limited in the use cases they can solve.

Following the pattern of authentication, developers are now turning to IAM platforms to manage authorization controls. For simple needs, authorization may be managed with an application permissions model. As more sophisticated use cases and requirements emerge, this simple model is best extended with fine-grained policies to handle user segmentation and dynamic decision-making.

What is Permissions Management?

Permissions management refers to the practice of managing the actions that users can take on resources within an application. This safeguards against unauthorized access and enhances user experiences, ensuring that applications are both secure and personalized. By assigning permissions based on an employee's role, or by segmenting customers based on user type or subscription level, organizations can establish a robust and dynamic security framework that adapts to the evolving demands of their workforce and customers.

When Would Developers Use Permissions Management?

Modern web and mobile applications are built on top of APIs, and standard patterns for API application development have emerged. OAuth is used to control access to APIs, and industry-wide adoption of OAuth has greatly improved security. While OAuth is very explicit about how to manage user authentication and about the use of scopes to allow third-party clients to access resources, we also need a way of managing each user's underlying permissions on the resource server.

This is an important distinction: OAuth 2.0 scopes are not application permissions. Scopes allow a client application to access a resource on behalf of the user. A client app can have a scope to access an API, but the users of this client app will have different permissions to perform actions on these APIs based on their individual roles and responsibilities. In other words, even if a client application has been granted a given scope on a resource, it is only allowed to access that resource if the human user has the corresponding permission.

Permissions management is a complementary piece of the API Access Management story. We can use OAuth to handle authentication and allow clients to access resources, and a permissions model to manage which users can access those resources. Once an application has been configured to check a user's permissions, there is an ongoing need to manage the permissions for a given user. Each user identity will have some associated permissions, and it is natural to manage these permissions alongside identities in the IAM system.


Managing permissions with PingOne Authorize as a part of PingOne for Customers abstracts individual application permissions management into a single location, giving your administrators a centralized UI for holistically managing user permissions. 

Extending Permissions With Policy Based Access Control

Permissions tend to be declared up front at administration time. However, many use cases today require additional authorization controls at runtime, for example to assess real-time data that cannot be put inside access tokens.

The shift towards fine-grained authorization is reshaping the landscape. The PingOne Platform allows permissions to be extended with policy-based controls that use additional context such as risk signals, consents, or transactional data. This gives a multi-layered approach: access is fundamentally controlled by statically assigned permissions, with policy-based controls layered on top to further govern access. Centralizing both static permissions and dynamic policy in a single control plane means that if organizational governance controls detect an issue, there is a quick avenue to remediate and ensure that the principle of least privilege is upheld.
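As an added illustration (not Ping Identity's or PingOne Authorize's code) of the layering described above and of the scopes-versus-permissions distinction from the earlier section: a resource server checks the client's OAuth scope, then the user's role-derived permission, then a runtime policy over context the token cannot carry, such as a risk score. The role names, permission strings, users and policy thresholds are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed role -> permission assignments: the static layer an admin manages centrally.
ROLE_PERMISSIONS = {
    "viewer": {"invoices:read"},
    "accountant": {"invoices:read", "invoices:approve"},
}
# Constructed identities carry roles, never permissions directly.
USER_ROLES = {"alice": {"accountant"}, "bob": {"viewer"}}

@dataclass
class AccessToken:
    sub: str    # the human user the client acts on behalf of
    scope: str  # space-delimited OAuth scopes granted to the client

@dataclass
class Context:
    risk_score: int = 0   # hypothetical runtime risk signal, 0..100
    amount: float = 0.0   # transactional data attached to the request

def client_has_scope(token, required_scope):
    """Layer 1: was the client application granted the scope for this API?"""
    return required_scope in token.scope.split()

def user_permissions(sub):
    """Layer 2: permissions the user holds through their role assignments."""
    perms = set()
    for role in USER_ROLES.get(sub, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def policy_allows(permission, ctx):
    """Layer 3: dynamic policy over runtime context (thresholds are constructed)."""
    if ctx.risk_score >= 70:
        return False
    if permission == "invoices:approve" and ctx.amount > 10_000:
        return False
    return True

def authorize(token, required_scope, permission, ctx):
    """Every layer must pass; the first failing layer names the reason for denial."""
    if not client_has_scope(token, required_scope):
        return False, "client lacks scope"
    if permission not in user_permissions(token.sub):
        return False, "user lacks permission"
    if not policy_allows(permission, ctx):
        return False, "denied by policy"
    return True, "allowed"
```

Two users behind the same client and the same scope get different outcomes, which is the point the article makes: the scope is the client's grant, the permission is the user's.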

This is one of the many reasons why Ping Identity is recognized by KuppingerCole as an overall leader in Policy Based Access Management (PBAM).

Get your full KuppingerCole Policy Based Access Management report to find out how authorization protects consumer data, mitigates fraud, and enforces Zero Trust security.

How Does Managing Permissions Help My Business?

Externalizing application permissions satisfies access control requirements and enhances your security posture, minimizing the risk of data breaches, unauthorized use, and insider threats in four distinct ways.

1. Better Management of User Access Control

Permissions management helps manage user access control by providing a simple, clear administrative view for controlling and regulating access to resources, systems, and data. Crucially, it is about management: a centralized place to oversee permissions improves the lives of your IT support staff. Instead of receiving a constant influx of tickets from individual end users requesting access to a resource because permissions were configured wrong, you can centrally change the set of permissions for a given role. Alternatively, if there is access creep, you can reconfigure permission assignments to ensure that the right people are accessing the right resources.


2. Data Protection, Regulatory Compliance and Security

In the face of stringent regulations such as GDPR, CCPA, and HIPAA, meticulous management of access rights has become imperative. Organizations are reviewing their access controls to safeguard sensitive information and avoid substantial fines. Effective permissions management is a foundational step towards data protection and regulatory compliance. It provides controls to ensure that only authorized users have access to sensitive data, applications, and systems. By enforcing access controls based on user identities, roles, and privileges, organizations can prevent unauthorized individuals from viewing, modifying, or deleting sensitive information.


3. Personalized User Experience

Managing permissions allows your team to tailor specific experiences based on user preferences, permissions, or other attributes. This means your end users are getting an experience consistent with their expectations and one that is in line with your own business goals.


4. Scalability and Flexibility

The number of applications your business utilizes today is highly likely to grow and keep growing. Better managing permissions, especially for custom applications, means that you don’t have to create unique roles to troubleshoot niche user types or rely on unnecessary one-off roles for specific users.

Leverage Permissions Management with Ping Identity

Permissions management is not just a security measure; it is a strategic enabler for enterprises. It plays a crucial role in user access control, data protection, regulatory compliance, and personalized user experiences.

By externalizing application permissions and organizing permission sets into roles, enterprises can enhance their security posture and foster business agility. This model allows for the centralized management of user permissions, offering a more streamlined and efficient approach to handling access controls.

The Ping Identity Platform now supports application permissions, available in PingOne Authorize, giving administrators the ability to centrally assign permissions to roles, modify those permissions as needed, and then extend those permission controls with fine-grained access policies. With permissions management, PingOne Authorize improves data security while providing the scalability required to support growing user bases and evolving access requirements for the modern enterprise.

