Why you need to think about both your security and users when implementing authorization

Having worked at an enterprise company the size of Microsoft, and a myriad of B2B SaaS startups, one of the key components I found myself designing and implementing every time was a customizable and performant authorization system. Whilst the authentication layer and your IdP are the primary places you begin tackling application permissions, it can very quickly evolve into a more fundamental concern across the application in the form of fine-grained permissions - beyond what an IdP can manage.

Authorization is essential not just for the obvious task of protecting sensitive data, but also for tailoring permissions to suit both your internal team and the broader user base. Given the complexities of global markets and regulatory rules like GDPR and CCPA, a flexible authorization framework serves both as a defense mechanism and a strategic tool. It shapes the user experience while making sure your app is compliant.

How can you balance security and user experience in an authorization system?

A real-world example of when having fine-grained authorization became critical, is whilst working on a B2B SaaS product. Initially, we had just a few roles that allowed customers to set up their users as admins, managers, or viewers - with varying levels of permissions. Business was going well and we were lucky to have won two enterprise customers - one big box retailer in the US and a global airline in the Middle East. Onboarding these users became a challenge as there was no way we could shoehorn 1000+ users into those 3 roles in a way that would keep the security teams of the customers happy.

Each department and region of the world needed its own set of permissions - effectively echo-ing how the business was set up. Having a flexible authorization system that allows for bespoke configuration per customer, whilst still being centrally managed, monitored, and administered becomes one of our competitive advantages - and lets us balance the permissions requirements of the customer with our application security model.

Setting up a centralized authorization service is a good exercise in compartmentalization and sane microservices architecture design, it also has the added advantage of being a central place to capture what is happening inside your application. A well-implemented authorization system provides comprehensive audit logs for breach analysis and preventive measures as every permission check is captured - regardless of where in the stack it is being made from.

Many businesses, especially those early in their maturity curve, may not have a full understanding of their current or future authorization requirements. They might initially opt for simple rule sets, only to find these inadequate as their user base grows and diversifies. Hence, it’s crucial to have a forward-thinking approach, anticipating future needs based on the company's trajectory and potential regulatory requirements.

The role of trust in customer experience

Sometimes, it’s not a trade-off between security and the user journey. In my experience, security measures impact customer trust, which translates to business success. Although security might not be the top feature customers seek when evaluating services or applications, demonstrating that your solution can handle complex requirements, especially in user permissions, is crucial for winning deals and ensuring success. Strong security measures, including robust authorization systems and single sign-on capabilities, are vital. The ability to enforce data locality rules based on user or business location is also important, often being a critical part of an RFP checklist.

The security tech stack

Building a tech stack requires understanding the roles of authentication, authorization, and identity providers. Using proven solutions like Okta, Microsoft Entra ID, or AWS Cognito for authentication is advisable. These tools efficiently handle a critical component of authorization. Role management and the persistence of directory-type information, such as ownership and role assignments, are another vital component of the security stack, managed by solutions like Azure AD, Cognito Groups or traditional tools like Active Directory and LDAP servers.

Once identity and authentication are established, focus on authorization. Select an authorization solution that leverages the context provided by the authentication and identity layers for informed decisions. Effective stacks typically consist of an authentication provider, a directory system, a separate authorization component, and then an observability solution that can ingest the audit logs.

Architecting these as distinct components in your tech stack offers greater flexibility, scalability, and the ability to evolve over time. This modular approach also benefits the user experience, allowing more effective permission management by users.

The case for KPIs

In my roles as a tech lead, KPIs and key metrics have always played a part in measuring the impact of authorization systems on user experience and security. The typical MTTD, MTTI, and MTTR metrics are useful for any application, but when it comes down to authorization considerations, here are a few specific ones to consider:

• Audit log accessibility and clarity - Checks how easily audit logs can be accessed and understood, which is essential for effective authorization systems.
• Support ticket volume related to permissions - Tracks support tickets for access control issues, indicating user experience with the system.
• Self-service accessibility - Measures the ability of users to manage their permissions independently, aiming to enhance experience and reduce support load.

These provide a holistic view of an authorization system's balance between security and user experience, giving you actionable feedback to fine-tune the model and tweak that tech stack.

Offering personalized authorization without sacrificing security

Personalization in authorization should not compromise security. When users request custom permissions or roles, it's essential to ensure these align with fundamental security principles. A hybrid approach often works best, where ground truth rules are always in place, and a limited level of customization is allowed within a strict framework.

Using static authorization logic with dynamic user attributes and roles ensures consistent, testable policies. For example, roles with specific attributes can grant additional system features. This model balances personalization with control, maintaining the fundamental authorization logic unchanged while offering users a tailored experience.

Authorization is constantly changing - I’ve seen a shift towards front-end integration to boost efficiency and user experience. This involves embedding policy decision points in the client-side, while maintaining server-side checks for solid security. This approach not only improves scalability but also enhances the overall user experience, marking a shift towards a more distributed authorization method. Yet, the core objectives of authorization remain constant: aligning with your business goals. Embedding policy decision points on the client side, complemented by server-side checks, not only improves scalability but also enhances the overall user experience.

Crafting a robust authorization system that respects both the user journey and the demands of cybersecurity shouldn’t be an afterthought when architecting a system - but a core component alongside the likes of the chosen authentication system. As outlined above, a finely-tuned authorization framework can be a strategic asset, enhancing user trust, and allowing you to win and retain enterprise customers, all whilst maintaining compliance with ever-evolving global data security laws.

Conclusion

The key takeaway? Authorization systems must evolve to accommodate the dynamic needs of businesses and their users. Integrating self-service management, adopting a modular tech stack, and adhering to a hybrid approach for personalized permissions are important steps. Employ KPIs to offer a quantitative lens to balance and refine these systems.

Remember that your authorization system is a cornerstone of your business strategy. It's not about choosing between security and user experience; it's about aligning them. So, think strategically, embrace flexibility, and always anticipate future needs. This balance will safeguard your enterprise, and enhance the journey for every user who interacts with your product.