Authorization
What is Authorization?
Authorization: The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
Authorization (AuthZ) follows authentication: once a user, service or device has proved who it is, the system must decide whether that identity can perform a requested action on a specific resource. Decisions can be based on roles (RBAC), attributes and policies (ABAC), classifications (MAC) or owner discretion (DAC), and are typically enforced by a policy decision point that evaluates subject, resource, action and environment, with a policy enforcement point gating the request. Modern stacks externalize policy with standards like OAuth 2.0 scopes (RFC 6749), OpenID Connect claims, XACML, or Rego/Open Policy Agent, keeping rules out of application code.
Authorization is the single most failure-prone control on the web. OWASP ranked Broken Access Control A01, the #1 risk, in its 2021 Top 10 (where it was found in 94% of tested applications), a position it retains in the 2025 release. The classic flaw is IDOR (Insecure Direct Object Reference): changing a numeric id in a URL or API call to read another tenant's data. In 2022 the Optus breach in Australia exposed records of roughly 10 million customers through an unauthenticated, enumerable API endpoint, and Instagram's 2019 IDOR exposed private posts and stories.
A subtler class is the confused deputy, where a more-privileged component is tricked into misusing its authority on an attacker's behalf — the conceptual root of CSRF and SSRF. Defences: deny by default, enforce authorization server-side on every request (never trust the client), check object ownership not just authentication, prefer unguessable identifiers, log access decisions, and continuously test for horizontal and vertical privilege escalation.
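The IDOR pattern and the defences listed above, as an added Python illustration (not the page's code, and not taken from any of the incidents it names): a lookup that checks only authentication is placed beside one that denies by default, checks object ownership or a tenant-scoped role on the server, records every decision in an audit log, and generates unguessable identifiers. The users, tickets and ids are constructed sample data.

```python
"""Vulnerable vs. hardened object lookup (added example, constructed data)."""
import logging
import secrets

audit = logging.getLogger("audit")
AUDIT_LOG: list[str] = []   # every decision is kept here as well as logged

# Constructed sample data: sequential ids make tickets trivially enumerable.
TICKETS = {
    1001: {"owner": "alice", "tenant": "acme",   "body": "VPN drops hourly"},
    1002: {"owner": "bob",   "tenant": "globex", "body": "invoice total is wrong"},
}
USERS = {
    "alice": {"tenant": "acme",   "roles": {"customer"}},
    "bob":   {"tenant": "globex", "roles": {"customer"}},
    "sam":   {"tenant": "acme",   "roles": {"support_agent"}},
}


class Forbidden(Exception):
    """Raised by the hardened lookup; the web layer maps it to HTTP 403."""


def get_ticket_vulnerable(session_user: str, ticket_id: int) -> dict:
    """IDOR: authentication is checked, authorization is not.

    Any logged-in user who edits ticket_id in the request reads another
    tenant's ticket, because the owner is never compared to the caller.
    """
    if session_user not in USERS:
        raise PermissionError("not authenticated")
    return TICKETS[ticket_id]


def get_ticket_hardened(session_user: str, ticket_id: int) -> dict:
    """Deny by default: permit only an explicit ownership or role match."""
    user = USERS.get(session_user)
    if user is None:
        raise PermissionError("not authenticated")
    ticket = TICKETS.get(ticket_id)
    allowed = False
    if ticket is not None:
        is_owner = ticket["owner"] == session_user
        is_agent_same_tenant = (
            "support_agent" in user["roles"] and ticket["tenant"] == user["tenant"]
        )
        allowed = is_owner or is_agent_same_tenant
    entry = f"{'PERMIT' if allowed else 'DENY'} user={session_user} action=read ticket={ticket_id}"
    AUDIT_LOG.append(entry)
    audit.info(entry)
    if not allowed:
        # One response for "not yours" and "does not exist", so error
        # differences cannot be used to enumerate valid ids.
        raise Forbidden("access denied")
    return ticket


def new_ticket_id() -> str:
    """Unguessable identifier (128 bits of randomness) instead of a counter."""
    return secrets.token_urlsafe(16)


def outcome(lookup, session_user: str, ticket_id: int) -> int:
    """Map a lookup to the HTTP status the web layer would send."""
    try:
        lookup(session_user, ticket_id)
        return 200
    except Forbidden:
        return 403
    except PermissionError:
        return 401


if __name__ == "__main__":
    # bob is authenticated, but ticket 1001 belongs to alice
    print("vulnerable:", outcome(get_ticket_vulnerable, "bob", 1001))  # 200: IDOR
    print("hardened:  ", outcome(get_ticket_hardened, "bob", 1001))   # 403
```

The hardened lookup treats a missing ticket and someone else's ticket identically, and a support agent is permitted only within their own tenant; both checks happen on the server, with nothing inferred from the client.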
```mermaid
flowchart LR
    U[Authenticated request] --> PEP[Policy Enforcement Point]
    PEP --> PDP[Policy Decision Point]
    CTX[Subject / resource / action / environment] --> PDP
    POL[(Policy: RBAC / ABAC / Rego)] --> PDP
    PDP -->|Permit| R[Access resource]
    PDP -->|Deny| X[403 Forbidden + audit log]
```
● Examples
1. Granting a support agent read-only access to customer tickets but not to billing data.
2. OAuth 2.0 access tokens issued with limited scopes such as "orders:read".
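The policy decision point and enforcement point from the definition and diagram, together with both examples above, as one added Python sketch (not the page's code and not a real policy engine such as OPA): the PDP evaluates subject, resource, action and environment against RBAC rows with ABAC conditions, requires the access token to carry a matching OAuth 2.0 scope, and denies anything not explicitly permitted; the PEP gates a handler, returns 403 on deny and records every decision. Roles, scope names, resource kinds and records are constructed for the example.

```python
"""Minimal PDP/PEP (added example; constructed roles, scopes and records)."""
from dataclasses import dataclass, field
from typing import Callable

DECISION_LOG: list[str] = []  # audit trail of every decision the PEP made


@dataclass
class Subject:
    user_id: str
    tenant: str
    roles: set[str]
    scopes: set[str]          # OAuth 2.0 scopes carried by the access token


@dataclass
class Resource:
    kind: str                 # "tickets", "billing" or "orders" (constructed)
    tenant: str
    owner: str


@dataclass
class Context:
    subject: Subject
    resource: Resource
    action: str               # "read" or "write"
    environment: dict = field(default_factory=dict)  # e.g. {"mfa": True}


Condition = Callable[[Context], bool]


@dataclass
class Rule:
    role: str
    kind: str
    actions: set[str]
    condition: Condition = lambda ctx: True


# Policy (constructed): RBAC rows plus ABAC conditions. Anything unlisted is denied.
POLICY = [
    # Support agents read tickets of their own tenant, and never billing data.
    Rule("support_agent", "tickets", {"read"},
         condition=lambda c: c.resource.tenant == c.subject.tenant),
    # Customers read and write only the orders and tickets they own.
    Rule("customer", "orders", {"read", "write"},
         condition=lambda c: c.resource.owner == c.subject.user_id),
    Rule("customer", "tickets", {"read", "write"},
         condition=lambda c: c.resource.owner == c.subject.user_id),
    # Billing changes need a billing admin whose request environment shows MFA.
    Rule("billing_admin", "billing", {"read", "write"},
         condition=lambda c: c.environment.get("mfa") is True),
]


def decide(ctx: Context) -> bool:
    """PDP: permit only if the token scope covers the request AND a rule matches."""
    required_scope = f"{ctx.resource.kind}:{ctx.action}"   # e.g. "orders:read"
    if required_scope not in ctx.subject.scopes:
        return False          # the token was issued for less than this request
    return any(
        rule.role in ctx.subject.roles
        and rule.kind == ctx.resource.kind
        and ctx.action in rule.actions
        and rule.condition(ctx)
        for rule in POLICY
    )


def enforce(ctx: Context, handler: Callable[[], object]) -> tuple[int, object]:
    """PEP: gate the handler, return (status, body), log every decision."""
    permitted = decide(ctx)
    DECISION_LOG.append(
        f"{'PERMIT' if permitted else 'DENY'} user={ctx.subject.user_id} "
        f"action={ctx.action} resource={ctx.resource.kind} owner={ctx.resource.owner}"
    )
    if not permitted:
        return 403, {"error": "forbidden"}
    return 200, handler()


if __name__ == "__main__":
    sam = Subject("sam", "acme", {"support_agent"}, {"tickets:read", "billing:read"})
    ticket = Resource("tickets", "acme", "alice")
    billing = Resource("billing", "acme", "acme")
    print(enforce(Context(sam, ticket, "read"), lambda: {"id": 1001}))   # (200, ...)
    print(enforce(Context(sam, billing, "read"), lambda: {"total": 0}))  # (403, ...)
```

Note that scope and role are separate gates: a token scoped "orders:read" cannot write an order even when the customer role would allow it, and a support agent holding "billing:read" is still refused because no rule grants that role access to billing data.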
● Frequently asked questions
What is Authorization?
The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted. It belongs to the Identity & Access category of cybersecurity.
What does Authorization mean?
The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
How do you defend against broken authorization?
Deny by default; enforce authorization server-side on every request and never trust the client; check object ownership, not just authentication; prefer unguessable identifiers; log access decisions; and continuously test for horizontal and vertical privilege escalation, as detailed in the full definition above.
What are other names for Authorization?
Common alternative names include: AuthZ, Access control.