Authorization 101: What I Learned from Oso’s “What is Authorization?” Guide



This content originally appeared on DEV Community and was authored by Meghan Gill

I recently had the opportunity to review and make some updates to the foundational chapter of Authorization Academy, Oso’s series of technical guides, entitled What is Authorization? Here’s a brief overview of the key takeaways from this guide.

1. Authorization: Who can do what to what?

At its core, authorization defines permissions—determining what actions a user or agent may perform on particular resources in your application.

2. Authentication vs. Authorization

These are often bundled under “auth,” but they serve distinct roles:

  • Authentication confirms identity. Using a physical world analogy, authentication is like getting into the front door of a house.
  • Authorization decides what you can do once you have been authenticated. Continuing on the analogy above, it determines which rooms in the house you can access once you’re in the front door.

3. Multiple Enforcement Layers

Authorization checks can occur at various points:

  • Initial connection or request middleware
  • Web server or router level
  • Business logic layer within the application
  • Database or data-access layer itself

The Authorization Academy chapter details each of these approaches.

4. How to think about the authorization model

In exploring the different enforcement layers, we use the following framework:

  • Actor – Who is making the request
  • Actions – What are they trying to do
  • Resources – What are they doing it to

Later chapters explore common access patterns such as role-based access control (RBAC) and relationship-based access control (ReBAC).

5. Authorization’s Three Pillars

A robust permissions system separates:

  • Data: the resource being accessed
  • Logic: the rules defining permissions
  • Enforcement: where decisions are applied

Permission decisions can be implemented in-app, via centralized services, or using a hybrid architecture.

6. Architecture

Authorization tends to be invisible to end-users but is foundational for secure applications. Recognizing common authorization patterns—such as centralizing enforcement or maintaining policy separation—makes the logic easier to manage and reason about.
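To make the actor / action / resource framing and the data / logic / enforcement split concrete, here is a small sketch I added for this post (it is not code from the Oso guide). The User and Document types, the "admin" role, the owner and shared_with relationships and the sample documents are all constructed for the example.

```python
"""Added example: keep authorization data, logic and enforcement separate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:                                  # the actor
    name: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:                              # the resource (data pillar)
    doc_id: int
    owner: str                               # relationship used by the rules
    shared_with: frozenset = frozenset()


# --- Logic pillar: a pure function of (actor, action, resource) ------------
def is_allowed(actor: User, action: str, resource: Document) -> bool:
    if "admin" in actor.roles:               # RBAC: a global role grants everything
        return True
    if actor.name == resource.owner:         # ReBAC: the owner relationship
        return action in {"read", "edit", "delete"}
    if actor.name in resource.shared_with:   # ReBAC: shared users may only read
        return action == "read"
    return False                             # deny by default


# --- Enforcement pillar: called by the application before doing the work ---
class Forbidden(Exception):
    pass


def authorize(actor: User, action: str, resource: Document) -> None:
    if not is_allowed(actor, action, resource):
        raise Forbidden(f"{actor.name} may not {action} document {resource.doc_id}")


# Constructed sample data standing in for a database table.
DOCS = {1: Document(1, "alice", frozenset({"bob"})), 2: Document(2, "carol")}


def edit_document(actor: User, doc_id: int, new_text: str) -> str:
    doc = DOCS[doc_id]
    authorize(actor, "edit", doc)            # enforcement in the business-logic layer
    return f"doc {doc_id} edited by {actor.name}"


def list_readable(actor: User) -> list:
    # Enforcement in the data-access layer: filter rather than raise.
    return [d.doc_id for d in DOCS.values() if is_allowed(actor, "read", d)]
```

Because the rules live in one function, moving enforcement between layers (or into a central service) does not require rewriting the policy itself.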

I’m looking forward to working on updating the next chapter, and plan to summarize it here!

