Authorization

Descope lets you configure authorization in your application, with support for role-based (RBAC), relationship-based (ReBAC), and attribute-based (ABAC) access control. The sections below explain how each model works and when to choose it.

Choosing the Right Access Control Model

Deciding whether to implement RBAC, ReBAC, or ABAC depends on the specific needs of your application. Below are some considerations to help you decide which model fits best.

When to Choose RBAC

  • Simplicity and Scalability: If your application requires a straightforward permission model with clearly defined roles that can scale with your organization, RBAC is ideal.
  • Ease of Management: RBAC's role-centric approach makes it easier to manage permissions as you can assign and change roles without modifying individual permissions.

When to Choose ReBAC

  • Complex Relationships: When your application's access control needs to reflect complex relationships between users and resources, ReBAC offers the flexibility you require.
  • Dynamic Permissions: If permissions need to change frequently based on context or user relationships, ReBAC can dynamically adjust access rights accordingly.
  • Fine-grained Access Control: For applications that need to control access at a more granular level than roles, ReBAC provides the ability to define precise access control policies.

When to Choose ABAC

  • Contextual Access Control: ABAC is ideal when you need to incorporate a wide range of attributes, such as user characteristics, resource types, and environmental context (e.g., time of access), to make authorization decisions.
  • Flexibility and Granularity: ABAC allows for highly granular and flexible access control policies by considering multiple attributes in combination, making it suitable for complex scenarios where access rules need to be finely tuned.
  • Policy-Driven Management: If your application requires the ability to define detailed access control policies that go beyond roles or relationships, ABAC enables you to set rules based on any combination of user, resource, and environmental attributes.

Authorization Types in Descope

The following sections describe each of the authorization types supported in Descope.

Role-Based Access Control

Role-Based Access Control is a common authorization model. In RBAC, you create roles that encapsulate a certain set of permissions. These roles represent the different levels of access within your application. Once roles are defined, you can assign them to users. This model simplifies permission management by allowing you to control access based on roles rather than individual permissions.

RBAC with Permissions Checks

Rather than assigning multiple roles to a user, you can assign permissions directly. This method involves defining permissions such as "documents:read" or "documents:write". When a user attempts to perform an action, the system checks their assigned permissions to determine if the action is authorized.

Relationship-Based Access Control

Relationship-Based Access Control introduces a dynamic approach to authorization. Unlike RBAC, which is role-centric, ReBAC is relationship-centric. It allows you to define permissions based on the relationship between the user and specific resources or other users within the system. This model is particularly useful when you need to grant access to resources based on more complex conditions than roles allow.

Attribute-Based Access Control

Attribute-Based Access Control allows for a more nuanced approach to authorization by evaluating multiple attributes of the user, resource, and environment. ABAC policies can include conditions like "only allow access if the user is in the same department as the resource owner" or "grant access if the user's clearance level meets or exceeds the resource's classification level."

ABAC with Policy Evaluation

ABAC systems evaluate access requests against defined policies that include various attributes. For example, a policy might state, "Allow access to sensitive data if the user is in the 'Manager' role and the request is made during business hours." This flexibility makes ABAC suitable for environments where access decisions need to consider multiple, often dynamic, factors.
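To make the policy examples above concrete, here is a small evaluator, added as an illustration and not part of Descope's documentation or SDK, that implements the RBAC permission check ("documents:read"/"documents:write") and the three ABAC conditions quoted on this page: same department as the resource owner, clearance meeting the classification level, and sensitive data only for the 'Manager' role during business hours. The `User`, `Resource` and `ROLE_PERMISSIONS` shapes and the business-hours window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

# Constructed sample role -> permission mapping; Descope's own data model is not reproduced here.
ROLE_PERMISSIONS = {
    "Manager": {"documents:read", "documents:write"},
    "Viewer": {"documents:read"},
}

@dataclass(frozen=True)
class User:
    roles: FrozenSet[str]
    department: str
    clearance: int          # higher value = higher clearance

@dataclass(frozen=True)
class Resource:
    owner_department: str
    classification: int     # higher value = more restricted
    sensitive: bool = False

def has_permission(user: User, permission: str) -> bool:
    """RBAC with permission checks: granted if any assigned role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in user.roles)

def during_business_hours(now: datetime) -> bool:
    """Environmental attribute: Monday-Friday, 09:00-17:00 (assumed window, in `now`'s zone)."""
    return now.weekday() < 5 and 9 <= now.hour < 17

def evaluate_abac(user: User, resource: Resource, now: datetime) -> Optional[str]:
    """Evaluate the page's example ABAC policies against user, resource and environment.

    All rules must pass (default deny). Returns None when access is allowed, otherwise
    the name of the first failing rule so the denial reason can be logged for audit.
    """
    if user.department != resource.owner_department:
        return "same-department"
    if user.clearance < resource.classification:
        return "clearance-level"
    if resource.sensitive and not ("Manager" in user.roles and during_business_hours(now)):
        return "sensitive-business-hours"
    return None
```

Returning the failing rule name rather than a bare boolean keeps each denial attributable in logs, which matters when several attribute-based conditions combine.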
