infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-object-level-authorization-check.md
# Pattern: Object-Level Authorization Check
Status: draft
Readiness target: RL3 production
Primary owners: flex-auth, product repos, NetKingdom
## Problem
APIs often authenticate callers correctly while still allowing access to
objects, records, files, or tenant resources outside the caller's scope.
## Context
Use this pattern for product APIs, admin APIs, object storage brokers,
artifact-store, tenant data, background jobs, and any endpoint that
accepts resource identifiers.
## Forces
- Object ownership and scope are application-specific.
- Authorization must happen before data is returned or mutated.
- Tenant context must be trusted, not copied from user input.
- Bulk, search, and background operations need the same checks.
## Solution
Require every object access path to ask an authorization boundary with
trusted actor, tenant, resource, action, and context before reading,
writing, deleting, exporting, or sharing an object.
## Implementation Sketch
1. Define resource types and action vocabulary.
2. Derive actor and tenant from trusted identity/session evidence.
3. Resolve object ownership or scope before access.
4. Ask flex-auth or local policy adapter for a decision.
5. Enforce allow/deny before data access.
6. Log object-level decisions with correlation ids.
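The six steps above, carried through end to end as an added example (not code from this page, from flex-auth, or from any product repo). It assumes a hypothetical in-memory session store and object store, a hypothetical `local_policy` adapter standing in for a flex-auth call, and a tiny `http_get_document` handler that enforces the decision before touching data and answers every deny path with the same stable 404:

```python
"""Object-level authorization boundary following the pattern's six steps (example only)."""
from dataclasses import dataclass
from enum import Enum
import uuid


# Step 1: resource types and action vocabulary (constructed names).
class Action(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    EXPORT = "export"
    SHARE = "share"


RESOURCE_TYPES = {"document", "artifact"}


@dataclass(frozen=True)
class Actor:
    user_id: str
    tenant_id: str          # derived from the session, never from request input
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    type: str
    id: str
    owner_id: str
    tenant_id: str


class Denied(Exception):
    """Raised for every deny reason; the HTTP layer maps it to one stable response."""


# Constructed session store: opaque session token -> verified identity evidence.
SESSIONS = {
    "sess-alice": Actor("alice", "tenant-a", frozenset({"member"})),
    "sess-bob": Actor("bob", "tenant-b", frozenset({"admin"})),
}

# Constructed object store keyed by (type, id).
OBJECTS = {
    ("document", "d1"): Resource("document", "d1", "alice", "tenant-a"),
    ("document", "d2"): Resource("document", "d2", "carol", "tenant-a"),
    ("document", "d3"): Resource("document", "d3", "bob", "tenant-b"),
}

DECISION_LOG = []  # step 6: one record per object-level decision, with correlation id


def actor_from_session(token):
    """Step 2: actor and tenant come from trusted session evidence only."""
    actor = SESSIONS.get(token)
    if actor is None:
        raise Denied("no valid session")  # authentication failure, before any decision
    return actor


def resolve_resource(rtype, rid):
    """Step 3: resolve ownership and tenant scope before any access decision."""
    if rtype not in RESOURCE_TYPES:
        raise Denied("unknown resource type")
    return OBJECTS.get((rtype, rid))


def local_policy(actor, resource, action):
    """Step 4: hypothetical local policy adapter standing in for flex-auth.

    Policy: same tenant is mandatory; the owner may perform any action;
    a tenant admin may read and export; everything else is denied.
    """
    if resource.tenant_id != actor.tenant_id:
        return False
    if resource.owner_id == actor.user_id:
        return True
    return "admin" in actor.roles and action in (Action.READ, Action.EXPORT)


def authorize(token, rtype, rid, action, correlation_id=None):
    """Steps 2-6: returns the resource on allow, raises Denied otherwise.

    A missing object and a forbidden object take the same path and raise the
    same exception, so the caller cannot infer whether the object exists.
    """
    correlation_id = correlation_id or str(uuid.uuid4())
    actor = actor_from_session(token)
    resource = resolve_resource(rtype, rid)
    allowed = resource is not None and local_policy(actor, resource, action)
    DECISION_LOG.append({
        "correlation_id": correlation_id,
        "actor": actor.user_id,
        "tenant": actor.tenant_id,
        "resource": f"{rtype}:{rid}",
        "action": action.value,
        "decision": "allow" if allowed else "deny",
    })
    if not allowed:
        raise Denied("not found")  # identical message whether missing or forbidden
    return resource


def http_get_document(token, rid, correlation_id=None):
    """Step 5: the decision is enforced before data is read; every deny is a stable 404."""
    try:
        doc = authorize(token, "document", rid, Action.READ, correlation_id)
    except Denied:
        return 404, {"error": "not found"}
    return 200, {"id": doc.id, "owner": doc.owner_id}
```

The design choice worth noticing is that `authorize` takes the session token, not a tenant or user id supplied by the client, and that the "not found" and "forbidden" cases are collapsed before the response is built rather than distinguished and then masked later.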
## Failure Modes
| Failure | Mitigation |
| --- | --- |
| Endpoint checks role but not object ownership | add object-level conformance tests |
| Search/list endpoints bypass item checks | enforce tenant/resource filters in query layer |
| Background jobs run with global authority | carry tenant and actor context in job envelopes |
| Deny reason leaks object existence | use stable, non-revealing deny responses |
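Two rows of this table, the list/search bypass and the background job running with global authority, shown side by side with their mitigations as an added example (not code from this page or from any project it names). It assumes a constructed in-memory table with rows from two tenants, a hypothetical `Ctx` carrying actor and tenant, and a hypothetical job envelope format:

```python
"""Tenant-scoped search and authorization context in job envelopes (example only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ctx:
    actor_id: str
    tenant_id: str  # populated from trusted session evidence by the caller


@dataclass(frozen=True)
class Obj:
    id: str
    tenant_id: str
    owner_id: str
    name: str


# Constructed table: two tenants share a search term.
ROWS = [
    Obj("o1", "tenant-a", "alice", "q3 report"),
    Obj("o2", "tenant-a", "carol", "q3 budget"),
    Obj("o3", "tenant-b", "bob", "q3 report"),
]


def search_unscoped(term):
    """Failure mode: the endpoint checks the caller's role elsewhere but the
    query itself has no tenant predicate, so a term matches across tenants."""
    return [r for r in ROWS if term in r.name]


def search_scoped(ctx, term):
    """Mitigation: the tenant predicate is part of the query, so out-of-scope
    rows are never materialised and cannot leak through paging or counts."""
    return [r for r in ROWS if r.tenant_id == ctx.tenant_id and term in r.name]


def enqueue(job_type, object_id, ctx):
    """Mitigation: the envelope carries actor and tenant alongside the work item
    (hypothetical envelope shape)."""
    return {
        "type": job_type,
        "object_id": object_id,
        "actor_id": ctx.actor_id,
        "tenant_id": ctx.tenant_id,
    }


def run_export_job(envelope):
    """Worker rebuilds the context from the envelope and scopes its lookup with it.

    An envelope without context is rejected outright instead of being run with
    the worker's global rights; a missing and an out-of-scope object produce the
    same stable result.
    """
    if "tenant_id" not in envelope or "actor_id" not in envelope:
        raise ValueError("job envelope lacks authorization context")
    ctx = Ctx(envelope["actor_id"], envelope["tenant_id"])
    rows = [r for r in ROWS
            if r.id == envelope["object_id"] and r.tenant_id == ctx.tenant_id]
    if not rows:
        return {"status": "not found"}
    return {"status": "exported", "object_id": rows[0].id, "by": ctx.actor_id}
```

In a real service the predicate in `search_scoped` belongs in the query builder or repository layer rather than in each handler, so that a new list endpoint cannot forget it; the envelope check in `run_export_job` plays the same role for the job queue.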
## Related Capabilities
- Application and API security.
- Authorization and access control.
- Tenant isolation.
- Data protection and privacy.
## Maturity
Draft. The pattern maps directly to flex-auth but requires product-level
adoption and tests.
## Verification
- Cross-tenant object access tests fail.
- List/search endpoints cannot reveal out-of-scope objects.
- Background jobs preserve authorization context.
- Deny paths are audited and do not leak sensitive existence details.
## Research Basis
Seeded by API authorization, object-level authorization, OWASP API
security framing, and tenant-scoped authorization.
## References
- Initial exploration: Application and API security.
- Initial exploration: Application/API patterns.