How SaaS Companies are Changing Their Approach to Authorization

Authorization is a critical but invisible part of most applications. The authorization defines who has access to data. Using a physical safety analogy, if authentication is by the way which can enter the front door, Authorization is on which has keys to which rooms.

Historically, development teams have built the authorization logic in their application code. But the construction and maintenance of the logic of authorization have become a work in mind in mind, and over time, no one wants to touch the code in the fear of giving the bad person access to sensitive information. This problem is amplified by the explosion of LLM chatbots, which must train using many data, which should not be exposed to the end user.

Recently, a new harvest of developer tools appeared to approach this critical component of software development. As Twilio has done for sms or stripe for payments, sellers like OSO aim to solve authorisation So that developers can focus on their main application.

Types of authorization

There are several common authorization models. As a rule, organizations begin with Roles -based authorization (or RBAC), where users have defined roles that determine the data to which they can access. Using Google Docs as an example, a given document may have a editor,, commentatorOr viewer.

It sounds simple, right? Let's extend the Google Docs example. Let's say that a user creates a whole file of documents. If you have viewer access to the file, you should have viewer Access to all underlying documents. Now we must implement access control based on relationships (or rebac), which means that not only do you need roles, but you must also organize authorizations according to the relationship between resources.

You may then want to introduce other requirements, such as the definition of public private documents, access to time (this person can have an editor access to the document until the companies closed) or conditional access (sensitive HR documents cannot be accessible, even if your role allowed him otherwise). This type of authorization is called authorization based on attributes.

Secure LLM chatbots

In addition to these traditional authorization models, the explosion of LLM chatbots introduces new ways to interact with data, as well as new challenges. The flexibility and the LLM scale are more difficult to make sure you do not flee sensitive data. To be precise, these models must train on a large corpus of data. However, when the answers are returned, it is imperative that only users finish see only the data they are supposed to see. For example, imagine an employee asking for an internal chatbot: “Please summarize the results of the executive staff meeting in the past 6 months.”

You will find below an example of the data flow for an authorized cloth chatbot, which incorporates authorization checks before returning a response to the end user:

Who uses authorization as a service?

The new suppliers offer Authorization as a service Allowing companies to provide fine grain access controls, such as roles -based access control (RBAC), relationship -based access control (rebac) and attribute -based access control (ABAC), as well as emerging use cases to secure LLM chatbots. An increasing number of organizations now use authorization as a service to secure their applications. Will your organization be next?