Download your copy of our State of Authorization: Playbook Edition Get it now »

The best and simplest way to explain authorization

CPO Mark Cassetta shows how authorization takes a fine-grained approach to access control where authentication alone cannot.

While authorization is gaining great momentum in the market, sometimes people have a hard time explaining what is authorization in the face of all the other identity and access management (IAM) capabilities that exist. What’s the difference between authorization and conditional access? Dare I say, what’s the difference between authorization and authentication?

What I have found is that the best and simplest way to explain authorization is through the analogy of a house. Whether focused on the customer or the workforce, applications are a lot like houses. Ultimately, what we want to determine is who, what, where, and when people can access this house. While the analogy may seem very simple, it is a quick way to make sure all of your key stakeholders are on the same page as to what the solution is and what it can do.

The authorization house (An analogy)

Let’s pretend you have invited someone, let’s call them Bob, over to your house at 5pm to take a look at a car that you are selling. For Bob to get access to this car there are actually a number of important steps that need to take place:


You hear a knock at your door and the first thing you do is confirm that this is in fact Bob. There are lots of ways to do this, but perhaps it’s as simple as you just checking their identification (you probably aren’t going to ask them for a secret password :)

Identity-based access

Once you have confirmed that this is in fact Bob, the next question is whether Bob is actually allowed inside your house/garage to view the car? You said to come over at 5pm, but it’s actually 2pm in the afternoon. Is Bob still allowed in?

Coarse-grained authorization

Once we have confirmed that Bob is actually allowed inside the house, then we start to get into the “authorization flow” and ask what rooms can Bob go into? In this scenario, we are okay with Bob going into the garage and perhaps the living room where we can discuss the car in more detail. However; outside of that, we don’t want Bob going into any other rooms of the house.

Fine-grained authorization

We now let Bob into the garage to take a look at the car; however, are we going to give him the keys and let him go for a test drive? That’s a decision that’s going to be based on how much we trust Bob at that moment.

authorization and-the house analogy chart

Getting into the house – authentication

Authentication provides the key to the front door. It ensures the one holding the key can enter the house and access everything in it. But if someone loses their key or lends it to a friend, then that person now has access to everything in the house. This begs an additional question – what if you do not want everyone in the house to have access to everything in the house?

What happens after you’re in the house – authorization


Authorization dictates what you can access once you are in the house. Following the example, not everyone in a house has access to everything. The dog may be allowed in the living room, but not on the couch. A toddler can access the kitchen, but access to the oven is forbidden.


When we take this analogy into the business and IAM world, we can say that access to a certain application is allowed, but there is no blanket (or standing) access to every file, or access is only granted under certain conditions of time, location, risk score, etc.

Authorization is more important now than ever

The idea of authorization isn’t new; it’s been around since the dawn of application development and your teams built applications for decades depending on how long your enterprise has been around.

As the process by which we develop applications continues to evolve, our ‘house’ starts to look more like an apartment building. This is because enterprises are shifting to a microservices approach as they are replicating these houses quickly across different environments and landscapes.


While constructing these applications, development teams have hard-coded separate and sometimes unique authorization policies within each application, which creates a challenge. This method is not only unable to scale, but creates a lack of a unified, consistent approach to authorization, which can lead to non-compliance as well as a barrier to successfully implementing Zero Trust. Moreover, it is also costly to maintain and manage, often causing performance issues and requiring valuable developer hours to identify and remedy any issues.


The question of how to successfully implement authorization is different than when the application was first built. This constant evolution requires teams to rethink their whole authorization strategy. As a result, we see organizations move away from the inflexible isolated authorization approach to one that is orchestrated or policy-driven.

Policy-driven authorization centralizes accountability while decentralizing policy authoring and governance. This means that it breaks down the silos so your teams are no longer building custom policies for each application. What is happening is the IAM teams are starting to set guardrails for policies that assemble attributes and signals that the enterprise has been investing in.

Using a policy-driven authorization solution and approach, there are global policies that applications take on in addition to individual local policies that support the guardrails or investments that are already in place. From there, the team can connect all of those policies to a policy decision point (PDP), which enables organizations to orchestrate all of these policies across applications so you can quickly scale to hundreds or thousands of applications. In the end, this creates trust, enforces compliance, connects Zero Trust signals, and increases application development velocity within an organization.


Take the next step

Watch the full recording of the LinkedIn Live event where I walk through the details of where policy-driven authorization sits within the IAM ecosystem and how it can complement or enhance existing investments.

Ready to gain more knowledge on policy-driven authorization? Here are some additional resources that look at this topic:

Make sure to join us on LinkedIn Live for future events as David Brossard and I tackle common questions that we see from customers, prospects and partners worldwide.

Have 30 minutes? Let's show you a demo!

See how our award-winning solution can help you meet today's access control and Zero Trust needs.

Request a demo

  Join us on LinkedIn for more insights
Archived under:
About the author

As the chief product officer for Axiomatics, Mark is responsible for shaping the company’s innovation and product strategies. Mark has more than ten years of experience across product management, product marketing and business development, with companies including e-Share, Titus and Accenture.