TL;DR: Customer implementations of fine-grained authorization improved self-service customization, onboarding, and product packaging across applications like restaurant management, finance, and data intelligence, showing that access control can affect adoption as much as security, according to Cerbos. The underlying shift is that authorization now shapes user experience and monetisation, so IAM teams need to treat it as a business control, not just a backend gate.
NHIMG editorial — based on content published by Cerbos: a success story on authorization, user adoption, and product packaging
By the numbers:
- 30% of their customers were asking for custom roles and permissions.
Questions worth separating out
Q: How should teams design authorization for products with different customer workflows?
A: Use policy-based authorization that evaluates context, not just static roles.
Q: Why does fine-grained authorization affect customer adoption?
A: Customers adopt software faster when the product fits their workflow instead of forcing workarounds.
Q: What do security teams get wrong about role-based access control in SaaS products?
A: They often assume roles alone can express real-world business variation.
Practitioner guidance
- Map your product workflows to policy decisions: identify where access is currently enforced in application code, custom logic, or manual exceptions, then move those decisions into a central policy layer that can distinguish user type, tenant, resource, and action.
- Replace one-size-fits-all roles with contextual permissions: use attributes such as department, customer, device, and time to limit access to the exact records and actions each actor needs, especially where customers demand different workflows.
- Design external access as a constrained workflow: give contractors, partners, and customers access to specific documents or steps only, instead of broad account-level access that forces teams to share files outside the system.
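The three guidance items above, worked through in a small policy evaluator. This is an added example written for this editorial, not Cerbos' policy language and not any customer's implementation; the attribute names (department, managed device, business hours, per-document grants) are constructed to show a tenant-isolation deny, a contextual allow for staff, and a constrained view-only grant for contractors.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

@dataclass(frozen=True)
class Principal:
    id: str
    tenant: str
    department: str = ""
    role: str = "staff"                      # coarse role; the conditions below do the real work
    granted_docs: frozenset = frozenset()    # explicit per-document grants for external actors

@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    tenant: str
    department: str = ""

@dataclass(frozen=True)
class Ctx:
    device: str    # "managed" or "unmanaged" (constructed attribute)
    now: time      # request time, used for a business-hours condition

# A rule is (effect, resource kind or "*", action or "*", condition).
Rule = tuple[str, str, str, Callable[[Principal, Resource, Ctx], bool]]

def staff_in_hours(p: Principal, r: Resource, c: Ctx) -> bool:
    # Same department, managed device, 08:00-18:00: context, not just a role name.
    return (p.role == "staff" and p.department == r.department
            and c.device == "managed" and time(8) <= c.now <= time(18))

RULES: list[Rule] = [
    # Tenant isolation: a deny that no allow can override.
    ("DENY", "*", "*", lambda p, r, c: p.tenant != r.tenant),
    ("ALLOW", "invoice", "view", staff_in_hours),
    ("ALLOW", "invoice", "edit", staff_in_hours),
    # Contractors see exactly the documents granted to them, view only:
    # a constrained workflow instead of account-level access.
    ("ALLOW", "document", "view",
     lambda p, r, c: p.role == "contractor" and r.id in p.granted_docs),
]

def is_allowed(p: Principal, r: Resource, action: str, ctx: Ctx) -> bool:
    """Central decision point: deny overrides allow, and the default is deny."""
    allowed = False
    for effect, kind, act, cond in RULES:
        if kind not in ("*", r.kind) or act not in ("*", action):
            continue
        if cond(p, r, ctx):
            if effect == "DENY":
                return False
            allowed = True
    return allowed
```

Each application call site asks `is_allowed` instead of checking a role string, so adding a customer-specific condition means adding a rule, not patching application code.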
What's in the full article
Cerbos' full success story covers the operational detail this post intentionally leaves for the source:
- Customer implementation specifics showing how Supy let users build their own RBAC rules
- Product packaging examples from Nook, Human Managed, and 9fin that explain the business impact of authorization design
- The exact ABAC conditions used by Human Managed to tailor access by customer, department, device, and time
- The vendor's own commentary on how Cerbos Hub fits into these product and workflow patterns
👉 Read Cerbos' success story on authorization, adoption, and product packaging →
Authorization and product adoption: what IAM teams are missing?
Explore further
Authorization is no longer just a security boundary; it is a product design control. When entitlements shape which features users can see and which workflows they can complete, access policy becomes part of the customer experience. That changes the IAM conversation from enforcement to enablement, because product teams now rely on authorization to support segmentation, packaging, and self-service. Practitioners should treat policy design as part of product architecture, not only as a compliance concern.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How can organizations keep external actors inside the application boundary?
A: Constrain contractors, partners, and customers to the exact document, workflow step, or dataset they need, rather than broad account-level rights. When access is too coarse, people move files into email or chat to get work done, which creates governance gaps and makes auditability worse.
👉 Read our full editorial: Authorization is becoming a product and growth control