Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Distributed authorization: when should teams centralize access decisions?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Authorization in distributed systems breaks the monolith assumption that one service can safely answer access questions with local data, according to Authzed. The practical takeaway is that fine-grained access control needs a coherent decision point, because duplicated logic, JWT scope bloat, and service coupling all grow faster than service boundaries.

NHIMG editorial — based on content published by Authzed: authorization approaches for distributed systems

Questions worth separating out

Q: How should security teams handle authorization across multiple services?

A: Security teams should centralize fine-grained authorization when access decisions depend on relationships that span service boundaries.

Q: Why do JWT scopes become a problem in distributed systems?

A: JWT scopes work well for coarse roles, but they become unwieldy when a user needs access to many individual resources.

Q: What breaks when each service implements its own authorization logic?

A: Each service can end up answering the same permission question differently because it only sees part of the relationship graph.

Practitioner guidance

  • Centralize fine-grained access decisions Route cross-service permission checks to one authorization layer so services ask a simple yes or no question instead of rebuilding policy logic locally.
  • Limit JWT scopes to coarse-grained access Use token claims for broad roles or workspace-level access, not for large lists of per-resource entitlements.
  • Separate policy evaluation from business services Keep domain services focused on application behavior and let a dedicated authorization service own relationship resolution and permission logic.

What's in the full article

Authzed's full article covers the operational detail this post intentionally leaves for the source:

  • A deeper comparison of service-local authorization versus centralized authorization for distributed systems.
  • Schema examples showing how relationship-based access rules are expressed and maintained.
  • Tradeoffs involved in feeding relationship data into a central authorization service.
  • A practical look at how authorization design changes when GraphQL or similar gateways sit in front of services.

👉 Read Authzed's analysis of distributed authorization approaches →

Distributed authorization: when should teams centralize access decisions?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Distributed authorization is a governance problem before it is an implementation problem. Once access decisions cross service boundaries, the system needs a single place where identity, object relationships, and policy meet. Without that, each service becomes a partial authority, and partial authorities create drift. The important point for practitioners is that authorization sprawl is not a coding inconvenience, it is a control failure waiting to happen.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still struggle to maintain an accurate machine-identity inventory.

A question worth separating out:

Q: What is the difference between gateway authorization and centralized authorization?

A: Gateway authorization decides access at the edge and often encodes the result into a token, while centralized authorization keeps the policy decision in a dedicated service that domain services query at runtime. Gateway models are simpler for coarse access, but centralized models handle fine-grained permissions more consistently across service boundaries.

👉 Read our full editorial: Distributed authorization needs a central policy model



   
ReplyQuote
Share: