Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Admin time authorization vs runtime checks: where static access breaks


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Admin time authorization assigns roles and permissions before access is attempted, which keeps enterprise access predictable, auditable, and easy to govern, according to Cerbos. The static model still matters, but it breaks down when context, risk, and lifecycle changes outpace periodic reviews and role updates.

NHIMG editorial — based on content published by Cerbos: admin time authorization and runtime access control

Questions worth separating out

Q: How should organisations combine admin time authorization with runtime policy?

A: Use admin time authorization for baseline roles and groups, then apply runtime policy for context-sensitive decisions such as device trust, location, and sensitive resources.

Q: When does admin time authorization create more risk than it reduces?

A: It becomes risky when roles are used to encode exceptions, temporary access, or fine-grained conditions that should be evaluated at request time.

Q: What do security teams get wrong about static access assignments?

A: Teams often assume that a role assignment proves least privilege, when it really only proves that access was approved at a point in time.

Practitioner guidance

  • Keep roles coarse and purpose-built Limit each role to a stable business function and avoid encoding exceptions, location rules, or time-based conditions into role names.
  • Move contextual decisions into runtime policy Apply dynamic checks for sensitive access, temporary entitlements, and requests that depend on device posture, location, or resource attributes.
  • Tie joiner-mover-leaver events to entitlement removal Make role updates and deprovisioning part of the identity lifecycle, not a separate cleanup exercise.

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • A worked comparison of role-based access control and attribute-based access control in application code.
  • Example policy patterns for mixing admin time roles with runtime checks in enterprise systems.
  • The article's scenario-level explanation of how regulated industries use access assignments for auditability.
  • A deeper walkthrough of how Cerbos positions static and dynamic authorization together in developer workflows.

👉 Read Cerbos's analysis of admin time authorization and runtime checks →

Admin time authorization vs runtime checks: where static access breaks?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Admin time authorization remains the governance anchor for baseline access, but it is not a complete authorisation model. The article is right to distinguish pre-assigned entitlements from dynamic decision-making, because that split maps to a real operational boundary in IAM. Static roles give auditors a clear record of who was granted what, but they do not answer whether the access is still appropriate at the moment of use. For practitioners, the implication is that admin time authorization should define the floor, not the ceiling, of access control.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why static authorization without governance discipline leaves hidden access paths in place.

A question worth separating out:

Q: Who should own role reviews and entitlement cleanup?

A: IAM or IGA teams should own the control design, but managers and application owners should validate whether the entitlement still matches business need. That shared model is what makes access certification useful, because governance only works when technical ownership and business accountability both exist.

👉 Read our full editorial: Admin time authorization is still the baseline for enterprise access



   
ReplyQuote
Share: