Admin time authorization vs runtime checks: where static access breaks


(@nhi-mgmt-group)
Member Moderator

TL;DR: Admin time authorization assigns roles and permissions before access is attempted, which keeps enterprise access predictable, auditable, and easy to govern, according to Cerbos. The static model still matters, but it breaks down when context, risk, and lifecycle changes outpace periodic reviews and role updates.

NHIMG editorial — based on content published by Cerbos: admin time authorization and runtime access control

Questions worth separating out

Q: How should organisations combine admin time authorization with runtime policy?

A: Use admin time authorization for baseline roles and groups, then apply runtime policy for context-sensitive decisions such as device trust, location, and sensitive resources.

Q: When does admin time authorization create more risk than it reduces?

A: It becomes risky when roles are used to encode exceptions, temporary access, or fine-grained conditions that should be evaluated at request time.

Q: What do security teams get wrong about static access assignments?

A: Teams often assume that a role assignment proves least privilege, when it really only proves that access was approved at a point in time.

Practitioner guidance

  • Keep roles coarse and purpose-built: limit each role to a stable business function and avoid encoding exceptions, location rules, or time-based conditions into role names.
  • Move contextual decisions into runtime policy: apply dynamic checks for sensitive access, temporary entitlements, and requests that depend on device posture, location, or resource attributes.
  • Tie joiner-mover-leaver events to entitlement removal: make role updates and deprovisioning part of the identity lifecycle, not a separate cleanup exercise.
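The split described in the Q&A above and in the guidance list, as an added example written for this post (not code from Cerbos or from the source article): a coarse admin-time role grants the baseline, a temporary entitlement carries its own expiry instead of being folded into a role, and a runtime policy evaluates device posture and resource sensitivity at request time. Principal names, roles, resource kinds and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple

# Admin-time state: coarse roles and role-to-permission mappings assigned before
# any request is made. All values below are constructed sample data.
ROLE_PERMISSIONS = {
    "finance_analyst": {("invoice", "read")},
    "finance_admin": {("invoice", "read"), ("invoice", "approve")},
}
PRINCIPAL_ROLES = {"alice": {"finance_analyst"}, "bob": {"finance_admin"}}
# Temporary entitlements carry an expiry and are never encoded into a role name.
TEMP_GRANTS = {
    "alice": [(("invoice", "approve"), datetime(2024, 6, 30, tzinfo=timezone.utc))],
}

@dataclass
class Request:
    principal: str
    resource_kind: str
    action: str
    sensitivity: str       # resource attribute: "low" or "high"
    device_trusted: bool   # device posture observed at request time
    now: datetime          # request timestamp (timezone-aware)

def admin_time_allows(req: Request) -> bool:
    """Static check: an assigned role or an unexpired temporary grant covers the action."""
    needed = (req.resource_kind, req.action)
    for role in PRINCIPAL_ROLES.get(req.principal, set()):
        if needed in ROLE_PERMISSIONS.get(role, set()):
            return True
    for perm, expires in TEMP_GRANTS.get(req.principal, []):
        if perm == needed and req.now < expires:
            return True
    return False

def runtime_policy_allows(req: Request) -> Tuple[bool, str]:
    """Context-sensitive checks that a periodic role review cannot express."""
    if req.sensitivity == "high" and not req.device_trusted:
        return False, "high-sensitivity resource requires a trusted device"
    if req.action == "approve" and not req.device_trusted:
        return False, "approval actions require a trusted device"
    return True, "ok"

def decide(req: Request) -> Tuple[bool, str]:
    """A role assignment is necessary but not sufficient; runtime policy has the final say."""
    if not admin_time_allows(req):
        return False, "no role or unexpired grant covers this action"
    return runtime_policy_allows(req)
```

Note that the same principal with the same role assignment gets different answers depending on the request timestamp and device posture, which is exactly what a point-in-time access review cannot see.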

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • A worked comparison of role-based access control and attribute-based access control in application code.
  • Example policy patterns for mixing admin time roles with runtime checks in enterprise systems.
  • The article's scenario-level explanation of how regulated industries use access assignments for auditability.
  • A deeper walkthrough of how Cerbos positions static and dynamic authorization together in developer workflows.

👉 Read Cerbos's analysis of admin time authorization and runtime checks →
