{"id":5286,"date":"2026-03-12T14:17:55","date_gmt":"2026-03-12T14:17:55","guid":{"rendered":"https:\/\/discovery.cevolution.co.uk\/ciam\/?p=5286"},"modified":"2026-03-19T10:15:34","modified_gmt":"2026-03-19T10:15:34","slug":"auth-in-the-world-of-customer-identity","status":"publish","type":"post","link":"https:\/\/discovery.cevolution.co.uk\/ciam\/2026\/03\/12\/auth-in-the-world-of-customer-identity\/","title":{"rendered":"Auth In The World Of Customer Identity"},"content":{"rendered":"<p>In the world of&nbsp;<span class=\"popup-trigger popmake-1185\" data-popup-id=\"1185\" data-do-default=\"0\">Customer Identity and Access Management<\/span>, or CIAM for short, <strong>Authentication<\/strong> (a.k.a. AuthN) and <strong>Authorization<\/strong> (a.k.a. AuthZ) are essentially the two sides of the &#8220;Auth&#8221; coin. The distinction between each is fundamental to achieving a successful outcome from both an integration and a security perspective. 
Yet it is often misunderstood.<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/10085922\/image-6-1024x683.png\" alt=\"\" class=\"wp-image-5420\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/10085922\/image-6-1024x683.png 1024w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/10085922\/image-6-300x200.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/10085922\/image-6-768x512.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/10085922\/image-6.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n\n<p>At first glance, they appear similar, and there is certainly synergy between the two. Both relate to access, both are security controls, and both sit within the identity space. 
However, in reality, they solve two different problems: Authentication&nbsp;essentially answers the question of&nbsp;<em>\u201cWho are you?\u201d<\/em> whilst, as a corollary, Authorization&nbsp;answers the question of&nbsp;<em>\u201cWhat are you allowed to do?\u201d<\/em><\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">Authentication<\/th><th class=\"has-text-align-center\" data-align=\"center\">Authorization<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">Verifies identity<\/td><td class=\"has-text-align-center\" data-align=\"center\">Grants approval<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Executed infrequently<\/td><td class=\"has-text-align-center\" data-align=\"center\">Evaluated repeatedly<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Based on credentials<\/td><td class=\"has-text-align-center\" data-align=\"center\">Based on policy<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Token issuance<\/td><td class=\"has-text-align-center\" data-align=\"center\">Permission validation<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Identity-centric<\/td><td class=\"has-text-align-center\" data-align=\"center\">Context-centric<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\"><em>Auth at a glance<\/em><\/figcaption><\/figure>\n\n\n\n<p>Governance \u2014 often referred to as Identity Governance and Administration, or IGA for short \u2014 also plays a large part. Governance essentially provides process layers that sit&nbsp;<em>above<\/em>&nbsp;core Authentication and Authorization, particularly in Workforce IAM and <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> CIAM scenarios. 
I&#8217;ll be covering this in more detail in a future article.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-9c21c68b116f73f7b5737c3902e233a1 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In workforce IAM, users are employees, control dominates, and trust boundaries are internal. With CIAM, users are customers, experience dominates, the trust boundary is the public internet and privacy regulations apply.<\/em><\/p>\n<\/div>\n\n\n\n<p>My name&#8217;s <span class=\"popup-trigger popmake-378\" data-popup-id=\"378\" data-do-default=\"0\">Peter Fernandez<\/span>, and in this article, I&#8217;m going to discuss the differences between Authentication and Authorization \u2014 exploring some of the concepts that help drive frictionless customer experiences at scale, whilst maintaining privacy and providing security that&#8217;s robust yet largely invisible.<\/p>\n\n\n\n<h2 id=\"authentication\" class=\"wp-block-heading\">Authentication<\/h2>\n\n\n\n<p>Let&#8217;s start with Authentication \u2014 not least because it&#8217;s the precursor to anything that&#8217;s Auth-related. Authentication is the process of verifying a user\u2019s identity. 
In a CIAM context, this typically means \u201cyou are who you claim to be,\u201d and involves the likes of:<\/p>\n\n\n\n<ul style=\"margin-right:0;margin-left:0\" class=\"wp-block-list\">\n<li>Username\/password credential validation<\/li>\n\n\n\n<li>Social login (Google, Apple, Facebook)<\/li>\n\n\n\n<li>Passwordless email links<\/li>\n\n\n\n<li>WebAuthn \/ Passkeys<\/li>\n\n\n\n<li>Biometrics<\/li>\n\n\n\n<li>SMS OTP<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>Actually, Authentication isn&#8217;t just about verifying a user&#8217;s identity \u2014 what is typically referred to as a <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">Sign-in\/Login<\/span>. But it is what most folks typically associate with the term. Authentication can, however, also refer to the identification of a non-user context. In a modern landscape, this also includes AI agents (acting on behalf of a user) or otherwise. I&#8217;ll talk more about this in future articles.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-92ba303286d9140ce36fecc279159294 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Authentication covers a wide range: from User Authentication at one end of the spectrum to Machine Authentication \u2014 typically where the identity of some system-level service is concerned \u2014 at the other.<\/em><\/p>\n<\/div>\n\n\n\n<h3 id=\"protocols\" class=\"wp-block-heading\">Protocols<\/h3>\n\n\n\n<p>Unlike Workforce IAM \u2014 where strict controls dominate \u2014 CIAM balances the likes of Security, Privacy and Regulatory Compliance, with usability, simplicity and conversion. 
To achieve this, Authentication in a CIAM context must offer maximum security, low friction, be resilient to abuse, highly scalable, and be capable of operating in an <span class=\"popup-trigger popmake-2876\" data-popup-id=\"2876\" data-do-default=\"0\">API<\/span>-first architecture.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-ee282cb8ac447bda800936cb861a30f8 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>CIAM Authentication is typically satisfied via SaaS solutions like <a href=\"https:\/\/www.keycloak.org\" target=\"_blank\" rel=\"noopener\" title=\"\">Keycloak<\/a> or third-party providers like <a href=\"https:\/\/fusionauth.io\" target=\"_blank\" rel=\"noopener\" title=\"\">Fusion Auth<\/a>, <a href=\"https:\/\/clerk.com\" target=\"_blank\" rel=\"noopener\" title=\"\">Clerk<\/a>, <a href=\"https:\/\/frontegg.com\" title=\"\">FrontEgg<\/a>, <a href=\"https:\/\/auth0.com\" target=\"_blank\" rel=\"noopener\" title=\"\">Auth0<\/a>, etc. These operate independently of the applications in a typical <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span>\/<span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B <\/span>ecosystem. <\/em><\/p>\n<\/div>\n\n\n\n<h4 id=\"oidc\" class=\"wp-block-heading\">OIDC<\/h4>\n\n\n\n<p>Today, <span class=\"popup-trigger popmake-407\" data-popup-id=\"407\" data-do-default=\"0\">OIDC<\/span>, short for OpenID Connect, is the dominant industry-standard authentication protocol. 
It&#8217;s built on top of the <span class=\"popup-trigger popmake-467\" data-popup-id=\"467\" data-do-default=\"0\">OAuth 2<\/span> protocol specification (more about that in the section <a href=\"#delgatedauthz\" title=\"\">below<\/a>) and allows an application \u2014 otherwise known as a Client \u2014 to verify identity based on the Authentication performed by an Identity Provider (an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>). It is:<\/p>\n\n\n\n<ul style=\"margin-right:0;margin-left:0\" class=\"wp-block-list\">\n<li>REST-friendly<\/li>\n\n\n\n<li>JSON-based<\/li>\n\n\n\n<li><span class=\"popup-trigger popmake-1393\" data-popup-id=\"1393\" data-do-default=\"0\">ID Token<\/span> centric using <span class=\"popup-trigger popmake-1899 \" data-popup-id=\"1899\" data-do-default=\"0\">JWTs<\/span><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-7f131dafa6b09588ac65bc10fd85e1cc is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst systems that use OAuth 2 (discussed <a href=\"#oauth2\" title=\"\">below<\/a>) can also be used to Authenticate, the predominant mechanism is OIDC. This exacerbates misconceptions, particularly if both use JWT as their token format. <\/em><\/p>\n<\/div>\n\n\n\n<p>OIDC dominates in a CIAM context for a number of different reasons. Being relatively easy to integrate with both Confidential Clients and Public Clients \u2014 such as Mobile Apps and SPAs \u2014 and supporting the likes of Social Login, too, it&#8217;s cloud-friendly (so works well with B2C and B2B type solutions), enables SSO and MFA workflows, and is easily extensible. 
You can read more about it in my previously published article:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"dcfljULeNp\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/\">OIDC, SAML and OAuth 2.0<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;OIDC, SAML and OAuth 2.0&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/embed\/#?secret=QyhM3hw4K2#?secret=dcfljULeNp\" data-secret=\"dcfljULeNp\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<h4 id=\"saml\" class=\"wp-block-heading\">SAML<\/h4>\n\n\n\n<p>Prior to OIDC, <span class=\"popup-trigger popmake-470\" data-popup-id=\"470\" data-do-default=\"0\">SAML<\/span> dominated the federated identity landscape \u2014 and to a large extent still does in enterprise federation today. SAML, short for Security Assertion Markup Language, is an XML-based protocol used for exchanging authentication data between parties \u2014 typically an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> or an <span class=\"popup-trigger popmake-1629\" data-popup-id=\"1629\" data-do-default=\"0\">SP<\/span> (i.e. 
Service Provider in the SAML nomenclature).<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-9ca18b35558e7b64ad55027032b806a9 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Federation is the mechanism whereby Authentication can essentially be delegated to an <span class=\"popup-trigger popmake-3363\" data-popup-id=\"3363\" data-do-default=\"0\">Upstream IdP<\/span> (from what&#8217;s typically referred to as a <span class=\"popup-trigger popmake-5184\" data-popup-id=\"5184\" data-do-default=\"0\">Downstream IdP<\/span>). Federation is often used as a shorthand reference to Enterprise Federation, but it can equally apply to <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> as well.<\/em><\/p>\n<\/div>\n\n\n\n<p>Whilst SAML still leverages the concept of an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>, it works differently to OIDC \u2014 crucially, in the respect that it relies on the SAML Assertion (an XML-based document) rather than the JWT format ID Token used in OIDC. Again, you can read more about SAML and the differences between it and OIDC in my article linked above.<\/p>\n\n\n\n<p>Still heavily used in Enterprise <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span> scenarios, SAML is often leveraged in B2B <span class=\"popup-trigger popmake-2946\" data-popup-id=\"2946\" data-do-default=\"0\">SaaS,<\/span> where (Enterprise) Federation is frequently used. 
It can also be used in scenarios where highly secure trust relationships are required, and where proprietary, in-house IdP implementations are employed. However, for B2C SaaS solutions, as well as more and more B2B ones, OIDC has largely replaced it as the protocol of choice.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-dd7c60f185c70480390336b934a6cc5d is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In most SaaS scenarios, applications themselves will almost always make use of OIDC, preferring to integrate with 3rd-party CIAM (SaaS) solutions that will manage <span class=\"popup-trigger popmake-3363 \" data-popup-id=\"3363\" data-do-default=\"0\">upstream<\/span> SAML requirements.<\/em><\/p>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"ldap\">LDAP<\/h4>\n\n\n\n<p>Before federated, token-based authentication became standard, identity was typically directory-based. From this period, three major legacy protocols remain relevant, and it is worth understanding a little of each from a historical perspective. 
The first of these is LDAP.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-985963be49b315eda8369c6e29db235b is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Legacy Authentication often relies on proprietary techniques that, in many cases, can be integrated with modern standards via proxy mechanisms. This can offer a temporary stopgap, as illustrated in the article <a href=\"https:\/\/auth0.com\/blog\/sso-for-legacy-apps-with-auth0-openid-connect-and-apache\/\" target=\"_blank\" rel=\"noopener\" title=\"\">here<\/a>. <\/em><\/p>\n<\/div>\n\n\n\n<p>Lightweight Directory Access Protocol (LDAP) can be used to query and interact with directory services like legacy Microsoft Active Directory, Open Directory, etc. When using LDAP, Authentication works by:<\/p>\n\n\n\n<ol style=\"margin-right:0;margin-left:0\" class=\"wp-block-list\">\n<li>Binding to a directory<\/li>\n\n\n\n<li>Validating credentials against stored records \u2014 typically a UserID &amp; Password.<\/li>\n<\/ol>\n\n\n\n<p>LDAP is essentially stateful, and being directory-centric is typically focused on leveraging internal-network resources. It lacks support for Federation and has no web-native capability.<\/p>\n\n\n\n<p>Whilst LDAP is rarely utilised in a CIAM context, it is still used in Workforce IAM situations, and can be required as part of (legacy) integration in the Enterprise Federation scenarios common in B2B SaaS. 
<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-b63142e275532215d0e3279c4cdfd02a is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In almost all cases, integrating with the IdP provided by most (3rd-party) CIAM SaaS solutions will also provide seamless LDAP interaction from an application perspective.<\/em><\/p>\n<\/div>\n\n\n\n<h4 id=\"kerberos\" class=\"wp-block-heading\">Kerberos<\/h4>\n\n\n\n<p>Another older but historically significant approach to authentication, which is based on trusted ticket exchange, is Kerberos. Originally developed at&nbsp;Massachusetts Institute of Technology&nbsp;(MIT), Kerberos was designed to authenticate users securely across distributed networks without the transmission of passwords. In many ways, it can be thought of as the forerunner to the protocols typically used today.  <\/p>\n\n\n\n<p>Using a\u00a0ticket-based authentication model, a user initially authenticates with a\u00a0KDC (a Key Distribution Centre), which issues a\u00a0Ticket Granting Ticket (TGT)\u00a0after validating the user\u2019s credentials. The TGT can then be used to request\u00a0service tickets\u00a0for specific applications or services. Because the tickets are encrypted and time-limited, Kerberos reduces the risk of credential exposure and replay attacks, not dissimilar to OIDC or SAML.<\/p>\n\n\n\n<p>The use of Kerberos in <span class=\"popup-trigger popmake-1354 \" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span> SaaS is practically unheard of. 
However, like LDAP (discussed <a href=\"#ldap\" title=\"\">above<\/a>), it can still play a role in <span class=\"popup-trigger popmake-418 \" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS scenarios where enterprise identities need to federate with customer-facing systems.<\/p>\n\n\n\n<h4 id=\"radius\" class=\"wp-block-heading\">RADIUS<\/h4>\n\n\n\n<p>Remote Authentication Dial-In User Service (RADIUS) is a protocol designed for network access authentication. RADIUS uses shared secrets, often integrates with LDAP, and is typically focused on the network-level access typically associated with VPN authentication, WiFi authentication and network access control. In CIAM, it is rarely used, but may appear in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ISP infrastructure<\/li>\n\n\n\n<li>Telecom oriented systems<\/li>\n\n\n\n<li>Network-based services<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-4a7961ab4ae08ec22bf898b27ac14dda is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>RADIUS is primarily classed as a AAA \u2014 as in Authentication, Authorization and Accounting \u2014 protocol, so leveraged in more than just Authentication scenarios.<\/em><\/p>\n<\/div>\n\n\n\n<h3 id=\"mfa\" class=\"wp-block-heading\">MFA<\/h3>\n\n\n\n<p><span class=\"popup-trigger popmake-428 \" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span> \u2014 a.k.a. Multi-factor Authentication, or 2-factor Authentication (2FA) \u2014 complements first-factor authentication to provide additional user security. 
It typically employs an additional user authentication mechanism \u2014 also known as a factor \u2014 in an attempt to improve the odds of someone actually being who they say they are. <\/p>\n\n\n\n<p>MFA is an excellent deterrent against malicious attacks, where someone else pretends to be a legitimate user, and any number of factors can be combined as part of the user authentication process (and in any permutation, too). MFA can be adaptive, and is frequently used as part of <span class=\"popup-trigger popmake-2262\" data-popup-id=\"2262\" data-do-default=\"0\">step-up authentication<\/span> scenarios as well. You can read more about this in my related article:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"yjBOHjxuZt\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/04\/factoring-mfa-into-the-equation\/\">Factoring MFA into the Equation<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Factoring MFA into the Equation&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/04\/factoring-mfa-into-the-equation\/embed\/#?secret=Jk2sJNZ66S#?secret=yjBOHjxuZt\" data-secret=\"yjBOHjxuZt\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>When using MFA in a CIAM context, the challenge is to combine the use of factors in a way that maximises security whilst minimising impact on usability. 
<span class=\"popup-trigger popmake-1879 \" data-popup-id=\"1879\" data-do-default=\"0\">Passkeys<\/span>, for example, provide a first-factor authentication method that seamlessly combines Biometrics as a 2nd factor to provide an intuitive, secure Login experience with minimal friction.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-1810cd4612244db9963bae8c37997627 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Factor is the term given to any mechanism for user authentication. First-factor authentication, for example, typically refers to the initial Login, whilst multi-factor refers to one or more additional authentication mechanisms.<\/em><\/p>\n<\/div>\n\n\n\n<p>MFA can also be used to augment the authentication provided by the <span class=\"popup-trigger popmake-3363\" data-popup-id=\"3363\" data-do-default=\"0\">upstream IdPs<\/span> used in <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> or (Enterprise) Federation scenarios, even if those systems don&#8217;t provide MFA, or if you simply want to add an additional layer of protection, say, on top of <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span>. 
Most (3rd-party) SaaS CIAM solutions offer MFA as a flexible implementation that can be added adaptively, in either a step-up manner or as part of the initial <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">Login<\/span> workflow.<\/p>\n\n\n\n<h3 id=\"sso\" class=\"wp-block-heading\">SSO<\/h3>\n\n\n\n<p><span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span> \u2014 Single Sign On \u2014 works by leveraging an independent UI, typically via the Browser, to provide application-independent session-level authentication using a trusted (3rd-party) SaaS <span class=\"popup-trigger popmake-415 \" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>. When a user goes to log in for the first time, a successful interaction creates a cookie in the context of the IdP; whenever a user is redirected to the IdP for authentication, if there&#8217;s already a valid cookie, they&#8217;ll simply get redirected back to the application without being prompted for interactive login.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-fb117ed1d804dee69a9a2596bd3e1f99 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>When combined with MFA, participation in interactive step-up authentication scenarios is still possible, even though interactive first-factor authentication is avoided. 
<\/em> <\/p>\n<\/div>\n\n\n\n<p>SSO significantly reduces interactive authentication, and when leveraged via the likes of (Enterprise) Federation, can even be used to &#8220;automagically&#8221; fill in user profile details without having to prompt the user; a win-win situation, where less user friction means better adoption of a product. Again, you can read more about SSO in my related article:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"gPmRznXMYh\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/05\/the-benefits-of-single-sign-on-sso\/\">The Benefits of SSO in a CIAM Integration<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;The Benefits of SSO in a CIAM Integration&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/05\/the-benefits-of-single-sign-on-sso\/embed\/#?secret=QeAlf7ID6e#?secret=gPmRznXMYh\" data-secret=\"gPmRznXMYh\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<h2 id=\"authorization\" class=\"wp-block-heading\">Authorization<\/h2>\n\n\n\n<p>Where Authentication proves Identity, Authorization determines what that Identity can do (or what can be done on their behalf). 
Authorization effectively begins immediately after (successful) Authentication ends, and in a CIAM context, essentially equates to &#8220;you may do this,&#8221; handling the likes of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access control<\/li>\n\n\n\n<li>API-to-API access<\/li>\n\n\n\n<li>App-to-API access<\/li>\n\n\n\n<li>Third-party access<\/li>\n\n\n\n<li>Privacy-driven consent<\/li>\n\n\n\n<li>Granular feature permissions<\/li>\n<\/ul>\n\n\n\n<p>Unlike Authentication, there&#8217;s far less in the way of standards when it comes to Authorization. Authorization is more complex \u2014 a quick glance at the table of contents for this article illustrates that \u2014 primarily because it&#8217;s contextual: depending on who you are and what you are trying to do will ultimately determine the authorization mechanism(s) that are brought in to play.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-51c835012f17a7fe808eeaa6b9884add is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst there is commonly accepted standardisation in terms of terminology, patterns and operational concepts, there is far less in the way of protocol standards for Authorization than for Authentication. <\/em><\/p>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"delgatedauthz\">Delegated Authorization<\/h3>\n\n\n\n<p>Delegated Authorization allows one party to act on behalf of another, with either explicit or implicit consent, and is enabled by the industry standard OAuth 2 protocol. 
Despite common misconceptions, which can often lead to misuse, OAuth 2 is not an authentication protocol, but rather is about granting (limited) access to resources.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"oauth2\">OAuth 2<\/h4>\n\n\n\n<p>As discussed in my previous article &#8220;<a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/\" target=\"_blank\" rel=\"noopener\" title=\"\">OIDC, SAML and OAuth 2.0<\/a>&#8221; (linked above), OAuth 2.0 was first introduced in <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc6749\" target=\"_blank\" rel=\"noreferrer noopener\">RFC 6749<\/a>, which was published in late 2012. Despite popular misconception, it is the standard protocol intended to deal with delegated authorization when using APIs, not Access Control (discussed <a href=\"#accesscontrol\" title=\"\">below<\/a>), as some believe.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-7ccbb18dba78c7c9560bd1c21b7cbd9b is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Services offered by popular (3rd-party) CIAM SaaS providers often bundle IdP and Authorization Server functionality, which again exacerbates misconceptions between OAuth 2 and OIDC \u2014 particularly if both use JWT as their token format. <\/em><\/p>\n<\/div>\n\n\n\n<p>OAuth 2 services are typically provided by what is referred to as an Authorization Server. For example, suppose you log in to a grammar-checking application that works against your Google Docs. 
As part of your interaction:<\/p>\n\n\n\n<ol style=\"list-style-type:lower-alpha\" class=\"wp-block-list\">\n<li>The app redirects you to Google<\/li>\n\n\n\n<li>You authenticate<\/li>\n\n\n\n<li>You are shown a&nbsp;<strong>consent screen<\/strong><\/li>\n\n\n\n<li>You grant permission to access your Google resources<\/li>\n\n\n\n<li>Google Authorization Server issues an Access Token<\/li>\n\n\n\n<li>The grammar-checking app uses that token to call Google APIs<\/li>\n<\/ol>\n\n\n\n<p>If this sounds familiar, then that&#8217;s not entirely surprising; what I&#8217;ve just described is <em><a href=\"https:\/\/www.grammarly.com\" target=\"_blank\" rel=\"noopener\" title=\"\">Grammarly<\/a><\/em> and how it leverages delegated authorization to gain access to the Google Docs resources in order to perform grammar checking on your behalf \ud83d\ude0e<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-3957ab87293e985c1b6aadc7e83e7602 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst many 3rd-party CIAM SaaS providers do bundle IdP and Authorization Server functionality, solutions like <a href=\"https:\/\/www.authlete.com\/developers\/ciba\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Authlete<\/a> and <a href=\"https:\/\/github.com\/ory\/hydra\" target=\"_blank\" rel=\"noopener\" title=\"\">Ory Hydra<\/a> typically function as discrete Authorization Servers that leverage additional IdP functionality. 
<\/em><\/p>\n<\/div>\n\n\n\n<h4 id=\"consent\" class=\"wp-block-heading\">Consent<\/h4>\n\n\n\n<p>Consent is a central aspect of Delegated Authorization, and essentially becomes part of authorization Policy in general (more about <a href=\"#policy\" title=\"\">Policy<\/a> a little later). An integral part of OAuth 2, it is the mechanism by which users have direct input on what is being done on their behalf and is key to achieving regulatory compliance (such as <span class=\"popup-trigger popmake-399\" data-popup-id=\"399\" data-do-default=\"0\">GDPR<\/span>, etc). In a CIAM context:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consent must be explicit<\/li>\n\n\n\n<li>Consent must be revocable<\/li>\n\n\n\n<li>Consent must be auditable<\/li>\n\n\n\n<li>Consent must be granular<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-85891a614c3e2b774710ccf3330b0d62 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In many <span class=\"popup-trigger popmake-2946\" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> scenarios, Consent may be implied based on the Authentication mechanism used. For B2B SaaS, as an example, using Enterprise Federation may imply certain consent, so explicit user interaction is not required. <\/em><\/p>\n<\/div>\n\n\n\n<p>In the above grammar-checking example, for instance, you, the user, would explicitly interact with the Google Consent dialogue to delegate authorization to the application acting on your behalf. 
Such delegation would likely include you authorising access to:  <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read your Email Address<\/li>\n\n\n\n<li>Read your Basic Profile<\/li>\n\n\n\n<li>Search your Google Drive contents<\/li>\n\n\n\n<li>Read and update your Google Docs<\/li>\n<\/ul>\n\n\n\n<p>Modern CIAM platforms typically track what was consented to, when, under what circumstances, and for what purpose. My previous article, linked below, discusses this in more detail:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"vbwvHWgcTU\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/18\/authorized-consent\/\">Accessing Resources By Consent<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Accessing Resources By Consent&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/18\/authorized-consent\/embed\/#?secret=iUgxFII0gP#?secret=vbwvHWgcTU\" data-secret=\"vbwvHWgcTU\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"accesscontrol\">Access Control<\/h3>\n\n\n\n<p>Beyond Delegated Authorization lies access control \u2014 the &#8220;magic&#8221; determining what a user can actually do (in addition to what they have consented to be done on their behalf). 
Access control typically comes configured via a number of different models, and whilst I will touch on some of the more common ones below, you can read more in my article:<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-4ce98780ecdae54dcecc4b10958b36df is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Models effectively provide different arrangements for which permission can be defined at scale; as the more frequent operation, any evaluation of access ideally needs to be as fast and efficient as possible. <\/em><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"gBPfk8gEdJ\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/18\/authorized-access-control\/\">Access In A Controlled Manner<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Access In A Controlled Manner&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/18\/authorized-access-control\/embed\/#?secret=7vwuUSQEuw#?secret=gBPfk8gEdJ\" data-secret=\"gBPfk8gEdJ\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>Access Control also falls into two 
distinct categories. Mandatory Access Control (MAC) \u2014 the most common form \u2014 is where access permissions are determined by a central authority, and cannot be modified by users. MAC is often based on predefined policies that specify what users and systems can access based on varying factors.<\/p>\n\n\n\n<p>In contrast, Discretionary Access Control \u2014 a.k.a. DAC \u2014 offers the owner of a resource the discretion to determine who can access it and to what extent. This allows users or groups to share access (as part of delegation or otherwise) to resources based on personal preferences.<\/p>\n\n\n\n<p>Each differs in terms of how access permissions are granted and how rules are applied to manage user interactions with resources. Each comes with its own set of benefits and challenges, and they can be deployed in various combinations to achieve the desired outcome.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rebac\">ReBAC<\/h4>\n\n\n\n<p>Relationship-based Access Control is a paradigm whereby access is defined by relationship(s) between various objects \u2014 e.g. individual users and the resources provided. 
It can be used to model extremely complex scenarios, providing a fine-grained approach to access control, that can also be used to emulate many of the capabilities provided by RBAC, ABAC or the other models, facilitating:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access determination at a Relationship level<\/li>\n\n\n\n<li>Access determination at a Record level<\/li>\n\n\n\n<li>Access determination at a Field level<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-e14553ae5cc066eb080e5e4251d5fd78 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Modern Authorization systems, like <a href=\"https:\/\/openfga.dev\" target=\"_blank\" rel=\"noopener\" title=\"\">OpenFGA<\/a> or third-party providers like <a href=\"https:\/\/www.permit.io\" target=\"_blank\" rel=\"noopener\" title=\"\">Permit.io<\/a>, offer ReBAC solutions that integrate either stand-alone or in conjunction with modern IdP\/Authorization Server solutions.  <\/em><\/p>\n<\/div>\n\n\n\n<p>Using relational modelling \u2014 namely, graph-based organisation with object-level permissions \u2014 ReBAC enables the kind of Authorization capability that is critical for things like Marketplace functionality, <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS solution management, and B2C social-style platforms. 
By way of example, ReBAC facilitates capabilities such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User who can only view their own orders<\/li>\n\n\n\n<li>User that can edit profile but not account status<\/li>\n\n\n\n<li>Support agent who can view orders only from assigned region(s)<\/li>\n<\/ul>\n\n\n\n<h4 id=\"rbac\" class=\"wp-block-heading\">RBAC<\/h4>\n\n\n\n<p>Role-Based Access Control (RBAC) assigns permissions based on the roles users hold within an organization, and is the classic model with which most are familiar. Instead of managing individual permissions, administrators assign users to specific roles, and each role has a set of permissions linked to it; with access to resources being determined based on these roles.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-f605123e6722057332830d3cb13095fe is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Popular (3rd-party) CIAM SaaS providers often bundle rudimentary RBAC as part of IdP functionality, which can further blur the distinction between what is Authentication and what is Authorization. <\/em><\/p>\n<\/div>\n\n\n\n<p>RBAC can be highly effective in <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> scenarios for segmenting usage based on different use cases or subscription levels. RBAC simplifies access control management by organising users based on their role rather than managing permissions individually. For example, users with an &#8220;administrator&#8221; role might have access to features or data which &#8220;user&#8221; level roles do not. 
In a CIAM context, this can be used to facilitate authorization across the likes of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subscription tiers<\/li>\n\n\n\n<li>Admin consoles<\/li>\n\n\n\n<li>Feature access<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<h4 id=\"abac\" class=\"wp-block-heading\">ABAC<\/h4>\n\n\n\n<p>Attribute-Based Access Control (ABAC) enables access decisions based on a wide range of attributes, including user characteristics, environmental conditions, and resource properties. These attributes can include things like time of day, location, device used, user consent, and more. <\/p>\n\n\n\n<p>Combining ABAC with RBAC or ReBAC, for example, can be highly effective in a CIAM context, providing a dynamic approach to access control based on real-world characteristics. For instance, suppose access to a resource is requested by a user with a Gold subscription level, from the UK, during business hours; a corresponding policy might say:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Allow access if within business hours AND subscription = Gold AND region = UK<\/p>\n<\/blockquote>\n\n\n\n<p>Use of ABAC supports dynamic, context-aware and increasingly fine-grained control of access that can provide for things such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regional compliance<\/li>\n\n\n\n<li>Dynamic pricing<\/li>\n\n\n\n<li>Tiered services<\/li>\n\n\n\n<li>Fraud control<\/li>\n<\/ul>\n\n\n\n<h4 id=\"cbac\" class=\"wp-block-heading\">CBAC<\/h4>\n\n\n\n<p>CBAC, otherwise known as Context-based Access Control (or Contextual Access Control), takes ABAC a step further by considering the supplemental context of an access request. 
This could include situational factors such as the user\u2019s past behaviour, current status, or even the type of operation being performed.<\/p>\n\n\n\n<h4 id=\"pbac\" class=\"wp-block-heading\">PBAC<\/h4>\n\n\n\n<p>Policy-Based Access Control, or PBAC for short, is an access control paradigm where Authorization decisions are driven directly by (dynamic) policies \u2014 the discrete, evaluable rules that form the basis of all Authorization decision making (see <a href=\"#policy\" title=\"\">below<\/a> for more details) \u2014 rather than augmented by static Role assignments or resource ACLs.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-d4d0eabe4f7879e5f2da6a856e8f232d is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Unlike the other models, PBAC doesn&#8217;t define a permission collection per se, but rather operates at the policy level, which itself can consume permission(s) independently. <\/em><\/p>\n<\/div>\n\n\n\n<p>PBAC is often positioned as a superset of RBAC and ABAC: Roles can be modelled as policy inputs, and attribute conditions can be embedded in policy rules \u2014 so it subsumes both without being tied to either paradigm&#8217;s structural constraints.<\/p>\n\n\n\n<p>The practical appeal of PBAC is flexibility and auditability \u2014 policies are explicit, versionable artefacts that can be tested and reviewed independently of application code. 
The tradeoff is governance overhead: as policy sets grow, keeping them coherent and conflict-free becomes a non-trivial engineering challenge.<\/p>\n\n\n\n<h4 id=\"acls\" class=\"wp-block-heading\">ACLs<\/h4>\n\n\n\n<p>Access Control Lists (ACLs) can be used as a supplement to define lists of who can access specific resources and what actions can be performed. In a CIAM context, ACLs are used as input to policy and can also be used in combination with the various access control models discussed above.<\/p>\n\n\n\n<p>An ACL typically comprises a number of Access Control Entries (or ACEs for short), with each ACE explicitly permitting or denying access to users\/groups. ACLs come in various types \u2014 Discretionary Access Control Lists (DACLs) and System Access Control Lists (SACLs) being the most commonly utilised \u2014 and are explained in more detail in my previously published Access Control article linked above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"policy\">Policy<\/h3>\n\n\n\n<p>Policy is the general term given to the decision-making process within the world of Authorization. At its heart is the idea that some policy &#8220;engine&#8221; \u2014 driven by a set of dynamic and\/or static rules \u2014 is used to evaluate a set of conditions: who is asking permission, what they want to do, what resource is involved, etc. (often with contextual factors like time, location, or device state being included in the equation).<\/p>\n\n\n\n<p>The outcome of policy evaluation is essentially a permit or deny decision, sometimes with obligations attached (such as the required use of MFA, Step-up Authentication, Re-authentication, etc). 
A policy will often consider aspects such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subscription level<\/li>\n\n\n\n<li>Geography<\/li>\n\n\n\n<li>Risk score<\/li>\n\n\n\n<li>Device trust<\/li>\n\n\n\n<li>Behavioural anomalies<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>Policy leverages both Consent and Access Control, in whatever combination is required, evaluating the express permissions defined to achieve the resulting outcome. Commonly written declaratively \u2014 in as complex or as simple a manner required, combining permission evaluation with functional logic \u2014 for compliance and auditing, policies are typically versioned, testable, and auditable. For instance, a statement like:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>IF role = &#8220;Admin&#8221; THEN grant delete<\/p>\n<\/blockquote>\n\n\n\n<p>or<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>IF user_id = resource_owner THEN allow edit<\/p>\n<\/blockquote>\n\n\n\n<p>forms a simple policy logic that will either permit or deny operation. 
This can be combined with more complexity that requires elevation of privilege, such as via Step-up Authentication or the like: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>IF  risk_score &gt; 70 THEN require MFA<\/p>\n<\/blockquote>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-b79b0ae14669ecb559ac1a4cfa219b14 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Even the simplest policy logic can quickly become difficult to manage, especially as systems grow and numerous policies are defined. Solutions like <a href=\"https:\/\/www.openpolicyagent.org\" target=\"_blank\" rel=\"noopener\" title=\"\">Open Policy Agent (OPA)<\/a>, for example, typically make policy easier to manage. <\/em><\/p>\n<\/div>\n\n\n\n<p>Policy within any IAM integration is used for permission evaluation across numerous aspects, including such things as API Authorization, Microservices Authorization, and, of course, in support of Zero-trust architecture. Solutions like <a href=\"https:\/\/www.openpolicyagent.org\" target=\"_blank\" rel=\"noopener\" title=\"\">Open Policy Agent (OPA)<\/a> and <a href=\"https:\/\/www.cedarpolicy.com\" target=\"_blank\" rel=\"noopener\" title=\"\">Cedar<\/a> are examples that provide more complex policy processing management. 
<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-7b23e5ed2a115b051d86583b5bce33b9 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>OpenFGA sits in related territory, though it is primarily considered a ReBAC solution (as discussed <a href=\"#rebac\" title=\"\">above<\/a>). <\/em><\/p>\n<\/div>\n\n\n\n<h3 id=\"permission\" class=\"wp-block-heading\">Permission<\/h3>\n\n\n\n<p>At the core of Authorization lies the concept of&nbsp;Permission. Permission \u2014 or more precisely &#8220;Permissions&#8221;, as there&#8217;s typically more than one \u2014 represent the explicit right to perform a particular action on a specific resource, and are typically defined as an&nbsp;action\u2013resource relationship, such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>read:orders<\/code>&nbsp;<\/li>\n\n\n\n<li><code>edit:profile<\/code>, or&nbsp;<\/li>\n\n\n\n<li><code>delete:document<\/code> <\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-5a9f30b942b3efb8c8b293a2347fbc05 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst there is no standard for permission definition per se, the generally accepted patterning is <code>&lt;action&gt;:&lt;resource&gt;<\/code>, or in certain cases, <code>&lt;resource&gt;:&lt;action&gt;<\/code>  
<\/em><\/p>\n<\/div>\n\n\n\n<p>Permissions are essentially atomic rights \u2014 as in <code>create<\/code>, <code>view<\/code>, <code>update<\/code>, <code>edit<\/code>, <code>delete<\/code>, <code>share<\/code>, etc. \u2014 and often follow a <strong>CRUD<\/strong> pattern (as in <code>Create<\/code>, <code>Read<\/code>, <code>Update<\/code> and <code>Delete<\/code>) for a resource. When a user \u2014 or more specifically the &#8220;subject&#8221; in question \u2014 attempts to perform an operation, evaluation via the use of Policy determines whether he\/she\/it possesses the right to perform the desired action on the designated resource.<\/p>\n\n\n\n<p>Such evaluation may be direct \u2014 where permissions are assigned directly to the user\/subject \u2014 or indirect, where permissions are inherited through&nbsp;access control models, groups and\/or direct policy logic. By carefully defining and assigning permissions, systems can ensure that only the capabilities genuinely required are granted, reducing risk while enabling secure and scalable Authorization. The table below gives some examples of how this granularity of Authorization can vary at different levels within a system:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Level<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Application<\/td><td>Can access the dashboard<\/td><\/tr><tr><td>Function<\/td><td>Can delete account<\/td><\/tr><tr><td>Feature<\/td><td>Can use export function<\/td><\/tr><tr><td>Resource<\/td><td>Can view invoice #123<\/td><\/tr><tr><td>Field<\/td><td>Can see salary field<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 id=\"granularity\" class=\"wp-block-heading\">Granularity<\/h4>\n\n\n\n<p>Permission granularity&nbsp;refers to the level of detail at which permissions are defined and enforced within an Authorization system. This, in turn, determines how precisely authorization rights can be controlled over actions and resources. 
<\/p>\n\n\n\n<p>At one end of the spectrum are&nbsp;<strong>coarse-grained permissions<\/strong>, where a single permission may grant broad access to an entire system or dataset, such as&nbsp;<code>admin:all<\/code>&nbsp;or&nbsp;<code>read:reports<\/code>. While simple to manage, coarse permissions often risk granting users more access than they actually require.<\/p>\n\n\n\n<p>At the other end are&nbsp;<strong>fine-grained permissions<\/strong>, which break rights down into very specific action\u2013resource combinations. For example, a system might distinguish between&nbsp;<code>read:order<\/code>,&nbsp;<code>update:order_status<\/code>, and&nbsp;<code>refund:order<\/code>. In such cases, permissions may apply not only to a type of resource, but to specific&nbsp;characteristics of that resource \u2014 for instance, allowing a user to update only the orders they created or view only certain attributes within a customer profile.<\/p>\n\n\n\n<p>Granularity plays a crucial role in achieving what is typically referred to as the <em><strong>Principle of Least Privilege<\/strong><\/em> (discussed in more detail <a href=\"#privilege\" title=\"\">below<\/a>). However, increased granularity also introduces greater&nbsp;complexity in management and policy evaluation. Effective Authorization, therefore, seeks to strike a balance where, ultimately, well-designed permission granularity enables precise, scalable, and context-aware access control&nbsp;without overwhelming administration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"privilege\">Privilege<\/h3>\n\n\n\n<p>Within the Authorization context,&nbsp;Privilege&nbsp;refers to the level of access or control that a subject \u2014 typically a user, or some <span class=\"popup-trigger popmake-2822\" data-popup-id=\"2822\" data-do-default=\"0\">service-level<\/span> process \u2014 has over a particular resource. 
While&nbsp;<em>permissions<\/em>&nbsp;describe the specific actions that can be performed, privileges represent the broader authority to perform higher-risk or more sensitive operations within a system. <\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-ac6d21b55dc8ced13395dd9d1b4616cb is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Traditionally, the province of B2E solutions, Privilege has become an important factor in B2B SaaS Solutions where integration with corporate systems and administrative policies is commonplace.<\/em><\/p>\n<\/div>\n\n\n\n<p>Privilege often includes administrative capabilities such as modifying configurations, managing other users, accessing sensitive data, or executing system-level commands. Because these capabilities can have a significant impact on security, stability, and data protection, privileges must be carefully governed within a security-robust Authorization ecosystem.<\/p>\n\n\n\n<p>A fundamental concept in managing privilege is the&nbsp;<strong>Principle of Least Privilege (PoLP)<\/strong>. This principle states that a subject (i.e. user, process, etc) should be granted only the minimum level of access required to perform its intended function \u2014 and nothing more. By limiting privileges in this way, organisations reduce the potential attack surface and minimise the damage that can occur if credentials are compromised or misused. <\/p>\n\n\n\n<p>For example, a customer support agent may require permission to view account details but should not necessarily have the privilege to modify system configurations or access financial records. 
Implementing least privilege typically involves access control that facilitates granular permission definitions with policies that ensure privileges are tightly aligned with job responsibilities.<\/p>\n\n\n\n<h4 id=\"pam\" class=\"wp-block-heading\">PAM<\/h4>\n\n\n\n<p>Privileged Access Management, or PAM for short, helps protect organisations against cyber threats by monitoring, detecting, and preventing unauthorised privileged access to critical resources. PAM works through a combination of people, processes, and technology and gives you visibility into who is using privileged accounts and what they are doing while they are logged in. Limiting the number of users who have access to administrative functions increases system security, while additional layers of protection mitigate data breaches by threat actors.<\/p>\n\n\n\n<p>Certain operational tasks inevitably require elevated privileges. System administrators, DevOps engineers, database administrators, and automated infrastructure services often need higher levels of authority to maintain and operate systems. PAM solutions are designed to control, monitor, and audit the use of privileged accounts; instead of permanently assigning high-level privileges, PAM systems often implement mechanisms such as&nbsp;just-in-time privilege elevation, session monitoring, and detailed activity logging.<\/p>\n\n\n\n<p>In practice, PAM reduces risk by ensuring that privileged access is granted only when necessary and for a limited duration. For instance, an administrator may request temporary elevated privileges to perform a maintenance task, which are automatically revoked once the task is completed. 
Additionally, PAM systems frequently rotate privileged credentials, preventing direct knowledge of sensitive information by individual users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the world of\u00a0Customer Identity and Access Management, Authentication and Authorization are essentially the two sides of the &#8220;Auth&#8221; coin. Whilst at first glance they seem similar, the distinction between each is fundamental to achieving a successful outcome from both an integration and a security perspective \u2014 yet is often misunderstood.<\/p>\n","protected":false},"author":1,"featured_media":5471,"comment_status":"open","ping_status":"open","sticky":false,"template":"single-posts-with-toc-l4","format":"standard","meta":{"authenticate":"","authentication":"","authenticatedMethod":"","authenticatedMember":"","authorizedPermissions":[],"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[14,8],"tags":[40,72,83,41,21,90,89,17],"class_list":["post-5286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-authentication","category-authorization","tag-access-control","tag-authentication","tag-authorization","tag-consent","tag-mfa","tag-permission","tag-privilege","tag-sso"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2026\/03\/12120911\/create-a-highly-detailed-high-resolution-image-depicting-the-theme-of.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/5286","targetHints":{"allow":["GET"]}}],"c
ollection":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/comments?post=5286"}],"version-history":[{"count":106,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/5286\/revisions"}],"predecessor-version":[{"id":5521,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/5286\/revisions\/5521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media\/5471"}],"wp:attachment":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media?parent=5286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/categories?post=5286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/tags?post=5286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}