CIAM.wiki

Fine-grained authorization

Authentication decides who you are. Authorization decides what you can do once you are in. For consumer and B2B products, the second question gets complicated fast: per-resource sharing, organization roles, delegated access, and now AI agents acting on a user’s behalf. Coarse roles stop being enough.

The models, in order of power

  • RBAC (role-based): permissions attached to roles. Simple, and the right default for many apps.
  • ABAC (attribute-based): decisions evaluate attributes of the user, resource, and context (department, region, time, risk).
  • ReBAC (relationship-based): permissions derived from relationships between objects, as in the Google Zanzibar model; well suited to per-resource sharing (“users who are editors of this document”).

Most products start at RBAC and hit a wall when customers ask for granular, per-resource, or cross-tenant sharing.
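To make the ReBAC model concrete, here is an added example (not code from this page or from any vendor) of a minimal Zanzibar-style check in Python: relationship tuples are stored as (object, relation, subject), the schema says which relations imply others and which are inherited from a parent object, and the check walks those rules. The tuples, object names and schema are constructed for illustration.

```python
# Zanzibar-style tuples: (object, relation, subject). A subject is either a
# user ("user:alice") or a userset ("group:eng#member") that refers to
# everyone holding that relation on that object.
TUPLES = {  # constructed sample data, not from any real system
    ("folder:eng", "viewer", "group:eng#member"),  # folder shared with a group
    ("group:eng", "member", "user:bob"),           # bob is in the group
    ("doc:roadmap", "parent", "folder:eng"),       # doc lives in the folder
    ("doc:roadmap", "editor", "user:alice"),       # alice edits the doc directly
}

# Hypothetical schema: per object type, which relations imply a relation
# ("editor" implies "viewer") and which are inherited through a link
# (a viewer of the doc's parent folder is a viewer of the doc).
SCHEMA = {
    "doc": {
        "viewer": {"implied_by": ["editor"], "from_parent": [("parent", "viewer")]},
        "editor": {},
        "parent": {},
    },
    "folder": {"viewer": {"implied_by": ["editor"]}, "editor": {}},
    "group": {"member": {}},
}

def check(obj, relation, user, tuples=TUPLES, depth=0):
    """Return True if `user` holds `relation` on `obj`, directly or via rewrites."""
    if depth > 10:  # guard against cycles in relationship data
        return False
    rule = SCHEMA[obj.split(":")[0]][relation]
    # 1. Direct tuples, expanding usersets recursively.
    for o, r, s in tuples:
        if o != obj or r != relation:
            continue
        if s == user:
            return True
        if "#" in s:
            set_obj, set_rel = s.split("#")
            if check(set_obj, set_rel, user, tuples, depth + 1):
                return True
    # 2. Relations that imply this one (e.g. editor -> viewer).
    for rel in rule.get("implied_by", []):
        if check(obj, rel, user, tuples, depth + 1):
            return True
    # 3. Relations inherited from a linked object (e.g. parent folder's viewers).
    for link, rel in rule.get("from_parent", []):
        for o, r, s in tuples:
            if o == obj and r == link and check(s, rel, user, tuples, depth + 1):
                return True
    return False
```

The check answers the per-resource question in the text ("is this user an editor/viewer of this document?") by walking relationships rather than by looking up a global role, which is what a dedicated engine does at scale.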

Where platform-native authorization ends

CIAM platforms ship roles and sometimes basic policies, which covers a lot. When you need relationship-based permissions at scale, externalized policy as code, or a single decision point across many services, teams reach for a dedicated authorization engine. The options range from open-source (OpenFGA, SpiceDB, Cedar) to managed services; browse them in the authorization lane of the market map. The emerging AuthZEN standard from the OpenID Foundation aims to make the app-to-engine decision call interoperable.

What to ask a CIAM vendor

  • Which models are supported: RBAC, ABAC, ReBAC, or a mix?
  • Is authorization externalized as policy, or hard-coded per application?
  • Can it evaluate per-resource and relationship-based permissions, not just global roles?
  • What is the decision latency at scale, and is there a single decision point across services?
  • Does it support, or have a path to, the AuthZEN interoperability standard?

The buyer takeaway: pick the simplest model that covers your sharing and tenancy needs, and externalize authorization before it is scattered across every service. See the Authentication & Authorization capability domain, then run the vendor matcher.