Identity != Permissions

Authorization is hard - and authorization is often conflated with authentication and identity. We think that tightly coupling "Identity and Access Management" in a single solution is the wrong approach. These two concerns should be clearly separated.

As your software becomes more complex, not maintaining this separation leads to problems. Back in 2016 we wrote a blog post that expressed this concern.

Identity + Permissions == Authorization

Identity is universal, whereas permissions are application specific. This is why the identity system should not define permissions.

Instead, identity should be one of the inputs to an authorization system. The combination of identity and an application-specific policy produces the actual permissions for an application.

While there are many ways to model authorization, we found that the concept of roles and permissions to be the most prevalent. Please watch the below recording from NDC London 2018 to get the full background.


This is why we have developed "PolicyServer", which is an implementation of the above pattern.

We offer two versions of PolicyServer.

One version is a free OSS version that has all the necessary patterns and libraries to achieve the separation of authentication and authorization for a single application.

The other version is a commercial product which supports multiple applications, advanced scenarios (including policy hierarchies), a central repository for storing policies, and a management UI and API.