Authorization in Software

Author: Auth0


Description

Authorization in Software features chats with industry subject matter experts in Authorization. Some of the covered topics are: how authorization is implemented at specific companies (e.g.: Airbnb, Slack, Github), how industry standards relate to authorization, and the history of authorization in software.


Damian Schenkelman hosts Authorization in Software. Damian is the creator of the OpenFGA project and a Principal Architect on the Auth0 Lab team, where he does research and development of forward looking products. Before Auth0, Damian spent many years working for and at Microsoft on Azure, and patterns & practices related initiatives. He loves spending his spare time with family, friends and catching up on all things NBA.

15 Episodes
This episode explores the concept of Topaz, an authorization engine that unites policy as code, relationship-based authorization models like Zanzibar, and real-time decision-making. We discuss how Topaz is designed to handle fine-grained authorization, crucial in today's zero-trust environments, by making local decisions over local data. Omri discusses the architecture of Topaz, including its use of Open Policy Agent (OPA) and a triple store model for data. You will gain insight into the challenges of authorization, the importance of keeping data and policies synchronized, and how Topaz addresses these issues. The conversation also touches on the practical aspects of implementing Topaz, such as data source integration, deployment models, and the flexibility it offers for different organizational needs. This episode is essential for anyone interested in the latest trends and tools in software authorization, providing a comprehensive look at how Topaz is paving the way for more secure and efficient application development.
Dive into the world of advanced authorization with Gabriel Manor, Head of DevRel and Growth at Permit.io. In this episode of Authorization in Software, Damian Schenkelman engages Gabriel in a discussion on the Open Policy Authorization Layer, better known as OPAL. Damian and Gabriel delve deep into how OPAL enables a structured and effective approach to authorization. They cover the shift from traditional Role-Based Access Control (RBAC) to the more dynamic Attribute-Based Access Control (ABAC), highlighting the need for granular control in modern application environments. This episode is insightful for those interested in understanding the complexities of policy-based authorization systems. It discusses the challenges and benefits of decoupling authorization policies from application code, emphasizing the importance of streamlined policy management for secure and efficient software development.
How Box Does Authorization

2023-10-18 (01:02:27)

In this episode of Authorization in Software, Damian Schenkelman sits down with John Huffaker, Distinguished Engineer at Box. They discuss how Box, a major file-sharing and collaboration platform, approaches authorization. The conversation touches upon:
- The importance of security for a platform like Box, which handles sensitive data for countless users and businesses.
- A look into the different layers of security, including application and infrastructure security.
- The challenges and solutions to ensure that Box remains impenetrable.
- A detailed overview of the multiple layers involved in making different kinds of authorization decisions, from viewing files and folders to understanding user permissions and API accesses.
- And more...
Tune in to get an inside look at the ways Box keeps their customers' data safe and the authorization mechanisms they employ to achieve this.
Join Jennifer Wong, a seasoned expert in product management and application security at Workday, as she takes us through a decade-long journey at the forefront of one of the world's leading financial and human capital management software companies. Dive into the complexities of platform solutions and the significance of reusable components, as Jennifer outlines how Workday achieves seamless interoperability, ensuring reduced time-to-value for their customers. Learn how authorization is crucial in a company that is trusted with sensitive data from global corporate giants, and how they maintain its revered industry-standard security, even as it grows through acquisitions. Learn about the nuances of their authorization capabilities, how they adapt to evolving threats, and the underlying principle of Zero Trust. If you're curious about how Workday handles user roles, permissions, and where authorization decisions are made, this episode is a must-listen.
In this episode, host Damian Schenkelman and cybersecurity expert Neil Madden deep dive into the world of macaroons for authorization. Neil starts by distinguishing between JSON Web Tokens (JWT) and macaroons, and shares the origins and unique properties of the latter. They discuss how these Google-invented tokens can enhance security by enabling the addition of conditions, or "caveats", to the token even after it's been issued. The discussion also includes the difference between first-party and third-party caveats, key considerations for implementing macaroons, and how they can be integrated into existing systems like OAuth.
Join us in this episode of Authorization in Software, where we're joined by Atul Tulshibagwale, CTO of SGNL. In an enlightening conversation with our host Damian Schenkelman, Atul dives deep into the concept of Real-Time Authorization, an innovative approach to dynamic access control. This episode sheds light on how Real-Time Authorization operates, continuously assessing and authorizing access based on a variety of dynamically determined factors rather than preassigned privileges. In this ideal scenario, access to resources is granted only when necessary, enhancing security and limiting potential vulnerabilities.
In this episode of Authorization in Software, host Damian Schenkelman talks to Emina Torlak, Senior Principal Applied Scientist at AWS, about the intricacies of software authorization, policies, and the Cedar policy language. Torlak delves into the philosophy behind Cedar, an open-source language for writing and enforcing custom authorization policies. They discuss the need for policy-based access control, how it separates application code from authorization logic, and the importance of user interface in managing authorization.
Role Management at Slack

2022-03-15 (01:12:30)

Jake Byman (Engineer @ CommonRoom), Aish Raj Dahal (Staff Engineer @ Slack) and Damian Schenkelman (Principal Engineer @ Auth0) talk about Role Management at Slack: how authorization at Slack works and how it is implemented. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
In this chat, Damian Schenkelman (Principal Engineer @ Auth0) chats with Alan Yao (Staff Software Engineer @ AirBnB) about Himeji, Airbnb's authorization system inspired by Google Zanzibar. They discuss how Himeji is built, how its flexibility empowers teams when building new features and the alternatives they considered. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
In this episode, Damian Schenkelman (Principal Engineer @ Auth0) and Tim Hinrichs (Co-founder & CTO @ Styra) chat about Rego, OPA and Styra: their history, differences, use cases and what it is like to build Open Policy Agent as open source software. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
In this chat, Damian Schenkelman (Principal Engineer @ Auth0), Aaron Hinrichs and Andy Harb (Senior Engineers @ Carta) chat about AuthZ, Carta's highly scalable permission system inspired by Google Zanzibar. They discuss the authorization challenges at Carta, why they decided to go with a Google Zanzibar-like approach and the benefits the company gets from this. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
Damian Schenkelman (Principal Engineer @ Auth0) chats with David Brossard (Senior Director of Identity Product Management @ Salesforce) about the history and current state of authorization in software. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
Authorization at GitHub

2021-10-13 (01:11:49)

Damian Schenkelman (Principal Engineer @ Auth0) chats with Bryana Knight and Víctor Roldán Betancort (Staff Engineers at GitHub) about GitHub's Authorization needs, its history, and their future plans. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
Juan Rossi (Platform Security Senior Manager @ Mercado Libre) chats with Damian Schenkelman (Principal Engineer @ Auth0) about dealing with permissions and authorization at Mercado Libre (LATAM's biggest e-commerce). Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.
In this audio conversation, Vittorio Bertocci and Damian Schenkelman discuss identity, OAuth2, JSON Web Tokens (JWTs) and what you can and can't do with those for various authorization scenarios. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at @dschenkelman, or reach the Auth0 team focused on Fine Grained Authorization at @auth0lab.