Three Strategies
Options for Access Control
- Restrict the URI space — only certain people can even construct the URL (fragile, bypassable).
- Restrict the API call — application or gateway checks roles before calling the data layer (common, but creates the PEP staleness problem).
- Protect the data itself — the data platform enforces scope on every read and write, using live, consistent policy evaluation (the data-centric approach).
Application-centrism let us cheat. Data-centric systems remove the cheat codes.