Three Strategies

Options for Access Control

  • Restrict the URI space — only certain people can even construct the URL (fragile, bypassable).
  • Restrict the API call — application or gateway checks roles before calling the data layer (common, but creates the PEP staleness problem).
  • Protect the data itself — the data platform enforces scope on every read and write, using live, consistent policy evaluation (the data-centric approach).

Application-centrism let us cheat. Data-centric systems remove the cheat codes.