Enabling features according to a user's roles

This section discusses authorization implementation strategies. Authorization is the process of granting access to resources according to a defined policy. Keep in mind the distinction: authentication is the process of verifying that a user or another system is who they claim to be, whereas authorization deals with what a given user is allowed to do.

Authorization mechanisms can be implemented in many ways depending on the specific requirements of an application. Some applications use a basic public/private approach (like the one we have used so far in this chapter), where the policy is as simple as checking whether a user is authenticated in order to grant access to a certain UI component. Other applications may require multiple roles, each with a different set of permissions. Moreover, a user may hold several roles at the same time, and those roles may change at runtime. To complicate things further, a role may define a set of permissions that can itself change at runtime.
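As an added example (not code from this chapter), the following Python model covers the cases just described: a public/private check, users holding several roles, and roles and permissions that change at runtime. The user, role, permission and component names are made up for illustration.

```python
from dataclasses import dataclass, field

AUTHENTICATED = "authenticated"  # marker: any logged-in user, no specific permission needed


@dataclass
class Policy:
    """Role-based policy: users hold roles, roles hold permissions.
    Both mappings are plain dicts so they can be changed at runtime."""
    role_permissions: dict = field(default_factory=dict)  # role -> set of permissions
    user_roles: dict = field(default_factory=dict)        # user -> set of roles

    def grant(self, role, permission):
        self.role_permissions.setdefault(role, set()).add(permission)

    def revoke(self, role, permission):
        self.role_permissions.get(role, set()).discard(permission)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        # Effective permissions are the union over all roles the user holds right now.
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def allows(self, user, requirement):
        """user is None for an anonymous visitor. requirement is None (public),
        AUTHENTICATED (any logged-in user) or a permission name. Deny by default."""
        if requirement is None:
            return True
        if user is None:
            return False
        if requirement == AUTHENTICATED:
            return True
        return requirement in self.permissions_of(user)


def visible_components(policy, user, components):
    """Names of the UI components the user may see, from a {component: requirement} map."""
    return [name for name, req in components.items() if policy.allows(user, req)]
```

Because the check is evaluated against the current mappings on every call, assigning or revoking a role or permission takes effect the next time the UI is built, without restarting the session.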

Depending on the complexity of the rules your application must support, you would choose one approach to authorization or another. Let's discuss some of them; hopefully they will inspire you and give you ideas about how to implement an authorization mechanism suitable for your application.
