{"id":50389716,"url":"https://github.com/mahdavipanah/authorization-model","last_synced_at":"2026-05-30T17:34:00.840Z","repository":{"id":358444230,"uuid":"1241427570","full_name":"mahdavipanah/authorization-model","owner":"mahdavipanah","description":"Authorization model specification — roles, permissions, scopes, and policy evaluation.","archived":false,"fork":false,"pushed_at":"2026-05-17T12:24:22.000Z","size":155,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-17T13:34:27.618Z","etag":null,"topics":["auth0","authorization","permission","rbac"],"latest_commit_sha":null,"homepage":"https://mahdavipanah.github.io/authorization-model/","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mahdavipanah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-17T11:29:42.000Z","updated_at":"2026-05-17T12:24:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mahdavipanah/authorization-model","commit_stats":null,"previous_names":["mahdavipanah/authorization-model"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mahdavipanah/authorization-model","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mahdavipanah%2Fauthorization-model","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mahdavipanah%2Fauthorization-model/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mahdavipanah%2Fauthorization-model/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mahdavipanah%2Fauthorization-model/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mahdavipanah","download_url":"https://codeload.github.com/mahdavipanah/authorization-model/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mahdavipanah%2Fauthorization-model/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33703065,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","authorization","permission","rbac"],"created_at":"2026-05-30T17:33:59.973Z","updated_at":"2026-05-30T17:34:00.835Z","avatar_url":"https://github.com/mahdavipanah.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"public/readme-header.png\" alt=\"Authorization model header\" width=\"480\"\u003e\n\u003c/p\u003e\n\n# Authorization Model Specification\n\nThis repository contains a **portable, normative specification** for how authorization decisions are expressed and evaluated. Any application or service may adopt it; the canonical document is [`authorization-spec.md`](authorization-spec.md).\n\n## What this specification defines\n\nThe spec covers roles, permissions, and policy evaluation. It is intended for teams building Policy Decision Points (PDPs), Policy Enforcement Points (PEPs), or operators who define or audit access control in their own systems.\n\n**In scope:**\n\n- Structure of roles and the permission statements they contain\n- Principals to which roles may be bound\n- Scopes in which roles take effect\n- The evaluation algorithm a PDP follows when ruling on a request\n\n**Out of scope:** authentication, token issuance, identity provisioning, and transport security.\n\n## Design principles\n\n| Principle | Summary |\n| --- | --- |\n| **Default-deny** | If no permission explicitly grants an action, the action is denied. |\n| **Deny-overrides** | When grants and denials apply to the same request, denials win. |\n| **Explicit over implicit** | Authority comes only from permission statements, not from role names or convention. |\n| **Decision / enforcement separation** | PDP logic is independent of PEP call sites; services ask, they do not embed business rules. |\n| **Auditability** | Every non-trivial decision is loggable with enough context to reconstruct it. |\n\n## Model at a glance\n\nA request is authorized if and only if, after evaluating every applicable permission, the result is `allow`.\n\n```\nPrincipal ──bound (within Scope)──▶ Role ──contains──▶ Permission ──▶ allow | deny\n```\n\nCore entities:\n\n- **Principal** — `user`, `service_account`, or `client`\n- **Scope** — built-in, organization, or project tier (roles apply within a scope and inherit downward)\n- **Role** — named bundle of permission statements (e.g. `auditor`, `editor`, `billing-admin`)\n- **Binding** — explicit `(principal, role, scope)` assignment; nothing else confers permissions\n- **Permission statement** — atomic claim targeting organization, service, resource, optional field/ID, effect, and action\n\nPermissions use a compact string grammar (suitable for JWT claims) and are evaluated with default-deny and deny-overrides semantics. See the spec for the full grammar, EBNF, validation rules, worked examples, and decision logging requirements.\n\n## Repository layout\n\n| Path | Purpose |\n| --- | --- |\n| `authorization-spec.md` | Source-of-truth specification |\n| `src/pages/index.astro` | Renders the spec as HTML at build time |\n| `.github/workflows/deploy.yml` | Builds and deploys to GitHub Pages on push to `main` |\n\n## Reading and editing the spec\n\n- **Read:** open [`authorization-spec.md`](authorization-spec.md) in this repo, or use the published site after deployment (see below).\n- **Change:** edit `authorization-spec.md`, commit, and push; the site rebuilds automatically when GitHub Actions is configured.\n\n## Site rendering and deployment\n\nThis repo also includes a small [Astro](https://astro.build/) site that turns the markdown spec into a static HTML page for easier reading on the web.\n\n### How it works\n\n- `authorization-spec.md` is the single source of truth.\n- `src/pages/index.astro` reads that file and converts markdown to HTML at build time.\n- `.github/workflows/deploy.yml` builds `dist/` and deploys to GitHub Pages when you push to `main`.\n\n### Local development\n\n- Install dependencies: `npm install`\n- Start dev server: `npm run dev`\n- Build production output: `npm run build`\n- Preview build locally: `npm run preview`\n\n### Publishing on GitHub Pages\n\n1. Create a GitHub repository and push this project to the `main` branch.\n2. In GitHub, open **Settings \u003e Pages**.\n3. Set **Source** to **GitHub Actions**.\n4. Push a commit to `main` (or run the workflow manually from the Actions tab).\n5. After deploy finishes, the site is available at:\n   - `https://\u003cgithub-username\u003e.github.io/\u003crepository-name\u003e/`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmahdavipanah%2Fauthorization-model","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmahdavipanah%2Fauthorization-model","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmahdavipanah%2Fauthorization-model/lists"}