authorization-models

# Authorization Models Skill

## Overview

This skill provides comprehensive guidance on authorization models and access control patterns. Authorization determines what authenticated users can do within a system.

**Key Principle:** Authorization should be declarative, centralized, and auditable.

## When to Use This Skill

- Designing a permission system from scratch
- Choosing between RBAC, ABAC, ACL, or ReBAC
- Implementing policy-as-code with OPA
- Migrating from simple role checks to fine-grained authorization
- Implementing the principle of least privilege
- Designing multi-tenant authorization
- Building a Zanzibar-style permission system

## Authorization Model Comparison

| Model | Best For | Complexity | Scalability | Flexibility |
|-------|----------|------------|-------------|-------------|
| **ACL** | File systems, simple resources | Low | Medium | Low |
| **RBAC** | Enterprise apps, clear job roles | Medium | High | Medium |
| **ABAC** | Complex policies, dynamic rules | High | High | High |
| **ReBAC** | Social graphs, document sharing | Medium-High | Very High | High |

## Quick Decision Tree

```text
Need authorization model?
├── Simple resource ownership?
│   └── ACL (Access Control Lists)
├── Clear organizational roles?
│   └── RBAC (Role-Based Access Control)
├── Complex, context-dependent rules?
│   └── ABAC (Attribute-Based Access Control)
└── Relationship-based access (sharing, hierarchies)?
    └── ReBAC (Relationship-Based Access Control)
```

## Role-Based Access Control (RBAC)

### Core Concepts

```csharp
/// <summary>
/// Fine-grained permissions for RBAC.
/// </summary>
[Flags]
public enum Permission
{
    None = 0,
    Read = 1,
    Create = 2,
    Update = 4,
    Delete = 8,
    Admin = 16,
    Approve = 32,
    Publish = 64,

    // Common combinations
    ReadWrite = Read | Update,
    Editor = Read | Create | Update,
    FullAccess = Read | Create | Update | Delete | Admin
}

/// <summary>
/// Role with associated permissions.
///