
Authorization design considerations

Authorization refers to the permissions granted to users to access and view information in the application. Grant only the minimum access necessary to perform the required tasks. This principle applies to both you and developers.

As you are designing your authorization scheme:

  • Create a matrix that outlines the access roles, privileges, and attributes that need to be secured. Determine whether to use role-based access control (RBAC), attribute-based access control (ABAC), or both in your authorization scheme. Client-based access control (CBAC) and basic access control are the other authorization models; they provide different yet complementary functionality to RBAC and ABAC. For more information, see Authorization.
  • When defining access groups, use the Deny rule security mode. Some organizations enforce a deny-first policy in which users must hold explicit privileges before they can access certain information. If your application has similar requirements, review the Rule security mode setting on each access group.
  • Define security for reports, attachments, and background processes. Background processes such as job schedulers need an associated access group of their own.
  • Secure developer access by limiting administrator rights to only the developers who need them. Additionally, your organization might restrict which developers are authorized to create activity rules or SQL connector rules.
  • Ensure that developers cannot update passwords for other users.
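The access matrix and deny-first evaluation described in the list above, as an added Python example. This is not Pega's own code or data model: the role names, privilege names, the region/owner/status attributes, the helper names and the evaluation order (explicit Deny wins, then explicit Allow, then the rule security mode for anything unmapped, then the ABAC condition) are all constructed assumptions for illustration.

```python
"""Deny-first access matrix combining RBAC (role -> privilege) with ABAC
(attribute conditions).  Hypothetical example: roles, privileges, attribute
names and evaluation order are constructed and are not Pega's data model or API."""
from typing import Callable, Dict, Optional, Set

ALLOW, DENY = "Allow", "Deny"          # the two rule security modes modelled here
Condition = Callable[[dict, dict], bool]

# Constructed access matrix (the RBAC half): access role -> privilege -> Allow/Deny.
# Background processes (the scheduler) and developers get their own rows.
ACCESS_MATRIX: Dict[str, Dict[str, str]] = {
    "CaseWorker": {"ViewCase": ALLOW, "UpdateCase": ALLOW, "ExportReport": DENY},
    "Manager":    {"ViewCase": ALLOW, "UpdateCase": ALLOW, "ApproveCase": ALLOW,
                   "ExportReport": ALLOW},
    "Scheduler":  {"RunBackgroundJob": ALLOW},
    "Developer":  {"EditRules": ALLOW, "UpdateOtherUserPassword": DENY},
}

# Constructed ABAC half: a privilege may carry an attribute condition that must
# also hold between the user and the resource.  No condition means RBAC alone decides.
ATTRIBUTE_CONDITIONS: Dict[str, Condition] = {
    "ViewCase":    lambda user, case: user["region"] == case["region"],
    "UpdateCase":  lambda user, case: (user["region"] == case["region"]
                                       and case["status"] != "Closed"),
    "ApproveCase": lambda user, case: user["id"] != case["owner"],  # separation of duties
}


def rbac_decision(roles: Set[str], privilege: str, mode: str) -> bool:
    """Resolve the matrix across all of the user's roles.
    An explicit Deny in any role wins; otherwise an explicit Allow grants;
    otherwise the rule security mode decides the unmapped privilege."""
    entries = {ACCESS_MATRIX.get(role, {}).get(privilege) for role in roles}
    if DENY in entries:
        return False
    if ALLOW in entries:
        return True
    return mode == ALLOW   # an unmapped privilege slips through only in allow-by-default mode


def is_authorized(user: dict, privilege: str, resource: Optional[dict] = None,
                  mode: str = DENY) -> bool:
    """Full decision: RBAC first, then the ABAC condition (if any) for the privilege."""
    if not rbac_decision(user["roles"], privilege, mode):
        return False
    condition = ATTRIBUTE_CONDITIONS.get(privilege)
    if condition is None:
        return True
    if resource is None:
        return False       # fail closed: the attribute condition cannot be evaluated
    return condition(user, resource)


def unmapped_privileges(required: Set[str]) -> Set[str]:
    """Audit helper: privileges the application needs that no role explicitly
    allows or denies.  Under Deny mode these are blocked for everyone; under
    Allow mode they are open to everyone, which is the gap deny-first closes."""
    mapped = {priv for entries in ACCESS_MATRIX.values() for priv in entries}
    return required - mapped


if __name__ == "__main__":
    worker = {"id": "u1", "roles": {"CaseWorker"}, "region": "EMEA"}      # constructed
    case_emea = {"owner": "u2", "region": "EMEA", "status": "Open"}       # constructed
    case_apac = {"owner": "u2", "region": "APAC", "status": "Open"}       # constructed
    print(is_authorized(worker, "ViewCase", case_emea))                # True
    print(is_authorized(worker, "ViewCase", case_apac))                # False: ABAC region check
    print(is_authorized(worker, "ApproveCase", case_emea))             # False: unmapped, deny-first
    print(is_authorized(worker, "ApproveCase", case_emea, mode=ALLOW)) # True: allow-by-default gap
    print(unmapped_privileges({"ViewCase", "ApproveCase", "ArchiveCase"}))  # {'ArchiveCase'}
```

Running the same `ApproveCase` check in both modes is the useful comparison: the matrix never mentions that privilege for a case worker, so Deny mode blocks it while Allow mode lets it through. `unmapped_privileges` is the review step that finds such rows before the matrix goes live, and a missing resource fails closed rather than skipping the attribute check.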
