Authorization in microservice architecture, P0: Introduction
Implementing Authorization in Public Safety Products
Implementing an effective authorization system in a microservice architecture is challenging due to the absence of standard guidelines. This blog post outlines the journey my team and I undertook to modernize our authorization system at Axon during our transition from a monolithic system. In 2021, we successfully deployed a new system, which has been running smoothly since.
The post aims to share the lessons learned and the decision-making process involved in building an enterprise authorization solution. Some of the information is also drawn from publicly available sources, many of which date from before 2021. I hope this serves as a valuable reference for other companies facing similar challenges.
Axon provides law enforcement technology solutions, including TASER devices, body cameras, and digital evidence management systems. Security is the top priority for these products, which handle sensitive data such as video evidence and personal information. Access management and data protection are essential to maintaining public trust, ensuring legal compliance, and protecting the integrity of law enforcement operations.
Within an Identity and Access Management (IAM) system, authorization acts as the gatekeeper, determining access control and enforcing the actions a user or system can perform on specific resources. Axon initially implemented authorization features at product launch. However, as customer demands grew and the business expanded, managing permissions became increasingly complex. This complexity led to performance issues and potential security vulnerabilities.
As the system evolved beyond a monolithic codebase, a single database, and a basic role structure, the fragmentation of authorization data and logic made the old access control methods unsuitable. Moreover, ensuring a shared understanding of access control across multiple stakeholders – including product managers, audit teams, engineering teams, and QA – was difficult. These factors combined to make introducing new features or modifying permissions increasingly cumbersome. To support the company's next phase of scaling, a new approach to managing access control effectively was needed.
Read details in the following four parts:
Part 1: The Motivation to Change
Part 2: The Approaches
Part 3: The Policy Language
Part 4: Production Deployment