With the advances we have seen in access control, the Sitecore Headless and Composable Platform provides a robust foundation on which to develop a flexible, powerful and, yes, composable modern data security stack. While authentication (verifying user identity) remains a boolean operation, authorizing users in real time has undergone a major transformation. The era of monolithic frameworks and platforms is fading; in a world of microservices and decoupled, composable architectures, a new way of looking at application permissions is required. Row-level data security across platforms, regardless of the type of data store, is essential.

Many organizations today struggle to keep the data of their decoupled, distributed, and composable apps compatible with Zero Trust principles across a range of environments, from on-premises to multi-cloud to apps and microservices. This forces organizations to rethink how to secure their digital data across platforms in a consistent way. In this blog post, we will explore a strategy for applying modern application authorization principles, with Zero Trust as the base, to design modern, secure, distributed digital experiences.

The Start: Zanzibar as a Foundation for Implementing Fine Grained Authorization

Since Google published the paper Zanzibar: Google’s Consistent, Global Authorization System in 2019, describing a graph-based authorization model that evaluates relationships between users and resources, the popularity of such systems has been growing exponentially. Unfortunately, Google’s Zanzibar is not an open-source framework but rather a description of how Google handles the complex authorization needs of its products (including Calendar, Cloud, Drive, Maps, Photos, and YouTube). As such, implementing Zanzibar-like authorization could be a daunting task if done purely from the paper’s principles. The paper does, however, propose a flexible and scalable authorization framework that can accommodate various authorization models. It emphasizes the importance of a generic and granular authorization system that can support diverse authorization models while providing consistency and scalability across different services and applications. Modern Zanzibar-inspired systems are typically based on one or more of the following authorization models:

  • Single Property Authorization
    • Role-Based Access Control (RBAC): manages access based on roles assigned to users (roles are groups of permissions)
  • Fine-Grain Authorization
    • Attribute-Based Access Control (ABAC): manages access based on user or resource attributes (e.g. location, department)
    • Relationship-Based Access Control (ReBAC): manages access based on relationships and hierarchies between users and resources
    • Policy-Based Access Control (PBAC): offers granular control over access permissions through a policy engine that drives authorization in a centralized and controlled way

Selecting the appropriate authorization model involves evaluating the need for granularity, scalability, performance, and development complexity. In most cases, multiple models must be combined to achieve business goals. Let’s see what we need to consider before we choose a product or develop a security design pattern based on the above authorization models.
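To make the Zanzibar-style graph model concrete, here is an added example (not Google’s code, nor any vendor’s) of a minimal in-memory relationship store with a recursive check. Tuples read object#relation@subject, where the subject is either a user id or a userset such as group:writers#member. The namespace rules (owner implies editor implies viewer; a document inherits viewers from its parent folder), the object names and the users are all constructed for this illustration. Group membership plays the RBAC role, while the relation graph is the ReBAC part, showing how the models combine in practice.

```python
# Added example (not Google's Zanzibar code, nor Sitecore's): a minimal in-memory
# relationship graph in the Zanzibar style. Tuples read object#relation@subject,
# where subject is a user id ("user:bob") or a userset ("group:writers#member").
# Namespace config, object names and users are all constructed for this example.
from collections import defaultdict

# Relations on the same object that imply another relation ("computed userset"):
# an owner is implicitly an editor, an editor is implicitly a viewer.
IMPLIED_BY = {
    "document": {"editor": ["owner"], "viewer": ["editor"]},
    "folder": {"viewer": ["owner"]},
    "group": {},
}

# Relations inherited through a linked object ("tuple to userset"): a viewer of
# a document's parent folder is a viewer of the document.
TUPLE_TO_USERSET = {("document", "viewer"): ("parent", "viewer")}

MAX_DEPTH = 16  # simple guard against cycles in the relationship graph


class RelationStore:
    """In-memory tuple store keyed by (object, relation) -> set of subjects."""

    def __init__(self):
        self._tuples = defaultdict(set)

    def write(self, obj, relation, subject):
        self._tuples[(obj, relation)].add(subject)

    def subjects(self, obj, relation):
        return self._tuples.get((obj, relation), set())


def check(store, obj, relation, user, depth=0):
    """Return True if `user` holds `relation` on `obj`, following the graph."""
    if depth > MAX_DEPTH:
        return False
    namespace = obj.split(":", 1)[0]

    # 1. Direct tuples, expanding usersets such as group:writers#member.
    for subject in store.subjects(obj, relation):
        if subject == user:
            return True
        if "#" in subject:
            sub_obj, sub_rel = subject.split("#", 1)
            if check(store, sub_obj, sub_rel, user, depth + 1):
                return True

    # 2. Computed usersets: stronger relations on the same object.
    for stronger in IMPLIED_BY.get(namespace, {}).get(relation, []):
        if check(store, obj, stronger, user, depth + 1):
            return True

    # 3. Tuple-to-userset: inherit through a linked object (e.g. parent folder).
    rewrite = TUPLE_TO_USERSET.get((namespace, relation))
    if rewrite:
        link_relation, target_relation = rewrite
        for linked_obj in store.subjects(obj, link_relation):
            if check(store, linked_obj, target_relation, user, depth + 1):
                return True
    return False


def build_sample_store():
    """Constructed sample data: one folder, two documents, one group."""
    store = RelationStore()
    store.write("folder:marketing", "owner", "user:alice")
    store.write("document:brief", "parent", "folder:marketing")
    store.write("document:brief", "editor", "group:writers#member")
    store.write("group:writers", "member", "user:bob")
    store.write("document:press", "viewer", "user:carol")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for obj, rel, user in [("document:brief", "viewer", "user:alice"),
                           ("document:brief", "editor", "user:bob"),
                           ("document:brief", "owner", "user:bob"),
                           ("document:brief", "viewer", "user:carol")]:
        print(f"{obj}#{rel}@{user} -> {check(s, obj, rel, user)}")
```

Alice never appears on document:brief directly, yet she can view it because ownership of the parent folder flows down through the tuple-to-userset rule; Bob can edit it only through his group membership. A production system adds what this toy omits: persistence, a reverse index for "who can see this item" access reviews, and the consistency tokens the paper uses to avoid stale decisions.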

The Goal: Modern Authorization Across Diverse Digital Products and Platforms

In today’s interconnected digital reality, securing our data across various platforms is crucial. Our objective should be to establish a dynamic framework for data authorization based on the following modern security principles:

  • Access Review: Regular assessments ensure that only authorized individuals have appropriate access to resources.
  • Change Management: Structured processes govern modifications to systems, minimizing risks and disruptions.
  • Auditable: All actions are documented and traceable, ensuring transparency and compliance.
  • Reliable, Scalable, and Performant: Systems are dependable, capable of handling growth, and operate efficiently.
  • Zero Trust: This security model assumes no entity is inherently trustworthy, requiring continuous verification of all accesses.
  • Policy/Centralized: Centralized rules dictate access permissions, ensuring consistency and control across the organization. Authorization should be decoupled from the application (e.g., using IsAuthorized over custom in-app logic).

Once we establish these goals and align them with authorization models relevant to our business, it is time to identify patterns for implementation. Before diving into custom designs, we should conduct thorough research and consider existing products. Since the release of the Zanzibar paper, several platforms have been launched by major players in the app security field, and new vendors have emerged, each offering unique advantages and benefits. Based on our business needs, we should evaluate these options to find the best fit. Here is a list of a few to consider:

Okta/Auth0:

“Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. Your team and organization can avoid the cost, time, and risk that come with building your own solution to authenticate and authorize users.”

https://auth0.com/fine-grained-authorization

OpenFGA

Originally developed by Auth0/Okta as an open-source framework: “OpenFGA is an open-source authorization solution that allows developers to build granular access control using an easy-to-read modeling language and friendly APIs.”

https://openfga.dev/

AuthZed

“Authzed is a company that creates tools for businesses to provide scalable authorization for their applications. Authzed is based on Google’s Zanzibar white paper and is the world’s first multi-tenant permissions system as a service.”

https://authzed.com/

Amazon Verified Permissions (based on Cedar Policy Language)

“With Verified Permissions, developers can build more secure applications faster by externalizing authorization and centralizing policy management. They can also align application access with Zero Trust principles. Security and audit teams can also better analyze and audit who has access to what within applications.”

https://aws.amazon.com/verified-permissions/

https://www.cedarpolicy.com/en

The Sitecore: Composable Application and Data Security

It is common for Sitecore-generated content to be used outside the system that produced it. Many organizations use Sitecore products such as Content Hub DAM, the Sitecore XP and XM CMSs, OrderCloud and CDP to generate data that is consumed within each product and often serves as a source of truth for other composable and decoupled products. Whether the data is used by the originating product or externally, addressing Zero Trust and the other security principles above is crucial.

Fortunately, implementing modern authorization in Sitecore products is a straightforward process. It begins with a new Data Security Strategy that ensures a consistent approach to handling data across systems and platforms. In Sitecore, we consider two constructs: data consumers, such as Headless or Sitecore Personalize, and data creators, such as the various content systems (CMS, DAM, Commerce, etc.). Data consumers require a fast and reliable way to obtain an authorization decision in real time for each individual item, while data creators need to structure each atomic piece of content with consistent security tagging and mechanisms that establish proper ownership of the content. While content tagging depends on the product, permission validation should be treated as a standalone composable capability that encapsulates all validation logic, thus reducing complexity within each individual data consumer application.
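The creator/consumer split described above, together with the “Policy/Centralized” and “Auditable” principles from the goals list, is illustrated by the following added example (not Sitecore’s code or API). Data creators attach a consistent set of security tags to every atomic item; every consumer calls a single standalone PermissionValidator rather than embedding its own rules, and each decision is written to an audit trail. The item ids, tag names, roles, departments and the policy rules themselves are hypothetical and constructed for this illustration; an item that arrives without the required tags is denied, so a mis-tagged producer fails closed instead of leaking.

```python
# Added example (not Sitecore's code): data creators emit consistent security
# tags on every atomic content item; every data consumer calls one standalone
# PermissionValidator instead of embedding its own rules. Item ids, tag names,
# roles and policy rules are hypothetical, constructed for this illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ContentItem:
    item_id: str
    source: str       # creating system, e.g. "cms", "dam", "commerce"
    security: dict    # security tags attached by that creating system


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    department: str
    region: str


# Tags every creator must emit; an item missing any of them is denied (fail closed).
REQUIRED_TAGS = ("owner", "classification", "allowed_regions")
WRITE_ACTIONS = ("edit", "publish")


def missing_tags(item):
    return [tag for tag in REQUIRED_TAGS if tag not in item.security]


class PermissionValidator:
    """Centralized policy decision point shared by all consumers; every decision is audited."""

    def __init__(self):
        self.audit_log = []

    def is_authorized(self, principal, action, item):
        allowed, rule = self._evaluate(principal, action, item)
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id, "action": action,
            "item": item.item_id, "source": item.source,
            "allowed": allowed, "rule": rule,
        })
        return allowed

    def _evaluate(self, principal, action, item):
        missing = missing_tags(item)
        if missing:
            return False, f"deny: item missing required tags {missing}"
        sec = item.security
        if sec["owner"] == principal.user_id:                # ownership relation
            return True, "allow: owner"
        if principal.region not in sec["allowed_regions"]:   # ABAC attribute check
            return False, "deny: region not permitted"
        if action in WRITE_ACTIONS:                          # RBAC gate for writes
            if "content-editor" in principal.roles and sec["classification"] != "restricted":
                return True, "allow: content-editor role"
            return False, "deny: write requires content-editor on non-restricted item"
        if action == "read":
            cls = sec["classification"]
            if cls == "public":
                return True, "allow: public item"
            if cls == "internal" and principal.department in sec.get("departments", ()):
                return True, "allow: department matches"
            return False, f"deny: classification {cls}"
        return False, f"deny: unknown action {action}"


def authorized_items(validator, principal, action, items):
    """Row-level filter a consumer (e.g. a headless front end) applies per item."""
    return [item.item_id for item in items
            if validator.is_authorized(principal, action, item)]


def build_sample():
    """Constructed sample content and principals."""
    items = [
        ContentItem("cms:home", "cms",
                    {"owner": "user:alice", "classification": "public",
                     "allowed_regions": ["eu", "us"]}),
        ContentItem("dam:q3-plan", "dam",
                    {"owner": "user:alice", "classification": "internal",
                     "allowed_regions": ["eu"], "departments": ["finance"]}),
        ContentItem("commerce:pricing", "commerce",
                    {"owner": "user:dave", "classification": "restricted",
                     "allowed_regions": ["eu", "us"]}),
        ContentItem("cms:legacy", "cms", {"owner": "user:alice"}),  # mis-tagged item
    ]
    principals = {
        "bob": Principal("user:bob", frozenset({"content-editor"}), "finance", "eu"),
        "carol": Principal("user:carol", frozenset(), "marketing", "us"),
    }
    return items, principals


if __name__ == "__main__":
    items, people = build_sample()
    pdp = PermissionValidator()
    for name, who in people.items():
        print(name, "read:", authorized_items(pdp, who, "read", items))
        print(name, "edit:", authorized_items(pdp, who, "edit", items))
    for entry in pdp.audit_log:
        print(entry)
```

The consumer code contains no policy at all; it only asks is_authorized per item, which is what decoupling authorization from the application means in practice. Because every decision carries the rule that produced it, the audit log doubles as the evidence an access review needs, and the fail-closed handling of cms:legacy shows why consistent tagging by every data creator is a security requirement rather than a convenience.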

Conclusion

With the rise of composable architectures, the Sitecore Headless and Composable Platform provides a robust foundation for modern data security. Transitioning from monolithic frameworks to a composable approach necessitates new perspectives on application permissions and row-level data security.

Key Recommendations:

  • Adopt Modern Authorization Models: Use flexible and scalable models inspired by Google’s Zanzibar, such as ABAC, ReBAC, RBAC, and PBAC.
  • Integrate Zero Trust Principles: Implement continuous verification, regular access reviews, and structured change management processes.
  • Utilize Proven Authorization Solutions: Leverage platforms like Okta/Auth0, OpenFGA, AuthZed, and Amazon Verified Permissions for robust authorization capabilities.
  • Centralize Authorization Policies: Establish centralized, decoupled authorization rules to ensure consistency and control.
  • Implement a Consistent Data Security Strategy: Standardize security tagging and permission validation across all data producers to maintain data integrity and ownership.