Skill

authorization-design

Design authorization systems (access control, role-based permissions, principle of least privilege) to enforce fine-grained access policies.

From secure-development

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-secure-development

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Principle of Least Privilege: Grant minimum necessary permissions; default deny, explicit allow

Role-Based Access Control (RBAC): Users assigned roles (Admin, Editor, Viewer); roles have permissions

Attribute-Based Access Control (ABAC): Permissions based on attributes (user department, resource owner, time of day)

Capability-Based Access Control: Users hold unforgeable tokens granting access; more fine-grained than RBAC

Instructions

Design Roles & Permissions:

Identify roles (Admin, Moderator, User, Guest)
Define permissions for each resource/action (Read, Write, Delete, Admin)
Assign roles to users; never grant permissions directly

Example:

Admin: Read/Write/Delete all resources
Moderator: Read all; Write/Delete own posts and user-reported content
User: Read all; Write own content; Delete own content
Guest: Read public content only

Implement Least Privilege:

Default deny; explicitly grant permissions
Users get minimum necessary role; not Admin by default
Service accounts: create per-service accounts with narrow permissions (not shared root account)
Time-bound permissions: grant temporary elevated access for specific tasks, then revoke

Enforce Authorization Checks:

Check authorization on every action, not just page load
Check on API endpoints; never trust client-side authorization
Verify user owns resource before allowing delete: if (post.owner_id != current_user.id) { deny }
Check both object ownership and global permissions (user might be forbidden from resource)

Prevent Common Authorization Bypasses:

Insecure Direct Object Reference (IDOR): Verify user owns /posts/{post_id} before returning
Parameter Tampering: Don't trust client-provided role or permission parameters
Vertical Escalation: Don't assume "user" role can't access "admin" pages; enforce on every page
Horizontal Escalation: Verify user can only access own resources (own profile, own posts)

Audit Authorization Decisions:

Log permission denials (possible reconnaissance or attack)
Alert on privilege escalation attempts
Regular review of role assignments (who has admin access?)

Anti-Patterns

Hard-coding authorization in UI (hiding admin button from users); client-side authorization is not authorization; always check server-side

Checking authorization only on page load; check on every action; a token might become invalid mid-session

Allowing "root" or "admin" accounts for service-to-service communication; create service accounts with minimal necessary permissions

Permanently assigning high-privilege roles; use temporary elevation with time limits and audit trails

Trusting role names from JWT/API response; always verify against backend permission store; JWT can be forged if signing key is compromised

Domain Context

Principle of Least Privilege: Grant minimum necessary permissions; default deny, explicit allow

Role-Based Access Control (RBAC): Users assigned roles (Admin, Editor, Viewer); roles have permissions

Attribute-Based Access Control (ABAC): Permissions based on attributes (user department, resource owner, time of day)

Capability-Based Access Control: Users hold unforgeable tokens granting access; more fine-grained than RBAC

Instructions

Design Roles & Permissions:

Identify roles (Admin, Moderator, User, Guest)
Define permissions for each resource/action (Read, Write, Delete, Admin)
Assign roles to users; never grant permissions directly

Example:

Admin: Read/Write/Delete all resources
Moderator: Read all; Write/Delete own posts and user-reported content
User: Read all; Write own content; Delete own content
Guest: Read public content only

Implement Least Privilege:

Default deny; explicitly grant permissions
Users get minimum necessary role; not Admin by default
Service accounts: create per-service accounts with narrow permissions (not shared root account)
Time-bound permissions: grant temporary elevated access for specific tasks, then revoke

Enforce Authorization Checks:

Check authorization on every action, not just page load
Check on API endpoints; never trust client-side authorization
Verify user owns resource before allowing delete: if (post.owner_id != current_user.id) { deny }
Check both object ownership and global permissions (user might be forbidden from resource)

Prevent Common Authorization Bypasses:

Insecure Direct Object Reference (IDOR): Verify user owns /posts/{post_id} before returning
Parameter Tampering: Don't trust client-provided role or permission parameters
Vertical Escalation: Don't assume "user" role can't access "admin" pages; enforce on every page
Horizontal Escalation: Verify user can only access own resources (own profile, own posts)

Audit Authorization Decisions:

Log permission denials (possible reconnaissance or attack)
Alert on privilege escalation attempts
Regular review of role assignments (who has admin access?)

Anti-Patterns

Hard-coding authorization in UI (hiding admin button from users); client-side authorization is not authorization; always check server-side

Checking authorization only on page load; check on every action; a token might become invalid mid-session

Allowing "root" or "admin" accounts for service-to-service communication; create service accounts with minimal necessary permissions

Permanently assigning high-privilege roles; use temporary elevation with time limits and audit trails

Trusting role names from JWT/API response; always verify against backend permission store; JWT can be forged if signing key is compromised

authorization-design

authorization-design

Authorization Design

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Authorization Design

Context

Domain Context

Instructions

Anti-Patterns

Further Reading