How Authorization Works
Squizy's authorization system controls what authenticated callers can do. It is built around Role-Based Access Control (RBAC), where permissions are never assigned directly to users — instead, they flow through a layered hierarchy: authorities define granular permissions, roles group authorities into named profiles, and users are assigned one or more roles.
App Tokens follow a different model: authorities are assigned directly to the token, bypassing roles entirely. This gives administrators precise, per-token control over what each token can access.
At runtime, every API request is evaluated against the caller's effective authority set. The framework resolves these authorities automatically and enforces access before the operation reaches your code.
Sections
- RBAC — how authority resolution works and the access evaluation pipeline
- Authorities — granular permissions auto-generated from your entity model
- Roles — named groups of authorities that define access profiles
- Security Annotations — entity-level and field-level access restrictions
- App Tokens — programmatic API access with directly assigned authorities