{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T02:31:15Z","timestamp":1760149875594,"version":"build-2065373602"},"reference-count":55,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2023,9,19]],"date-time":"2023-09-19T00:00:00Z","timestamp":1695081600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Software"],"abstract":"<jats:p>Microservices have emerged as a prevalent architectural style in modern software development, replacing traditional monolithic architectures. The decomposition of business functionality into distributed microservices offers numerous benefits, but introduces increased complexity to the overall application. Consequently, the complexity of authorization in microservice-based applications necessitates a comprehensive approach that integrates authorization as an inherent component from the beginning. This paper presents a systematic approach for achieving fine-grained user authorization using Attribute-Based Access Control (ABAC). The proposed approach emphasizes structure preservation, facilitating traceability throughout the various phases of application development. As a result, authorization artifacts can be traced seamlessly from the initial analysis phase to the subsequent implementation phase. One significant contribution is the development of a language to formulate natural language authorization requirements and policies. These natural language authorization policies can subsequently be implemented using the policy language Rego. 
By leveraging the analysis of software artifacts, the proposed approach enables the creation of comprehensive and tailored authorization policies.<\/jats:p>","DOI":"10.3390\/software2030019","type":"journal-article","created":{"date-parts":[[2023,9,20]],"date-time":"2023-09-20T01:32:50Z","timestamp":1695173570000},"page":"400-426","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["User Authorization in Microservice-Based Applications"],"prefix":"10.3390","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-0507-7195","authenticated-orcid":false,"given":"Niklas","family":"S\u00e4nger","sequence":"first","affiliation":[{"name":"Research Group Cooperation & Management, Karlsruhe Institute of Technology, 76131 Karlsruhe, Germany"}]},{"given":"Sebastian","family":"Abeck","sequence":"additional","affiliation":[{"name":"Research Group Cooperation & Management, Karlsruhe Institute of Technology, 76131 Karlsruhe, Germany"}]}],"member":"1968","published-online":{"date-parts":[[2023,9,19]]},"reference":[{"key":"ref_1","unstructured":"Swoyer, M., and Loukides, S. (2023, June 20). Microservices Adoption in 2020. Available online: https:\/\/www.oreilly.com\/radar\/microservices-adoption-in-2020\/."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"e779","DOI":"10.7717\/peerj-cs.779","article-title":"Microservice Security: A Systematic Literature Review","volume":"7","author":"Berardi","year":"2022","journal-title":"PeerJ Comput. Sci."},{"key":"ref_3","unstructured":"solo.io (2023, August 24). Microservices, Kubernetes and Istio\u20142022 Adoption Trends. Available online: https:\/\/www.solo.io\/resources\/infographic\/microservices-kubernetes-and-istio-2022-adoption-trends\/pdf\/."},{"key":"ref_4","unstructured":"Newman, S. (2015). Building Microservices: Designing Fine-Grained Systems, O\u2019Reilly Media. [1st ed.]."},{"key":"ref_5","unstructured":"Fielding, R.T. (2000). 
Architectural Styles and the Design of Network-Based Software Architectures. [Ph.D. Thesis, University of California]."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1145\/2080.357392","article-title":"Implementing Remote Procedure Calls","volume":"2","author":"Birrell","year":"1984","journal-title":"ACM Trans. Comput. Syst."},{"key":"ref_7","unstructured":"Open API Initiative (2023, August 24). Open API Specification\u2014v3.1.0. Available online: https:\/\/spec.openapis.org\/oas\/v3.1.0."},{"key":"ref_8","unstructured":"Google LLC All (2023, August 24). Protocol Buffers Documentation. Available online: https:\/\/protobuf.dev\/programming-guides\/proto3\/."},{"key":"ref_9","first-page":"432","article-title":"Designing Microservice-Based Applications by Using a Domain-Driven Design Approach","volume":"10","author":"Hippchen","year":"2017","journal-title":"Int. J. Adv. Softw."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Wohlgemuth, V., Naumann, S., Behrens, G., and Arndt, H.K. (2022). Advances and New Trends in Environmental Informatics, Springer International Publishing.","DOI":"10.1007\/978-3-030-88063-7"},{"key":"ref_11","unstructured":"OWASP Foundation (2023, July 15). OWASP Top 10:2021. Available online: https:\/\/owasp.org\/Top10\/."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"de Almeida, M.G., and Canedo, E.D. (2022). Authentication and Authorization in Microservices Architecture: A Systematic Literature Review. Appl. Sci., 12.","DOI":"10.3390\/app12063023"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"544","DOI":"10.1002\/wics.106","article-title":"Computer Security","volume":"2","author":"Gollmann","year":"2010","journal-title":"WIREs Comput. 
Stat."},{"key":"ref_14","first-page":"285","article-title":"Fine-Grained Access Control for Microservices","volume":"Volume 11358","author":"Bonfante","year":"2019","journal-title":"Proceedings of the 11th International Symposium (FPS 2018)"},{"key":"ref_15","first-page":"204","article-title":"ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications","volume":"Volume 13121","author":"Hacid","year":"2021","journal-title":"Proceedings of the 19th International Conference (ICSOC 2021)"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Yarygina, T., and Bagge, A.H. (2018, January 26\u201329). Overcoming Security Challenges in Microservice Architectures. Proceedings of the 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE), Bamberg, Germany.","DOI":"10.1109\/SOSE.2018.00011"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Devanbu, P., and Stubblebine, S. (2000, January 4\u201311). Software Engineering for Security: A Roadmap. Proceedings of the Conference on the Future of Software Engineering, Limerick, Ireland.","DOI":"10.1145\/336512.336559"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Busch, M., Koch, N., Masi, M., Pugliese, R., and Tiezzi, F. (2012, January 1\u20135). Towards Model-Driven Development of Access Control Policies for Web Applications. Proceedings of the Workshop on Model-Driven Security, Innsbruck, Austria.","DOI":"10.1145\/2422498.2422502"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1007","DOI":"10.1080\/17517575.2018.1462403","article-title":"RESTsec: A Low-Code Platform for Generating Secure by Design Enterprise Services","volume":"12","author":"Zolotas","year":"2018","journal-title":"Enterp. Inf. Syst."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Brossard, D., Gebel, G., and Berg, M. (2017, January 24). A Systematic Approach to Implementing ABAC. 
Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control\u2014ABAC \u201917, Scottsdale, AZ, USA.","DOI":"10.1145\/3041048.3041051"},{"key":"ref_21","unstructured":"(2015). JSON Web Token (JWT). Standard No. RFC 7519. Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc7519."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1109\/35.312842","article-title":"Access Control: Principle and Practice","volume":"32","author":"Sandhu","year":"1994","journal-title":"IEEE Commun. Mag."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Kizza, J.M. (2015). Guide to Computer Network Security, Springer.","DOI":"10.1007\/978-1-4471-6654-2"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006, January 30). Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA.","DOI":"10.1145\/1180405.1180418"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"171","DOI":"10.1007\/978-3-642-45404-2_12","article-title":"Fine-Grained Role- and Attribute-Based Access Control for Web Applications","volume":"Volume 411","author":"Cordeiro","year":"2013","journal-title":"Software and Data Technologies"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/2.485845","article-title":"Role-Based Access Control Models","volume":"29","author":"Sandhu","year":"1996","journal-title":"Computer"},{"key":"ref_27","unstructured":"Elliott, A., and Knight, S. (2010, January 12\u201315). Role Explosion: Acknowledging the Problem. Proceedings of the 2010 International Conference on Software Engineering Research & Practice (SERP 2010), Las Vegas, NV, USA."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Aftab, M.U., Qin, Z., Ali, S., and Khan, J. (2018, January 14\u201316). 
The Evaluation and Comparative Analysis of Role Based Access Control and Attribute Based Access Control Model. Proceedings of the 2018 15th International Computer Conference on Wavelet Active Media Technology and Information Processing (ICCWAMTIP), Chengdu, China.","DOI":"10.1109\/ICCWAMTIP.2018.8632578"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Hu, V.C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., and Scarfone, K. (2014). Guide to Attribute Based Access Control (ABAC) Definition and Considerations.","DOI":"10.6028\/NIST.SP.800-162"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Yuan, E., and Tong, J. (2005, January 11\u201315). Attributed Based Access Control (ABAC) for Web Services. Proceedings of the IEEE International Conference on Web Services (ICWS\u201905), Orlando, FL, USA.","DOI":"10.1109\/ICWS.2005.25"},{"key":"ref_31","unstructured":"(2023, June 20). eXtensible Access Control Markup Language (XACML) Version 3.0. Available online: http:\/\/docs.oasis-open.org\/xacml\/3.0\/xacml-3.0-core-spec-os-en.html."},{"key":"ref_32","unstructured":"(2008). Augmented BNF for Syntax Specifications: ABNF. Standard No. RFC 5234. Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc5234.html."},{"key":"ref_33","unstructured":"(1999). Hypertext Transfer Protocol\u2014HTTP\/1.1. Standard No. RFC 2616. Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc2616."},{"key":"ref_34","unstructured":"(2012). The OAuth 2.0 Authorization Framework. Standard No. RFC 6749. Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc6749."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Chandramouli, R. (2019). Security Strategies for Microservices-Based Application Systems.","DOI":"10.6028\/NIST.SP.800-204"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Banati, A., Kail, E., Karoczkai, K., and Kozlovszky, M. (2018, January 21\u201325). 
Authentication and Authorization Orchestrator for Microservice-Based Software Architectures. Proceedings of the 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia.","DOI":"10.23919\/MIPRO.2018.8400214"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1007\/978-3-030-04834-1_2","article-title":"Policy Engineering in RBAC and ABAC","volume":"Volume 11170","author":"Samarati","year":"2018","journal-title":"From Database to Cyber Security"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1186\/s42400-018-0019-2","article-title":"Automated Extraction of Attributes from Natural Language Attribute-Based Access Control (ABAC) Policies","volume":"2","author":"Alohaly","year":"2019","journal-title":"Cybersecurity"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Narouei, M., Khanpour, H., Takabi, H., Parde, N., and Nielsen, R. (2017, January 21\u201323). Towards a Top-down Policy Engineering Framework for Attribute-based Access Control. Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies, Indianapolis, IN, USA.","DOI":"10.1145\/3078861.3078874"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Fatemian, A., Zamani, B., Masoumi, M., Kamranpour, M., Ladani, B.T., and Rahimi, S.K. (2021, January 28\u201329). Automatic Generation of XACML Code Using Model-Driven Approach. Proceedings of the 2021 11th International Conference on Computer Engineering and Knowledge (ICCKE), Mashhad, Iran.","DOI":"10.1109\/ICCKE54056.2021.9721518"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Talukdar, T., Batra, G., Vaidya, J., Atluri, V., and Sural, S. (2017, January 15\u201317). Efficient Bottom-Up Mining of Attribute Based Access Control Policies. 
Proceedings of the 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC), San Jose, CA, USA.","DOI":"10.1109\/CIC.2017.00051"},{"key":"ref_42","unstructured":"Lethbridge, T.C., and Laganiere, R. (2005). Object-Oriented Software Engineering, McGraw-Hill."},{"key":"ref_43","unstructured":"Cockburn, A. (1999). Writing Effective Use Cases, Pearson Education India."},{"key":"ref_44","first-page":"53","article-title":"Engineering Security Requirements","volume":"2","author":"Firesmith","year":"2003","journal-title":"J. Object Technol."},{"key":"ref_45","unstructured":"Cloud Native Computing Foundation (2023, March 16). Open Policy Agent (OPA). Available online: https:\/\/www.cncf.io\/projects\/open-policy-agent-opa\/."},{"key":"ref_46","unstructured":"Cloud Native Computing Foundation (2023, March 16). Open Policy Agent: Documentation. Available online: https:\/\/www.openpolicyagent.org\/docs\/latest\/."},{"key":"ref_47","unstructured":"Envoy Project (2023, April 24). Envoy Documentation: What Is Envoy? Available online: https:\/\/www.envoyproxy.io\/docs\/envoy\/latest\/intro\/what_is_envoy."},{"key":"ref_48","unstructured":"(2023, July 04). Traefik Enterprise Middleware: OPA\u2014Traefik Enterprise. Available online: https:\/\/doc.traefik.io\/traefik-enterprise\/middlewares\/opa\/."},{"key":"ref_49","unstructured":"Schneider, M., Zieschinski, S., Klechorov, H., Brosch, L., Schorsten, P., Abeck, S., and Urbaczek, C. (2021, January 3\u20137). A Test Concept for the Development of Microservice-based Applications. Proceedings of the Sixteenth International Conference on Software Engineering Advances (IARIA), Barcelona, Spain."},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Wohlin, C., Runeson, P., H\u00f6st, M., Ohlsson, M.C., Regnell, B., and Wessl\u00e9n, A. (2012). 
Experimentation in Software Engineering, Springer.","DOI":"10.1007\/978-3-642-29044-2"},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Throner, S., Hutter, H., Sanger, N., Schneider, M., Hanselmann, S., Petrovic, P., and Abeck, S. (2021, January 23\u201326). An Advanced DevOps Environment for Microservice-based Applications. Proceedings of the 2021 IEEE International Conference on Service-Oriented System Engineering (SOSE), Oxford, UK.","DOI":"10.1109\/SOSE52839.2021.00020"},{"key":"ref_52","unstructured":"Cloud Native Computing Foundation (2023, August 24). Helm Documentation. Available online: https:\/\/helm.sh\/docs\/."},{"key":"ref_53","unstructured":"Burns, B., and Oppenheimer, D. (2016, January 20\u201321). Design Patterns for Container-Based Distributed Systems. Proceedings of the 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16), Denver, CO, USA."},{"key":"ref_54","unstructured":"Envoy Project (2023, March 29). Envoy Documentation: HTTP Filters\u2014External Authorization. Available online: https:\/\/www.envoyproxy.io\/docs\/envoy\/v1.26.3\/api-v3\/extensions\/filters\/network\/ext_authz\/v3\/ext_authz.proto."},{"key":"ref_55","doi-asserted-by":"crossref","first-page":"9947347","DOI":"10.1155\/2021\/9947347","article-title":"Migrating to Zero Trust Architecture: Reviews and Challenges","volume":"2021","author":"Teerakanok","year":"2021","journal-title":"Secur. Commun. 
Netw."}],"container-title":["Software"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2674-113X\/2\/3\/19\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T20:53:55Z","timestamp":1760129635000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2674-113X\/2\/3\/19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,19]]},"references-count":55,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,9]]}},"alternative-id":["software2030019"],"URL":"https:\/\/doi.org\/10.3390\/software2030019","relation":{},"ISSN":["2674-113X"],"issn-type":[{"type":"electronic","value":"2674-113X"}],"subject":[],"published":{"date-parts":[[2023,9,19]]}}}
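The abstract above describes writing authorization requirements in natural language and implementing them as Attribute-Based Access Control policies in Rego, the policy language of Open Policy Agent. The following is an added illustration of what that requirement-to-policy trace looks like; it is not the paper's language, policy or code. The three requirements, the package name, the `input` attribute names (`input.subject`, `input.action`, `input.resource`) and the order-service scenario are all assumptions made for the example, as is the assumption that the enforcement point (an API gateway or sidecar) builds `input.subject` only from a JWT whose signature it has already verified. The file assumes OPA 0.59 or later, where `import rego.v1` is accepted.

```rego
# Added example (not from the paper): three hypothetical natural-language
# authorization requirements for an "order" microservice, each traced to one
# Rego rule, with tests that `opa test` runs to check the trace.
#
# Assumed input shape, built by the policy enforcement point:
#   input.subject  = {"id": ..., "role": ..., "region": ...}   # from verified JWT claims
#   input.action   = "read" | "cancel"                          # from HTTP method and route
#   input.resource = {"type": "order", "id": ..., "owner": ..., "region": ..., "status": ...}
package microservice.orders.authz

import rego.v1

# Default-deny: a request is permitted only if some rule below grants it.
default allow := false

# R1: "A customer may read their own orders."
allow if {
    is_order_request("read")
    input.subject.role == "customer"
    input.resource.owner == input.subject.id
}

# R2: "A support agent may read orders placed in the agent's region."
allow if {
    is_order_request("read")
    input.subject.role == "support"
    input.resource.region == input.subject.region
}

# R3: "A customer may cancel their own order only while it is still open."
allow if {
    is_order_request("cancel")
    input.subject.role == "customer"
    input.resource.owner == input.subject.id
    input.resource.status == "open"
}

# Helper: the request targets an order resource with the given action.
is_order_request(action) if {
    input.resource.type == "order"
    input.action == action
}

# Denial reasons the enforcement point can return; empty when allowed.
deny_reasons contains "subject does not own the order" if {
    not allow
    input.subject.role == "customer"
    input.resource.owner != input.subject.id
}

deny_reasons contains "order is no longer open" if {
    not allow
    input.action == "cancel"
    input.resource.status != "open"
}

# Traceability tests: one positive case per requirement plus the negative
# cases that distinguish the rules. Inputs are constructed for the example.
test_r1_customer_reads_own_order if {
    allow with input as {
        "subject": {"id": "u1", "role": "customer", "region": "eu"},
        "action": "read",
        "resource": {"type": "order", "id": "o1", "owner": "u1", "region": "eu", "status": "open"},
    }
}

test_r1_customer_cannot_read_foreign_order if {
    not allow with input as {
        "subject": {"id": "u2", "role": "customer", "region": "eu"},
        "action": "read",
        "resource": {"type": "order", "id": "o1", "owner": "u1", "region": "eu", "status": "open"},
    }
}

test_r2_support_reads_in_own_region_only if {
    allow with input as {
        "subject": {"id": "s1", "role": "support", "region": "eu"},
        "action": "read",
        "resource": {"type": "order", "id": "o1", "owner": "u1", "region": "eu", "status": "open"},
    }
    not allow with input as {
        "subject": {"id": "s2", "role": "support", "region": "us"},
        "action": "read",
        "resource": {"type": "order", "id": "o1", "owner": "u1", "region": "eu", "status": "open"},
    }
}

test_r3_cancel_blocked_once_shipped if {
    not allow with input as {
        "subject": {"id": "u1", "role": "customer", "region": "eu"},
        "action": "cancel",
        "resource": {"type": "order", "id": "o1", "owner": "u1", "region": "eu", "status": "shipped"},
    }
}
```

Run the tests with `opa test policy.rego`, or evaluate a single decision with `opa eval -i input.json -d policy.rego 'data.microservice.orders.authz.allow'`. Two points a reviewer should check in any such policy: the decision is default-deny, so a requirement that was never written down produces no access rather than accidental access; and the policy trusts every attribute in `input`, so the component that populates `input.subject` must verify the token's signature and expiry before the policy is consulted, otherwise the fine-grained rules are only as strong as an unchecked claim.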