Big ACL for Developers

Big ACL helps you keep authorization logic explicit, testable, and decoupled from application code. Instead of scattering role checks and conditionals across controllers and services, you rely on a policy model evaluated by a dedicated Policy Decision Point (PDP).

PAP, PDP, and PEP in practice

From a developer point of view:

  • PAP (Policy Administration Point) — where policies are defined, reviewed, versioned, and tested. Big ACL is the PAP.
  • PDP (Policy Decision Point) — a component or service that evaluates a policy for a given request (principal, action, resource, context) and returns ALLOW or DENY.
  • PEP (Policy Enforcement Point) — code in your app (filters, interceptors, annotations) that calls the PDP and enforces its decision. A PEP only grants access on an explicit ALLOW; a timeout, transport error or unreadable response is treated as DENY (fail closed).

Where OpenID AuthZEN fits

OpenID AuthZEN standardizes the exchange between a PEP and a PDP: how the PEP expresses an authorization request (subject, action, resource, context) and how it obtains a decision or decision token in return. For developers, this means:

  • One consistent way to describe “who does what on which resource”.
  • Interoperability between different PDPs and enforcement components.
  • Less custom plumbing when integrating a policy engine into your apps.

Big ACL focuses on the policy model (PAP) and can feed PDPs that follow standards such as AuthZEN. Your application code only needs to integrate with the chosen PDP / SDK.

Example: Spring Security with annotations and an external PDP

Controllers stay declarative using @PreAuthorize, while a small PEP layer (the AuthorizationService bean, referenced from SpEL as @authz) calls the external PDP. Method security must be switched on with @EnableMethodSecurity (Spring Security 6) on a configuration class, otherwise the annotations are silently ignored.

ProjectController.java


import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/projects")
public class ProjectController {

    // The controller never calls the PEP directly: the check runs in the
    // @PreAuthorize expression before the handler method is entered.
    private final ProjectService service;

    public ProjectController(ProjectService service) {
        this.service = service;
    }

    // "@authz" is a SpEL bean reference; the PEP bean must be registered under that name.
    // "#projectId" binds the method parameter, so the decision is per resource, not per endpoint.
    @GetMapping("/{projectId}")
    @PreAuthorize("@authz.check(authentication, 'READ', 'PROJECT', #projectId)")
    public ProjectDto getProject(@PathVariable String projectId) {
        return service.get(projectId);
    }

    @DeleteMapping("/{projectId}")
    @PreAuthorize("@authz.check(authentication, 'DELETE', 'PROJECT', #projectId)")
    public void delete(@PathVariable String projectId) {
        service.delete(projectId);
    }
}


AuthorizationService.java


import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

// Registered under the explicit bean name "authz" so that
// @PreAuthorize("@authz.check(...)") resolves to this class; the default
// name would be "authorizationService" and the expression would fail.
@Service("authz")
public class AuthorizationService {

    private final PolicyDecisionClient pdp;

    public AuthorizationService(PolicyDecisionClient pdp) {
        this.pdp = pdp;
    }

    // PEP entry point. Returns true only when the PDP explicitly allows the request;
    // an unauthenticated caller or any failure to obtain a decision denies (fail closed).
    public boolean check(Authentication auth, String action, String resource, String id) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        try {
            return pdp.isAllowed(auth, action, resource, id);
        } catch (RuntimeException e) {
            return false; // PDP unreachable or returned garbage: deny, never default to allow
        }
    }
}
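The page leaves PolicyDecisionClient undefined. The following is an added example (not Big ACL code and not an official AuthZEN SDK) of how that client could talk to a PDP over the AuthZEN evaluation API, tying the "Where OpenID AuthZEN fits" section to the PEP above. Assumptions not taken from the page: the PDP exposes POST {pdp.base-url}/access/v1/evaluation with the AuthZEN request shape (subject / action / resource / context) and answers with a JSON body carrying a boolean "decision"; the interface shape of PolicyDecisionClient is inferred from the call in AuthorizationService; Jackson and Spring's @Value are available, as in a Spring Boot application; the property name pdp.base-url and the class name AuthZenPolicyDecisionClient are illustrative.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;

// Shape inferred from the call in AuthorizationService; the page does not define it.
interface PolicyDecisionClient {
    boolean isAllowed(Authentication auth, String action, String resource, String id);
}

// Example client for an AuthZEN-style PDP (illustrative, not Big ACL's own code).
// Assumes the PDP accepts POST {baseUrl}/access/v1/evaluation and returns {"decision": true|false}.
@Component
public class AuthZenPolicyDecisionClient implements PolicyDecisionClient {

    private static final Duration TIMEOUT = Duration.ofSeconds(2);

    private final HttpClient http = HttpClient.newBuilder().connectTimeout(TIMEOUT).build();
    private final ObjectMapper json = new ObjectMapper();
    private final URI evaluationEndpoint;

    // "pdp.base-url" is an assumed property name, e.g. pdp.base-url=https://pdp.internal
    public AuthZenPolicyDecisionClient(@Value("${pdp.base-url}") String baseUrl) {
        this.evaluationEndpoint = URI.create(baseUrl + "/access/v1/evaluation");
    }

    @Override
    public boolean isAllowed(Authentication auth, String action, String resource, String id) {
        try {
            byte[] body = json.writeValueAsBytes(buildRequest(auth, action, resource, id));
            HttpRequest req = HttpRequest.newBuilder(evaluationEndpoint)
                    .timeout(TIMEOUT)                       // a hanging PDP must not hang the app
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofByteArray(body))
                    .build();
            HttpResponse<byte[]> resp = http.send(req, HttpResponse.BodyHandlers.ofByteArray());
            if (resp.statusCode() != 200) {
                return false;                               // no decision obtained: fail closed
            }
            JsonNode decision = json.readTree(resp.body()).get("decision");
            // Only an explicit boolean true is an ALLOW; a missing, null or
            // non-boolean field is treated as DENY rather than guessed at.
            return decision != null && decision.isBoolean() && decision.booleanValue();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();             // preserve the interrupt for the caller
            return false;
        } catch (Exception e) {
            return false;                                   // transport or parse error: deny
        }
    }

    // AuthZEN evaluation request. The subject is the authenticated principal name;
    // the resource type/id come straight from the @PreAuthorize expression.
    static Map<String, Object> buildRequest(Authentication auth, String action, String resource, String id) {
        return Map.of(
                "subject", Map.of("type", "user", "id", auth.getName()),
                "action", Map.of("name", action),
                "resource", Map.of("type", resource, "id", id),
                "context", Map.of("requestTime", Instant.now().toString()));
    }
}
```

The client never caches decisions and never defaults to allow: every path that does not yield an explicit boolean true ends in false, which is what makes the @PreAuthorize expressions in ProjectController safe when the PDP is slow or down. If the PDP is on the same network path as other services, the timeout should be tuned to its p99 latency rather than left generous, so a degraded PDP degrades into fast denials rather than thread exhaustion.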