Unifying 8 Fragmented Authorization Systems into One Secure Service

The Problem

A UK property transaction platform processing 450,000 transactions annually faced a critical security and performance challenge. Authorization logic was scattered across eight different services, each implementing access control differently.

The Complexity

Property transactions involve intricate multi-hierarchy relationships:

• Individual users belong to branches
• Branches sit within districts
• Districts within brands
• Brands within organisations
• Organisations are assigned as participants to transactions with role-based permissions

Every consumer service had direct read/write access to both organisation and transaction databases. This created:

• Security risk: No centralised control over who accessed what
• Inconsistency: Eight different interpretations of "authorized"
• Maintenance burden: Changes required updating multiple services
• Performance issues: Redundant queries and no optimisation

Our Approach

We designed and implemented a unified authorization service supporting three complementary models:

1. Role-Based Access Control (RBAC)

Traditional role assignments for standard permissions.

2. Fine-Grained Access Control (FGAC)

Granular permissions beyond simple roles.

3. Relational Authorization

The key innovation: a user's access to a transaction depends on their relationship to a branch, which has a relationship to a participant, which has a role in the transaction.

Implementation

• Single NuGet interface for all consuming services
• Centralised permission evaluation removing direct database access
• Query optimisation with strategic indexing for production-scale data
• Backward compatibility layer to support gradual migration from legacy implementations

The core implementation took 2-3 weeks. The subsequent effort to maintain backward compatibility with eight legacy approaches took three months - a deliberate investment to avoid a risky big-bang migration.