Abstract: An authorization is performed based on data types—an authorization model, and relationship tuples—that are applicable across different organizations. Each organization wishing to use a system for authorization specifies its own authorization models representing types of objects that can exist within the organization and types of relations those objects can have. When a given organization submits an authorization query to determine whether a given user and a given object are in a given type of relation within that organization, the system analyzes the authorization model and relationship tuples to make the determination. Query response latency may be reduced through techniques such as geographic distribution of servers and sharding of data so that the data for a given query can be found within the same shard.

Abstract: An authorization system provides authorization services for multiple tenant organizations. The authorization is performed based on standardized data types—an authorization model, and relationship tuples—that are applicable across the different organizations. Each organization wishing to use the system for authorization specifies its own authorization model(s) (representing the types of objects that can exist within the organization, and which types of relations those objects can have) and relationship tuples (representing the existing user/object relationships within the organization). When a given organization submits an authorization query to determine whether a given user and a given object are in a given type of relation within that organization (e.g., whether the user can perform a particular action on the object), the system analyzes the authorization model and relationship tuples to make the determination.