I Don't Care About Your Role – Find Your AuthZEN

Roles and groups have determined who is allowed to do what for over 40 years. The model is simple, proven – and increasingly insufficient. RBAC decides statically: once assigned, always authorized. Context-dependent decisions at runtime? Not a chance. And implicit permissions like "I'm an admin, so I can do anything" are not just inelegant, they're a security risk.

The future belongs to dynamic authorization methods like policy-based and relationship-based access control. Instead of rigid role assignments, policies decide at runtime based on context, relationships and attributes whether access is granted – per resource, per request. Every permission is explicitly proven and verifiable.

In this talk, I put the concepts behind PBAC, ReBAC and ABAC into perspective and show how AuthZEN, a new standard by the OpenID Foundation, standardizes communication between authorization components. Using concrete examples, I demonstrate what a modern authorization architecture can look like.

The goal: authorization that doesn't ask "who are you?" but "what can you prove?".
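To make the "what can you prove?" idea concrete, here is a small policy decision point, added for this page and not code from the talk or from the AuthZEN specification. It answers requests in the AuthZEN evaluation shape (subject, resource, action, context, returning a decision); the relationship tuples, resource attributes and the three policy rules are constructed assumptions for illustration.

```python
"""Constructed PDP: AuthZEN-shaped request in, explicit decision out.
The request/response shape follows AuthZEN; data and rules are made up."""

# Constructed relationship tuples (ReBAC): (subject id, relation, object id)
RELATIONS = {
    ("alice", "owner", "doc:1"),
    ("bob", "viewer", "doc:1"),
    ("carol", "admin", "org:acme"),   # an org relation, not a document one
}
# Constructed resource attributes (ABAC)
RESOURCES = {
    "doc:1": {"org": "org:acme", "classification": "internal"},
}

def related(subject_id, relation, object_id):
    return (subject_id, relation, object_id) in RELATIONS

def evaluate(request):
    """Decide one request; deny unless a rule explicitly allows it."""
    sub = request["subject"]["id"]
    res = request["resource"]["id"]
    action = request["action"]["name"]
    ctx = request.get("context", {})
    attrs = RESOURCES.get(res)
    if attrs is None:
        return {"decision": False, "context": {"reason": "unknown resource"}}
    # Rule 1 (ReBAC): the document owner may perform any action on it.
    if related(sub, "owner", res):
        return {"decision": True, "context": {"reason": "owner"}}
    # Rule 2 (ReBAC + ABAC + runtime context): viewers may read, but an
    # internal document only from a managed device.
    if action == "read" and related(sub, "viewer", res):
        if attrs["classification"] == "internal" and not ctx.get("managed_device"):
            return {"decision": False, "context": {"reason": "unmanaged device"}}
        return {"decision": True, "context": {"reason": "viewer"}}
    # Rule 3 (ReBAC through the org): an admin of the owning org may read,
    # and only read. No rule says "admin can do anything".
    if action == "read" and related(sub, "admin", attrs["org"]):
        return {"decision": True, "context": {"reason": "org admin read"}}
    return {"decision": False, "context": {"reason": "no matching rule"}}

def request_for(subject_id, action, resource_id, **context):
    """Build a request in the AuthZEN evaluation shape."""
    return {"subject": {"type": "user", "id": subject_id},
            "resource": {"type": "document", "id": resource_id},
            "action": {"name": action}, "context": context}

if __name__ == "__main__":
    for sub, act, extra in [("alice", "delete", {}), ("bob", "read", {}),
                            ("bob", "read", {"managed_device": True}),
                            ("carol", "read", {}), ("carol", "delete", {})]:
        print(sub, act, evaluate(request_for(sub, act, "doc:1", **extra)))
```

Every allow carries the rule that justified it, so each decision is explainable per resource and per request; carol's org admin relation proves a read and nothing more.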

Niko Köbler

Keycloak Expert

Darmstadt, Germany
