ASVS Requirement 8.3.3
- Level: 3
- Chapter: V8 Authorization
- Section: V8.3 Operation Level Authorization
- Source: 0x17-V8-Authorization.md
Description
Verify that access to an object is based on the originating subject's (e.g. consumer's) permissions, not on the permissions of any intermediary or service acting on their behalf. For example, if a consumer calls a web service using a self-contained token for authentication, and the service then requests data from a different service, the second service will use the consumer's token, rather than a machine-to-machine token from the first service, to make permission decisions.
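The scenario in the description, as an added worked example (not OWASP or ASVS code): a first service receives the consumer's self-contained token and calls a second service, which holds the object store. The second service is shown twice, once deciding on the first service's machine-to-machine token (the non-compliant pattern) and once deciding on the forwarded consumer token (the pattern 8.3.3 requires). The HMAC-tagged token format, the two issuer keys, the object store, the service names and the scope strings are all constructed for the example; a real deployment would use JWTs from separate issuers, but the authorization decision is the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo keys: the consumer-token issuer and the M2M-token issuer are
# separate trust domains, so each has its own verification key.
CONSUMER_ISSUER_KEY = b"constructed-consumer-issuer-key"
M2M_ISSUER_KEY = b"constructed-m2m-issuer-key"

# Constructed object store held by the second service: object id -> owner, body.
OBJECTS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}


def mint_token(claims: dict, key: bytes) -> str:
    """Self-contained token: base64url(JSON claims) + '.' + HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, key: bytes) -> dict:
    """Return the claims if the tag verifies under `key`; raise otherwise."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(payload))


def consumer_may_read(claims: dict, object_id: str) -> bool:
    """Object-level rule (constructed): a subject holding 'read' may read objects it owns."""
    obj = OBJECTS.get(object_id)
    return (obj is not None
            and "read" in claims.get("scope", [])
            and obj["owner"] == claims.get("sub"))


# M2M token issued to the first service, carrying the broad service-level scope.
FIRST_SERVICE_M2M_TOKEN = mint_token(
    {"sub": "first-service", "scope": ["objects:read"]}, M2M_ISSUER_KEY)


# --- Second service, NOT compliant: decides on the intermediary's permissions ---
def read_object_via_m2m(m2m_token: str, object_id: str) -> Optional[str]:
    svc = verify_token(m2m_token, M2M_ISSUER_KEY)
    # The M2M token says the *first service* may read objects, so every consumer
    # routed through that service is granted that service's reach.
    if "objects:read" in svc.get("scope", []):
        return OBJECTS[object_id]["body"]
    return None


# --- Second service, compliant with 8.3.3: decides on the originating subject ---
def read_object_as_subject(consumer_token: str, m2m_token: str,
                           object_id: str) -> Optional[str]:
    # The M2M token only authenticates which service is calling...
    verify_token(m2m_token, M2M_ISSUER_KEY)
    # ...while the permission decision uses the consumer's own claims.
    consumer = verify_token(consumer_token, CONSUMER_ISSUER_KEY)
    if consumer_may_read(consumer, object_id):
        return OBJECTS[object_id]["body"]
    return None


# --- First service: forwards the consumer token alongside its own M2M token ---
def first_service(consumer_token: str, object_id: str,
                  compliant: bool = True) -> Optional[str]:
    if compliant:
        return read_object_as_subject(consumer_token, FIRST_SERVICE_M2M_TOKEN, object_id)
    return read_object_via_m2m(FIRST_SERVICE_M2M_TOKEN, object_id)


if __name__ == "__main__":
    alice = mint_token({"sub": "alice", "scope": ["read"]}, CONSUMER_ISSUER_KEY)
    print(first_service(alice, "doc-1"))                   # alice's notes
    print(first_service(alice, "doc-2"))                   # None: not alice's object
    print(first_service(alice, "doc-2", compliant=False))  # bob's notes: M2M scope leaks
```

The compliant path still verifies the M2M token, because the second service needs to know which service is calling; what changes is that the object-level decision is made on the forwarded consumer token, so a consumer cannot reach objects merely by routing through a privileged intermediary. A forged or tampered consumer token fails verification before any permission check runs.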