From prodsec-skills
Enforces authorization checks for external data source access in AI systems, covering read/write/delete permissions and least privilege principles.
Slash command: /prodsec-skills:authorization
It MUST be verified that the principal accessing an external data source has permissions to access or modify the data. Authentication alone (knowing who the principal is) is not sufficient; authorization (what they can do) must also be enforced.
| Operation | Authorization Check |
|---|---|
| Read data | Does the principal have read permission for this specific data? |
| Write data | Does the principal have write permission? |
| Modify schema | Does the principal have administrative permissions? |
| Delete data | Does the principal have delete permission? |
| Bulk export | Does the principal have permission for bulk data access? |
Each AI system component should have only the minimum data access permissions needed:
| Component | Typical Permissions |
|---|---|
| RAG ingestion pipeline | Read-only on source data |
| Inference engine | No direct data source access (goes through RAG) |
| Agent with data tools | Read-only unless write is explicitly required |
| Admin/maintenance jobs | Broader access, time-limited and audited |
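One way to wire both tables into an agent's data tool, as an added example that is not code from the prodsec-skills plugin: the gate below refuses unless there is an authenticated principal holding the operation-specific permission on the named source, and denies any operation it does not recognise. The principals, source names and grants are constructed for illustration.

```python
"""Deny-by-default authorization gate for AI data-tool access.

Added example, not code from the prodsec-skills plugin. Principals, data
source names and the grants below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Operation -> permission it requires (mirrors the authorization check table).
REQUIRED_PERMISSION = {
    "read": "read",
    "write": "write",
    "modify_schema": "admin",
    "delete": "delete",
    "bulk_export": "bulk_read",   # bulk access is a separate grant from "read"
}


@dataclass(frozen=True)
class Principal:
    name: str
    # Grants are scoped per data source: {source_name: {permission, ...}}.
    grants: dict = field(default_factory=dict)


class AuthorizationError(PermissionError):
    pass


def authorize(principal: Optional[Principal], operation: str, source: str) -> None:
    """Raise unless `principal` holds the permission `operation` requires on
    `source`. Authentication alone (a known principal) is not enough."""
    if principal is None:
        raise AuthorizationError("unauthenticated principal")
    needed = REQUIRED_PERMISSION.get(operation)
    if needed is None:                      # unknown operation: deny by default
        raise AuthorizationError(f"unknown operation {operation!r}")
    if needed not in principal.grants.get(source, set()):
        raise AuthorizationError(f"{principal.name} lacks {needed!r} on {source!r}")


def is_authorized(principal: Optional[Principal], operation: str, source: str) -> bool:
    """Boolean wrapper around authorize() for tool-dispatch code."""
    try:
        authorize(principal, operation, source)
        return True
    except AuthorizationError:
        return False


# Constructed least-privilege grants following the component table above.
RAG_INGESTION = Principal("rag-ingestion", {"docs-db": {"read"}})
INFERENCE_ENGINE = Principal("inference-engine", {})   # no direct source access
DATA_AGENT = Principal("data-agent", {"docs-db": {"read"}, "tickets-db": {"read", "write"}})
```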
Install: `npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills`