Tags: access control, agile, authorization, cloud, microservices and security
Abstract:
This paper proposes a novel access control model designed to support multi-client, microservice-based systems.
The increasingly popular microservice architecture decomposes a system into a set of small, independent, interoperating components. It makes software changes easier and allows developers to focus on individual elements of the system without the cognitive effort of understanding the operation of the system as a whole. In addition, recent shifts in software delivery methods, in particular high-velocity agile development, continuous integration, and small cross-functional teams, improve efficiency and shorten time to market.
A number of access control models have been developed over the last fifty years in response to the evolving requirements and applications of software. We observe that traditional access control mechanisms are not easily adaptable to a rapidly changing software landscape. In this paper, we look into why today's software requires a different approach to access control. We provide insight into the problems of integrating traditional models and into why doing so can undermine development efficiency, design simplicity, and overall security. We present an access control model designed to align with contemporary, cloud-hosted, microservice-based software, enhancing separation of concerns and service isolation. Finally, we share our experience in implementing the model and adopting it in an enterprise product, along with potential future enhancements and open challenges.
Divide and Conquer - Access Control in Microservice Architecture