Who or What Requires Authorization?

There are many definitions of authorization, but the one in RFC 4949 has the benefit of brevity.

“An approval that is granted to a system entity to access a system resource.”

Non-person Entities Require Authorization

Note that it uses the word “entity.” It does NOT use the word “person.” Because the entity requiring authorization may be a non-person entity.

I made this point in a previous post about attribute-based access control (ABAC), when I quoted from the 2014 version of NIST Special Publication 800-162. Incidentally, if you wonder why I use the acronym NPE (non-person entity) rather than the acronym NHI (non-human identity), this is why.

“A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.”

If you have a process to authorize people, but don’t have a process to authorize bots, you have a problem. Matthew Romero, formerly of Veza, has written about the lack of authorization for non-human identities.

“Unlike human users, NHIs operate without direct oversight or interactive authentication. Some run continuously, using static credentials without safeguards like multi-factor authentication (MFA). Because most NHIs are assigned elevated permissions automatically, they’re often more vulnerable than human accounts—and more attractive targets for attackers. 

“When organizations fail to monitor or decommission them, however, these identities can linger unnoticed, creating easy entry points for cyber threats.”

Veza recommends that people use a product that monitors authorizations for both human and non-human identities. And by the most amazing coincidence, Veza offers such a product.

People Require Authorization

And of course people require authorization too.

It’s not enough to identify or authenticate a person or NPE. Once that is done, you need to confirm that this particular person has the authorization to…launch a nuclear bomb. Or whatever.

Your Customers Require Information on Your Authorization Solution

If your company offers an authorization solution, and you need Bredemarket’s content, proposal, or analysis consulting help, talk to me.

Non-citizen REAL ID Expiration Dates Calculated Incorrectly in California

Remember my post that noted an error in Slashdot and Reason reporting about REAL IDs for non-citizens?

No, you don’t have to be a citizen to get a REAL ID.

But your REAL ID is tied to your authorization to be in the United States, and expires on the same date as your authorization to be here.

Well, that’s how it’s supposed to work.

In California, the date calculations (based upon 2006 legacy code) were screwed up for 300,000 legal residents.

“The error overrode the correct expiration date, which should have matched the end of the cardholder’s authorized stay in the United States. Under federal rules, immigrants with legal status — including permanent residents, green card holders and visa holders — are eligible for REAL IDs, but the cards’ expiration dates must align with the length of their authorized stay.”

Except when they don’t.

And for those who believe that granting REAL IDs to non-citizens is an example of California breaking the law:

  1. The DHS approved California’s REAL IDs in April 2019 under President Trump.
  2. Check reliably red South Dakota’s REAL ID requirements.

“If you’re not a U.S. citizen, you must apply in person at a state driver exam station and provide a U.S. Citizenship and Immigration document proving your lawful status in the U.S.”

Biscuit-based Identity Authentication and Authorization

Some of us authenticate ourselves to unlock our smartphones. Others authenticate to access confidential corporate information. A few authenticate to wield the power to annihilate the world.

The football and the biscuit

In the United States, the President (Commander-in-Chief) has a “biscuit.”

Google Gemini.

“The nuclear biscuit is a card with authentication codes that acts as the President’s personal key to unlocking America’s nuclear arsenal.

“The biscuit acts a lot like a two-factor authentication device or app. Its codes are updated regularly, and it works in connection with the nuclear football to verify the President’s identity. Without the biscuit, the President can’t order a nuclear strike, even if they have the football itself.”

Factors of authentication

Here are the three authentication factors that the biscuit reportedly uses.

“Something you have is quite an obvious one, you needed to have the actual Biscuit and the codes within. 

“Something you know is when you opened the Biscuit. It had many codes printed on the cards and all were false apart from one. The President would have been told the position of the real code when he first took office. He would also be told each time the Biscuit was changed. 

“For something you are, the phone line the President would need to contact has no number. It can only be contacted via a secure military phone. This phone would be handed to the President by one of his security team who would obviously not hand this phone to anyone but the President.”

Now you can argue that the phone line is not a TRUE something you are factor. It is closer to a second something you have (a controlled channel), and it rests on the judgement of the security team: a devious security team member could hand the phone to someone who SOUNDS like the President.

And there’s another complication.

Passing the football

Let’s say that a President is away from Washington. Say, at a school in Florida.

And all of a sudden attacks are launched in multiple U.S. cities.

What if an attack were launched in Florida, incapacitating the President, either temporarily or permanently?

In such an attack, the country and the world cannot afford to wait for hours for the football to be flown to wherever Richard Cheney is. 

(Image: U.S. National Archives.)

The solution? Two footballs (at least).

“Believing that the vice president should be a partner in national security policymaking, President Jimmy Carter assigned a football to Vice President Walter Mondale and this became the practice for future U.S. administrations.”

Outside the U.S., Russia has a similar system called the “Cheget,” and other nuclear countries presumably have similar procedures to authenticate the person or persons authorized to launch nuclear weapons.

Your football and biscuit

If you are an identity vendor or customer, you may have your own authentication and authorization procedures. While a breach of your procedures won’t result in the annihilation of civilization, it could create its own damage.

Do you need help describing the security of your identity solution?

Talk to Bredemarket.

A Frost Radar for the Bots

There appears to be a Frost Radar for everything…including non-person entities, or NPEs (a/k/a non-human identities, or NHIs).

And Descope is talking about the NHI Frost Radar.

“Los Altos, CA, November 13, 2025 – Descope, the drag & drop external IAM platform, today announced that it has been recognized as a Leader in the 2025 Frost Radar™ for Non-Human Identity (NHI) Solutions, further validating Descope’s fast growth and innovation in the agentic identity space.”

The product that Frost & Sullivan recognized is Descope’s Agentic Identity Hub:

“…an industry-first platform that helps organizations solve authentication and authorization challenges for AI agents, systems, and workflows. Notable additions include providing apps an easy way to become agent-ready while requiring user consent, providing agents a scalable way to connect with 50+ third-party tools and enterprise systems, and helping developers using the Model Context Protocol (MCP) protect their remote MCP servers with purpose-built authorization APIs and SDKs.”

So how does the Frost Radar work?

“The Frost Radar™ is a robust analytical tool that allows us to evaluate companies across two key indices: their focus on continuous innovation and their ability to translate their innovations into consistent growth.”

It uses four classifications.

Frost classification | What it means | What it REALLY means
Growth and Innovation Leaders | High innovation (Y axis) and growth (X axis) | Good
Innovation Leaders | High innovation | Stagnant growth
Growth Leaders | High growth | Stagnant innovation
Challengers | Low growth and innovation | Stagnant everything

So a “Leader” could lead in some things, but not in others.

Even Descope’s announcement includes a Frost Radar picture that indicates that Descope may be a leader, but others (such as Saviynt and Veza) may be more leaderly.

But I guess it’s better to be some sort of “leader,” or even a “challenger,” than to not be recognized at all.

Google Gemini.

HP Instant Ink Users and Identity: 1:1 Person-to-NPE Binding Isn’t Always Enough

How many people should use a SaaS service? If your answer is “only one,” you don’t need to read this post.

Last month I discussed a particular use case in which AI-based non-person entities (NPEs) were bound to the identities of carbon-based life forms. My post “Identity-Bound Non-Person Entities” reviewed the partnership between Anonybit and SmartUp. 

This binding doesn’t need artificial intelligence to work. The NPE may be something as simple as a service.

But how many people can be bound to an NPE?

A company and its service

There is a very large technology company; I won’t reveal the company name, but its initials are HP. And this very large company provides a service; I won’t reveal the service name, but it instantly provides ink for the company’s printers…

Never mind. It turns out that I already discussed HP Instant Ink (Ink as a Service) in the Bredemarket blog before. Plus, the company providing IaaS is no longer known as “the Hewlett-Packard Company,” but as “HP Inc.” So much for my attempts at obfuscation.

The 1:1 binding between me and Instant Ink

Anyway, we did sign up for Instant Ink when we purchased a new printer. Specifically, my HP account was registered as the owner of our Instant Ink account.

(Those of you with a keen eye can already see where this is going.)

As part of the Instant Ink service that we purchased, I can obtain two things:

1. The status of Instant Ink shipments to us

Not that these shipments are all that fast. 

So far we have encountered two instances in which we ran out of ink before the new Instant Ink shipment arrived. 

And when you put a regular ink cartridge into the printer while waiting for the Instant Ink shipment, HP sends a nastygram stating that I put the wrong ink in the printer, and to put Instant Ink in the printer right now.

Um, my Instant Ink is in Pennsylvania, and it will take 10 days to reach California. What am I supposed to do, fly to Pennsylvania and get it?

2. HP support

For our printer, I can obtain support from HP. I will have more to say about HP support later.

First person…or people

Do all of you see the issue now? If not, let me spell it out.

I am married, and my wife and I bought the printer together. But she has no access to shipment tracking or support; only I do.

Actually, I must confess that I gave her my HP login and password. So she has access to the shipment tracking information. But since her name is not John, we assumed that HP would never talk to her about the Instant Ink service that we purchased.

There is something in the (so-called) HP Smart App that allows me to “invite” someone to the printer. But when I tried to “invite” my wife, HP briefly flashed a message saying that I could not invite my wife because she already had an HP personal account.

I need support

By this time I had piled up 3 support requests for HP:

  1. How can I get new Instant Ink before my old Instant Ink runs out?
  2. How can my wife see information on our Instant Ink service?
  3. Plus there’s a third one regarding multiple HP accounts that I won’t get into here.

I decided to tackle the second support request first. So I found the support page, started a chat, and got a ticket number.

The first support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

The Instant Ink person asked for the error code that appeared when I tried to “invite” my wife. I explained that I didn’t know because it disappeared so quickly.

So I tried to invite my wife again, pointing my smartphone camera at the laptop screen so that I could take a picture of the error code the…um…instant that it appeared.

I successfully took the picture, and there was no error code. Just a message saying that I couldn’t invite my wife because she already had an HP personal account. And to contact support.

The Instant Ink specialist instructed me to click on a link, then closed the support ticket.

I clicked on the link…and was asked to create a new support ticket.

The second support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

(Yes, there’s a lot of repetition in this post.)

By this time I tried to boil my request down to a simple question: how can my wife see Instant Ink shipment status and request support on her own?

The Instant Ink specialist went quiet for a while, and finally—over an hour after I started the initial support chat—provided the solution to my problem.

Give my wife my HP login and password. And sure, she’ll have no problem contacting support, even though I’m the named user.

Suffice it to say that I was not pleased.

A systemic problem

But to be fair, none of the 4 support people I talked to could have solved my problem.

Because HP has made the underlying assumption that its Instant Ink service can only be managed by one person, not two.

And HP is not alone in this. There are multiple services that assume single person management. This affects married couples often, where one spouse is the named user for a service but knows nothing about it because spouse 2 handles it.

This results in a number of conversations like this:

SERVICE: John?

WIFE: No, this is his wife.

SERVICE: I need John’s authorization to continue.

WIFE: (carries phone to me in the Bredemarket world headquarters) Amazing and wonderful husband, could you authorize me to discuss our account?

(Some portions of this conversation may have been fictionalized.)

ME: Hello, this is John.

SERVICE: John, what is your date of birth?

This is not a technology issue, but an organizational issue. Except where laws (such as HIPAA) regulate this, an organization should allow multiple people to be assigned to a service or other NPE, each with their own credentials, rather than pushing customers toward sharing a login and password.

It would make my—I mean our lives easier.

Identity-Bound Non-Person Entities

In my writings on non-person entities (NPEs), I have mentally assumed that NPEs go their own way and do their own thing, separate from people. So while I (John Bredehoft) have one set of permissions, the bot N. P. E. Bredemarket has “his” own set of permissions.

Not necessarily.

Anonybit and SmartUp have challenged my assumption, saying that AI agents could be bound to human identities.

“Anonybit…announced the first-ever live implementation of agentic commerce secured by decentralized biometrics, marking a significant milestone in the evolution of enterprise AI.

“Through a strategic partnership with SmartUp, a no-code platform for deploying enterprise AI agents, Anonybit is powering authenticated, identity-bound agents in real-world order, payment, and supply chain workflows….

“Anonybit’s identity token management system enables agents to operate on behalf of users with precise, auditable authorization across any workflow—online, in-person, or automated.”

So—if you want to—all your bot buddies can be linked to you, and you bear the responsibility for their actions. Are you ready?

(Imagen 4)

What is the Form I-9?

I am clearly not the Form I-9 expert—see Janice Kephart and her company ZipID for the full understanding. But this introduces why we have the U.S. Form I-9, how it keeps employers and employees within the law, and what it can do to stop North Koreans from robbing companies blind.

Why

Someone can’t just waltz into a U.S. employer and start working. Legally, anyway.

While there are numerous requirements that you have to meet before starting a job, the one that concerns us here is that only certain people are legally authorized to work.

To check this is a two part process:

  • To check the identity of the person.
  • To check the employment authorization of the person.

Both are necessary. It does no good to determine that Sam Smith is authorized if Sam Smith is really Kim Jong Spy.

Now you don’t have to be a U.S. citizen to work here. I’ve worked with a number of green card holders from France and other countries. I’ve worked with a number of temporary visa holders in which the visa permits the person to work for pay.

But student visa holders usually can’t work.

And people who are just visiting the country usually can’t work.

And finally, people who slip across the border can’t work.

How

So how do we make sure that people who work here are identified and authorized?

Via the completion of the U.S. Citizenship and Immigration Services Form I-9.

“Use Form I-9, Employment Eligibility Verification, to verify the identity and employment authorization of individuals hired for employment in the United States. All U.S. employers must properly complete Form I-9 for every individual they hire for employment in the United States. This includes citizens and aliens. Both employees and employers (or authorized representatives of the employer) must complete the form.”

The employee starts the ball rolling by proving that they are who they say they are, and that they are authorized to work here. To do this, they provide information and documents, including at least some of the following:

  • Full name
  • Address
  • Date of birth
  • Social Security Number (not a Taxpayer Identification Number)
  • U. S. citizenship or immigration status (there are multiple options here, ranging from U.S. citizen to “alien authorized to work”)
  • Other numbers as necessary, such as a USCIS number
  • One or more of “List A,” “List B,” and/or “List C” documents

The most powerful of the acceptable documents are List A documents, which prove both identity and employment authorization. A U.S. Passport or a Permanent Resident Card are the most common documents here, but if you have a passport from the Federated States of Micronesia you may still be good to go.

(Image: Passport, Federated States of Micronesia. Blagomeni, CC BY-SA 3.0.)

If you don’t have a List A document, then you need one List B (identity) and one List C (authorization) document.

  • List B includes driver’s licenses (REAL ID or no, even Canadian), school ID cards, voter IDs, tribal documents, and others that establish identity in some way.
  • List C includes Social Security cards, birth certificates, and other authorization documents.

After the employee provides all this and completes Section 1 of Form I-9, the employer checks it and completes Section 2 of the form. The documentation must “reasonably” appear to be genuine. 

What

But…if this whole system relies on the employer saying “looks good to me,” how does this keep Kim Jong Spy from illegally working at Palantir and stealing state secrets and American technology?

One, the information and the document checks are worth something. An employer is unable to truly verify that a driver’s license or a passport is not fraudulent, especially if the remote employee never visits the employer in person, and the completed Form I-9 stays in the employer’s files rather than going to USCIS. But employers that use E-Verify do submit the Section 1 data to the government for checking against SSA and DHS records, and if 10 people use the same Social Security Number they will be flagged.

Two, employers that repeatedly flout U.S. employment law can get in trouble. As I detailed in a LinkedIn post, this could include five years of prison time.

So that’s a powerful disincentive for unintentionally or intentionally hiring Kim Jong Spy.

And if the Form I-9 seems like a lot of work, and you wish you could automate it…see ZipID. In addition to everything else, it can compare a live face with the submitted photo ID…because.

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bala Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer, as documented by CISA) can happen to anyone, and the data owner carries the consequences even when the vulnerable software belongs to a vendor.

Be cautious, and remember that others with good intentions might not be cautious enough.

Saving Money When Filling Prescriptions: Not You, The Companies

Healthcare is complicated. When most of us receive prescriptions from our doctor, either the doctor gives us a physical slip of paper with the prescription, or the doctor electronically sends the prescription to your pharmacy of choice. After that, you deal with the pharmacy yourself. Normally it goes smoothly. Sometimes it doesn’t.

  • Maybe the patient’s insurance company doesn’t cover the prescription, or charges an exorbitant price for it.
  • Maybe the patient never picks the prescription up. (The industry term is “adherence.”)

There are a lot of companies that want to help drug companies, physicians, and others make this process more seamless and less costly (for example, by maximizing gross-to-net, or GTN).

How many companies want to help? One afternoon I estimated that 30 companies are in this market. Based upon past experience in the identity verification industry (namely, all those battlecards my team created), this means that there are probably really more than 100 companies in the market.

While the companies obviously have to please the patients who need the prescriptions, they’re not critically important because the patients (usually) don’t pay the companies for the improved service.

So the companies have to sell others on their services.

Alto Technologies: “Alto Technologies’ configurable platform integrates hub and dispensing capabilities into an automated and seamless single service provider solution that improves patient experience and reduces administrative burden.”

Medisafe: “Patient support begins with onboarding and continues throughout treatment, with intuitive guidance throughout every encounter. From initial prescription to benefits investigation and authorization to shipment tracking, patients receive streamlined support with educational information and real-time updates.”

Phil: “Streamline medication access for your patients and providers. Our digital hub platform empowers retail and specialty-lite manufacturers with an alternative channel solution…”

Truepill: “Whether you’re an established brand looking to reach your patients directly, or an emerging company planning your go-to-market strategy, Virtual Pharmacy is the digital pharmacy solution built to scale.”

Of course, there are many more.

And they all need to tell their stories…

On Attribute-Based Access Control

In this post I’m going to delve more into attribute-based access control (ABAC), comparing it to role-based access control (RBAC, or what Printrak BIS used), and directing you to a separate source that examines ABAC’s implementation.

(Delve. Yes, I said it. I told you I was temperamental. I may say more about the “d” word in a subsequent post.)

But first I’m going to back up a bit.

Role-based access control

As I noted in a LinkedIn post yesterday:

Back when I managed the Omnitrak and Printrak BIS products (now part of IDEMIA’s MBIS), the cool kids used role-based access control.

My product management responsibilities included the data and application tours, so user permissions fell upon me. Printrak BIS included hundreds of specific permissions that governed its use by latent, tenprint, IT, and other staff. But when a government law enforcement agency onboarded a new employee, it would take forever to assign the hundreds of necessary permissions to the new hire.

Enter roles, as a part of role-based access control (RBAC).

If we know, for example, that the person is a latent trainee, we can assign the necessary permissions to a “latent trainee” role.

  • The latent trainee would have permission to view records and perform primary latent verification.
  • The latent trainee would NOT have permission to delete records or perform secondary latent verification.

As the trainee advanced, their role could change from “latent trainee” to “latent examiner” and perhaps to “latent supervisor” some day. One simple change, and all the proper permissions are assigned.

But what of the tenprint examiner who expresses a desire to do latent work? That person can have two roles: “tenprint examiner” and “latent trainee.”

Role-based access control certainly eased the management process for Printrak BIS’ government customers.

But something new was brewing…

Attribute-based access control

As I noted in my LinkedIn post, the National Institute of Standards and Technology released guidance in 2014 (since revised). The document is NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and is available at https://doi.org/10.6028/NIST.SP.800-162.

Compared to role-based access control, attribute-based access control is a teeny bit more granular.

Attributes are characteristics of the subject, object, or environment conditions. Attributes contain information given by a name-value pair.

A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes. For the purpose of this document, assume that subject and user are synonymous.

An object is a system resource for which access is managed by the ABAC system, such as devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks.

An operation is the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, copy, execute, and modify.

Policy is the representation of rules or relationships that makes it possible to determine if a requested access should be allowed, given the values of the attributes of the subject, object, and possibly environment conditions.

So before you can even start to use ABAC, you need to define your subjects and objects and everything else.

Frontegg provides some excellent examples of how ABAC is used in practical terms. Here’s a government example:

For example, a military officer may access classified documents only if they possess the necessary clearance, are currently assigned to a relevant project, and are accessing the information from a secure location.

Madame Minna Craucher (right), a Finnish socialite and spy, with her chauffeur Boris Wolkowski (left) in 1930s. By Anonymous – Iso-Markku & Kähkönen: Valoa ja varjoa: 90 kuvaa Suomesta, s. 32. (Helsinki 2007.), Public Domain, https://commons.wikimedia.org/w/index.php?curid=47587700.

While (in my completely biased opinion) Printrak BIS was the greatest automated fingerprint identification system of its era, it couldn’t do anything like THAT. A Printrak BIS user could have a “clearance” role, but Printrak BIS had no way of knowing whether a person is assigned to an appropriate project or case, and Printrak BIS’ location capabilities were rudimentary at best. (If I recall correctly, we had some capability to restrict operations to particular computer terminals.)

As you can see, ABAC goes far beyond whether a PERSON is allowed to do things. It recognizes that people may be allowed to do things, but only under certain circumstances.
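To make the contrast concrete, here is an added example (not code from the original post, from Printrak BIS, or from NIST SP 800-162) that implements both models side by side: an RBAC check where a user’s permissions are the union of their roles, and an ABAC check where a deny-by-default policy is evaluated over subject, object, and environment attributes. The role names, permissions, attribute names (clearance, projects, classification, project, location), and sample values are all illustrative assumptions. The RBAC half reproduces the latent trainee/examiner scenario above; the ABAC half reproduces the Frontegg military-officer example, including the cases RBAC alone cannot express (wrong project, insecure location).

```python
# Added example (not code from the original post, Printrak BIS, or NIST SP 800-162).
# Contrasts role-based access control (permissions attached to roles) with
# attribute-based access control (a policy evaluated over subject, object and
# environment attributes). Role names, permissions, attribute names and sample
# values are illustrative assumptions.

# ---------- RBAC: a user's permissions are the union of their roles ----------

ROLE_PERMISSIONS = {
    "latent trainee": {"view_record", "primary_latent_verify"},
    "latent examiner": {"view_record", "primary_latent_verify",
                        "secondary_latent_verify"},
    "latent supervisor": {"view_record", "primary_latent_verify",
                          "secondary_latent_verify", "delete_record"},
    "tenprint examiner": {"view_record", "tenprint_verify"},
}


def rbac_permissions(roles):
    """Union of the permissions granted by each role; an unknown role grants nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allowed(roles, operation):
    """RBAC decision: allowed iff at least one of the user's roles grants the operation."""
    return operation in rbac_permissions(roles)


# ---------- ABAC: deny by default, grant only when every condition holds ----------

CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def clearance_covers(subject, obj, env):
    """Subject clearance must be at least the object's classification.
    A missing or unknown clearance ranks below everything, so it never passes."""
    have = CLEARANCE_RANK.get(subject.get("clearance"), -1)
    need = CLEARANCE_RANK.get(obj.get("classification"), len(CLEARANCE_RANK))
    return have >= need


def assigned_to_project(subject, obj, env):
    """Object attribute (project) checked against a subject attribute (projects)."""
    return obj.get("project") in subject.get("projects", set())


def from_secure_location(subject, obj, env):
    """Environment condition: where the request comes from, not who makes it."""
    return env.get("location") == "secure"


# Each policy names the operations it covers and the conditions that must ALL hold.
POLICIES = [
    {
        "name": "read classified document",
        "operations": {"read"},
        "conditions": [clearance_covers, assigned_to_project, from_secure_location],
    },
    {
        "name": "read unclassified document",
        "operations": {"read"},
        "conditions": [lambda s, o, e: o.get("classification") == "unclassified"],
    },
]


def abac_decision(subject, obj, env, operation):
    """Returns (allowed, reason). If no policy matches, the answer is deny."""
    for policy in POLICIES:
        if operation not in policy["operations"]:
            continue
        if all(cond(subject, obj, env) for cond in policy["conditions"]):
            return True, policy["name"]
    return False, "no matching policy"


if __name__ == "__main__":
    # RBAC: a tenprint examiner who is also a latent trainee gets both permission sets.
    print(sorted(rbac_permissions(["tenprint examiner", "latent trainee"])))
    # ABAC: same officer, same document, different environment -> different answer.
    officer = {"clearance": "secret", "projects": {"ORION"}}
    doc = {"classification": "secret", "project": "ORION"}
    print(abac_decision(officer, doc, {"location": "secure"}, "read"))
    print(abac_decision(officer, doc, {"location": "home"}, "read"))
```

Note the asymmetry: in the RBAC half, nothing about the document or the request context ever enters the decision, which is exactly the limitation described above. In the ABAC half, a missing attribute (no clearance, no project list, no location) falls through to deny rather than to allow, which is the safe default when an attribute source is unavailable.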

Implementing attribute-based access control

As I noted, it takes a lot of front-end work to define an ABAC implementation. I’m not going to delve into that complexity, but Gabriel L. Manor did, touching upon topics such as:

  • Policy as Code
  • Unstructured vs. Structured Rules
  • Policy configuration using the Open Policy Administration Layer (OPAL)

You can read Manor’s thoughts here (“How to Implement Attribute-Based Access Control (ABAC) Authorization?”).

And there are probably ways to simplify some of this.