Authorization Overview
The Authorization tier adds Cedar-based policy enforcement to your AI infrastructure — answering the question: "Who can do what? And why?"
Services
Everything from Discovery & Registry, plus:
| Service | Purpose |
|---|---|
| wl-apdp | Cedar policy authorization engine |
| wl-apdp-frontend | Policy management dashboard |
What You Get
- Intent-based authorization — agents declare why they're taking each action, not just what
- Goal management — time-boxed, action-limited business objectives that scope all agent activity
- Delegation chains — cryptographically-verifiable trust paths from humans to agents
- Intelligent policy selection — 20-30x faster Cedar evaluation through automatic policy filtering
- Observation mode (default) — log all decisions without denying actions, then switch to enforcement when ready
- Shared database — agents discovered by wl-discover are immediately available for policy evaluation
Architecture
```
AI Agent (CrewAI, LangGraph, AutoGen)
        │
        ▼  Authorization Request
┌──────────────────────────────────────────────────┐
│                     WL-APDP                      │
│                                                  │
│  1. Intent validation  → "Why am I doing this?"  │
│  2. Goal validation    → "Active objective?"     │
│  3. Delegation check   → "Who authorized me?"    │
│  4. Policy evaluation  → "Do rules permit this?" │
│  5. Decision           → Allow/Deny + audit trail│
└──────────────────────────────────────────────────┘
```
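The five checks above and the difference between observation and enforcement mode can be modelled in a few lines. This is an added example, not wl-apdp code: the class names, field names, reason strings and the `permitted` set standing in for Cedar policies are all hypothetical, and the delegation check only tests that the chain is unbroken from a human to the agent (signature verification is left out).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Goal:                       # time-boxed, action-limited objective
    expires_at: datetime
    actions_left: int

@dataclass
class Request:
    agent: str
    action: str
    intent: str                   # declared reason for the action
    goal: "Goal | None"
    chain: list                   # (delegator, delegate) links, human first

@dataclass
class Pdp:                        # hypothetical model, not wl-apdp code
    permitted: set                # (agent, action) pairs standing in for Cedar policies
    enforce: bool = False         # observation mode is the default
    audit: list = field(default_factory=list)
    def _evaluate(self, r: Request, now: datetime) -> tuple:
        if not r.intent.strip():
            return "deny", "intent: none declared"
        if r.goal is None or now >= r.goal.expires_at:
            return "deny", "goal: no active objective"
        if r.goal.actions_left <= 0:
            return "deny", "goal: action limit reached"
        c = r.chain               # continuity only; signatures are not verified here
        if not (c and c[0][0].startswith("human:") and c[-1][1] == r.agent
                and all(a[1] == b[0] for a, b in zip(c, c[1:]))):
            return "deny", "delegation: no unbroken path from a human"
        if (r.agent, r.action) not in self.permitted:
            return "deny", "policy: no rule permits this"
        r.goal.actions_left -= 1
        return "allow", "all checks passed"

    def authorize(self, r: Request, now: datetime) -> str:
        decision, reason = self._evaluate(r, now)
        effective = decision if self.enforce else "allow"   # observe: log, never block
        self.audit.append((r.agent, r.action, decision, effective, reason))
        return effective

def demo(enforce: bool, now=datetime(2025, 1, 1, tzinfo=timezone.utc)) -> list:
    goal = Goal(now + timedelta(hours=1), actions_left=1)   # constructed sample data
    chain = [("human:alice", "agent:planner"), ("agent:planner", "agent:mailer")]
    pdp = Pdp({("agent:mailer", "send_email")}, enforce)
    for action in ("delete_mailbox", "send_email", "send_email"):
        pdp.authorize(Request("agent:mailer", action, "weekly report", goal, chain), now)
    return [(eff, dec, why) for _, _, dec, eff, why in pdp.audit]
```

In observation mode the audit trail still records the two would-be denials, which is the data to review before switching to enforcement.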
Shared Database
wl-registry and wl-apdp share a single PostgreSQL database with a normalized agents table. When wl-discover registers an agent, wl-apdp sees it immediately — no sync needed.
```
wl-discover → detects agent → registers in wl-registry
wl-apdp     → reads same agents table → agent available for policy evaluation
```
Next Steps
- Deployment — Deploy the Authorization tier
- Concepts — Intent-Goal authorization model
- Cedar Syntax — Write Cedar policies
- Policy Examples — Real-world patterns