Pakkit.net
← Back to blog

Security

Access Control Is a Pipeline, Not a Switch

Granting someone access feels like flipping a switch, but in most real environments it's a multi-stage pipeline — create, own, assign, link, sync — and the change usually isn't live until some later event actually re-reads it.

  • Security
  • Access Control
  • Operations
  • Identity

“Give them access” sounds like an instant, atomic thing — flip a bit, done. Then you actually do it in a real corporate environment and discover it’s nothing of the sort. Access is a pipeline: a group gets created in one system, ownership assigned in another, the user added in a third, that group linked to the resource in a fourth — and then, the part that gets everyone, none of it takes effect until some downstream event re-reads the membership. Treating access as a switch is how you confidently tell someone “you’re all set” and then watch them bounce off a permission denied.

The switch model is a lie we tell ourselves

The mental model most of us carry is binary: a user either has access or doesn’t, and granting it is one action. That’s almost never how it works once identity, directory groups, and a resource platform are involved. Each of those is its own system with its own state, and “access” is the emergent result of all of them agreeing. Any one stage lagging or misconfigured means the user is, functionally, still locked out — even though you did “the step.”

Access isn’t a bit you flip. It’s a chain of systems that all have to agree, and the user gets in only when the last one catches up.

Each stage is a place it silently stalls

Walk a typical enterprise grant and count the handoffs: create the access group → assign someone to own/approve it → add the user to the group → link the group to the actual project or resource → wait for that membership to propagate. Five stages, five different places the chain can quietly stop:

  • The group exists but has no owner, so no one can approve adds.
  • The user’s added to the group but the group isn’t linked to the resource.
  • Everything’s correct but directory replication hasn’t propagated yet.
  • The link’s in place but the platform hasn’t re-synced the membership.

Every one of those looks “done” from the stage before it. The pipeline framing matters because it tells you where to look when access doesn’t work: not “is the switch on?” but “which stage is the chain stuck at?”

The one that gets everyone: sync on login

The detail that burned me, and that I now check first: in a lot of single-sign-on setups, group membership syncs only when the user logs in. You can do every step perfectly — create, own, add, link — and the person still can’t get in, because their session predates the change and nothing re-read their groups. The fix is almost insultingly simple: log out and back in. But until you know the sync is login-triggered, you’ll burn an afternoon convinced something’s broken when the system is just waiting for the event that refreshes it.

This generalizes way past SSO. All over systems, a change isn’t live when you make it — it’s live when something re-reads it. A config file edited but not reloaded. A DNS record updated but cached. A permission granted but not re-synced. The write and the take-effect are two separate moments, and confusing them is a perennial source of “but I already did that.”

A change isn’t applied until something applies it

So the habit worth building is to always ask, for any change: what event makes this take effect, and has it happened? Saving isn’t applying. Granting isn’t syncing. Until you can name the trigger — a login, a reload, a cache expiry, a propagation interval — and confirm it fired, the change is staged, not done. It’s the access-control cousin of a permission you granted needing the user to re-authenticate, and it rhymes with when in doubt, suspecting the cache: the new value exists, something’s just still serving the old one.

Map the pipeline once, save yourself forever

The payoff for treating access as a pipeline is that you can write it down — the stages, who owns each, the propagation delays, the magic “log out and back in” step — and turn a recurring mystery into a checklist. Onboarding stops being folklore. When access doesn’t work, you walk the stages instead of guessing, and you verify the final trigger actually ran instead of assuming the grant was instant. Least-privilege and clean ownership are the security wins; the operational win is simply never again telling someone “you’re all set” when they’re one un-fired event short of it. This is the access-shaped version of treating security as architecture, not decoration and governing tool access deliberately. If you maintain an onboarding runbook that finally tamed this, I’d love to compare notes.