HeadlinesBriefing.com

Uber's Charter System Revolutionizes Microservice Access Control

ByteByteGo

Uber's engineering team built Charter, a centralized authorization system that evaluates complex access control policies for thousands of microservices making millions of decisions daily. Traditional role-based access control proved inadequate for Uber's scale, where decisions must happen in microseconds across API calls, database queries, and Kafka messages.

Charter uses attribute-based access control (ABAC): each decision evaluates policy conditions against runtime attributes gathered from several sources. The model breaks an authorization request into four components: Actor, Action, Resource, and Context. Actors are identified by SPIFFE IDs, resources by Uber Object Name (UON) URIs, and policies reach services through a unified configuration system. Each service evaluates requests locally with the authfx library, so no remote call sits on the request path, which is what makes the microsecond budget achievable.

The ABAC approach lets Uber express business rules that static role-based policies cannot. For example, support representatives can access payment data only for customers in their assigned region, and employees can view profiles matching either their own ID or their manager's ID. Charter stores policies in a database and pushes updates to every relevant service, giving administrators a single place to define who can access what across the entire infrastructure.
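The two rules above, together with the Actor/Action/Resource/Context split and the local in-process evaluation described earlier, as an added example in Go that is not Charter's or Uber's code: a small deny-by-default ABAC evaluator. The SPIFFE trust domain `example.test`, the `uon:` prefixes, the attribute names (`actor.region`, `customer.region`, `profile.employee_id`, and so on) and the prefix-matching policy shape are all assumptions; the article does not describe Charter's actual policy language or types.

```go
package main

import (
	"fmt"
	"strings"
)

// Request carries Charter's four components; field shapes are assumed, not Charter's types.
type Request struct {
	Actor    string            // SPIFFE ID of the calling workload
	Action   string            // operation attempted, e.g. "read"
	Resource string            // UON URI of the target object (shape assumed)
	Context  map[string]string // runtime attributes gathered at decision time
}

// Condition is an ABAC predicate over the request's runtime attributes.
type Condition func(r Request) bool

// Policy targets an (actor, action, resource) shape and adds conditions that
// must all hold. Prefix matching stands in for whatever matcher Charter uses.
type Policy struct {
	Name           string
	ActorPrefix    string
	Action         string
	ResourcePrefix string
	When           []Condition
}

func (p Policy) targets(r Request) bool {
	return strings.HasPrefix(r.Actor, p.ActorPrefix) &&
		r.Action == p.Action &&
		strings.HasPrefix(r.Resource, p.ResourcePrefix)
}

// Evaluate is deny-by-default: the first targeting policy whose conditions all hold allows.
func Evaluate(policies []Policy, r Request) (grantedBy string, allowed bool) {
	for _, p := range policies {
		if !p.targets(r) {
			continue
		}
		ok := true
		for _, cond := range p.When {
			if !cond(r) {
				ok = false
				break
			}
		}
		if ok {
			return p.Name, true
		}
	}
	return "", false
}

// attrEquals holds only when both attributes are present and equal; a missing
// attribute fails closed instead of matching an empty string.
func attrEquals(a, b string) Condition {
	return func(r Request) bool {
		va, okA := r.Context[a]
		vb, okB := r.Context[b]
		return okA && okB && va == vb
	}
}

func anyOf(conds ...Condition) Condition {
	return func(r Request) bool {
		for _, c := range conds {
			if c(r) {
				return true
			}
		}
		return false
	}
}

// ExamplePolicies encodes the article's two rules; trust domain, UON prefixes and attribute names are invented.
var ExamplePolicies = []Policy{{
	Name:           "support-payments-own-region",
	ActorPrefix:    "spiffe://example.test/ns/prod/sa/support-portal",
	Action:         "read",
	ResourcePrefix: "uon:payments:",
	When:           []Condition{attrEquals("actor.region", "customer.region")},
}, {
	Name:           "profile-self-or-manager", // profile ID is the viewer's own or their manager's
	ActorPrefix:    "spiffe://example.test/ns/prod/sa/hr-portal",
	Action:         "read",
	ResourcePrefix: "uon:people:profile:",
	When: []Condition{anyOf(
		attrEquals("actor.employee_id", "profile.employee_id"),
		attrEquals("actor.manager_id", "profile.employee_id"),
	)},
}}

func main() {
	req := Request{Actor: "spiffe://example.test/ns/prod/sa/support-portal", Action: "read",
		Resource: "uon:payments:card:cust-42",
		Context:  map[string]string{"actor.region": "us-west", "customer.region": "us-west"}}
	fmt.Println(Evaluate(ExamplePolicies, req))
}
```

Two design points worth keeping if you build something like this: the evaluator denies unless a policy explicitly allows, and `attrEquals` treats an absent attribute as a failed condition. Without the second rule, a resource record that is missing its region field would compare equal to an actor record that is also missing one, and the "same region" check would silently pass.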