Definition

Broken Function Level Authorization happens when an API does not properly restrict what actions (functions) a user is allowed to perform.

It focuses on:

• What users can DO (actions)

  not just

• What data users can SEE

Core idea

Even if a user is authenticated, they should only be allowed to execute functions that match their role and permissions.

If this fails, users can perform unauthorized actions such as:

• Changing account types
• Resetting other users’ passwords
• Deleting records
• Modifying system settings

Difference from BOLA

• BOLA: Accessing or modifying objects/data
• BFLA: Accessing or executing functions/actions

Common causes