We have a Go sample - customization-samples/extensibility/authorizer at master · temporalio/customization-samples · GitHub of how one can implement authorization logic. Temporal server by itself does not impose any authorization. It is the job of the pluggable Authorizer and ClaimMapper components. ClaimMapper is responsible for translating identity information of the caller, from the TLS cert and/or JWT token, into a set of role claims that Authorizer uses as input for authorization decisions.