Attribute Based Access Control

Entitlement Server
The Entitlement Server is a decision engine that evaluates security policies to provide granular access control to an organization’s resources.
Fine-grained authorization has been a challenge for software architects. For many years, developers have embedded authorizations within applications. Sophisticated infrastructure services enabling fine-grained authorizations were not available and developers were forced to code authorization decisions in their applications. Modern architectures, which separate infrastructure and application functions, as well as new compliance mandates for more granular access control and policy transparency, demand entitlement management services.
The OpenIAM Access Manager uses an architectural model that externalizes policy and authorization decisions from within applications to a policy based, context aware authorization service that controls access to resources. Policy Enforcement Points are the locations where the policies are enforced and security decisions about access to a resource are implemented.
Policies are rules that define what action, if any, a user can take on a resource. These policies may be simple or complex. Simple policies may be expressed in terms of privileges such as Read, Write, Update, or Delete. More complex policies may be used to address scenarios such as access based on geographic location or time restrictions. For example, a user’s profile may indicate that he or she is based in North America while the request may be coming from Asia. A policy can be defined to control such behavior.


In OpenIAM XACML, policies are centrally managed through an administration console and are based on the XACML standard. A request received at a Policy Enforcement Point (PEP) to access a resource is evaluated at a Policy Decision Point (PDP), and the decision is conveyed back to the PEP. The PDP serving a PEP evaluates one or more PolicySets. If the target of a PolicySet matches the request target, that PolicySet is deemed applicable to the request; otherwise a “Not Applicable” decision is returned to the PEP.
A PolicySet may contain one or more Policies, and each of them is matched for applicability to the request by comparing its target to the request target. If more than one Policy is applicable, a Policy-Combining Algorithm is applied to combine their results into a single decision.
- Each policy results in deny, permit, indeterminate or not applicable.
- The Policy-Combining Algorithm determines how the results are combined.
- The decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the Policy-Combining Algorithm.
- The Permit-Overrides algorithm results in a permit if just one policy results in a permit.
- OpenIAM Entitlement Server has four default Policy-Combining Algorithms out of the box to choose from.
A Policy has several Rules:
- Each rule results in deny, permit, indeterminate or not applicable.
- The Rule-Combining Algorithm specifies how the results are combined when evaluating the policy.
- The decision value placed in the response context by the PDP is the value of the policy, as defined by the Rule-Combining Algorithm.
- The Deny-Overrides algorithm results in a deny if just one rule results in a deny.
- OpenIAM Entitlement Server has four default Rule-Combining Algorithms out of the box to choose from.
Obligations are actions to be taken by the PEP upon receiving a response, such as sending an email.
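The evaluation chain described above (PEP request, PDP, PolicySet target check, Policy-Combining and Rule-Combining Algorithms, obligations returned with the decision) is easier to see in a small working model. The following is an added example written for this page; it is not OpenIAM code or the OpenIAM API. It implements simplified Deny-Overrides and Permit-Overrides combiners and a constructed PolicySet that includes the geographic policy from the text (a North America profile, a request from Asia). The attribute names (`resource`, `action`, `subject.role`, `subject.region`, `request.region`) and the obligation id are assumptions made for the illustration.

```python
"""Toy XACML-style PDP (added example, not OpenIAM's code or API).

Models PEP -> PDP -> PolicySet -> Policy -> Rule: targets decide applicability,
combining algorithms merge child results, and obligations ride back to the PEP
with the decision.  Attribute names and the sample policies are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The four XACML decision values a rule, policy or policy set can produce.
PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"

Request = Dict[str, str]                  # flat attribute bag assembled by the PEP
Target = Dict[str, str]                   # attribute values that must all match
Combiner = Callable[[List[str]], str]


def target_matches(target: Target, request: Request) -> bool:
    """A target applies when every attribute it names equals the request's value."""
    return all(request.get(k) == v for k, v in target.items())


@dataclass
class Rule:
    effect: str                                   # PERMIT or DENY
    target: Target = field(default_factory=dict)
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, request: Request) -> str:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE
        try:
            return self.effect if self.condition is None or self.condition(request) else NOT_APPLICABLE
        except KeyError:
            # A missing attribute yields Indeterminate, never a silent Permit.
            return INDETERMINATE


def deny_overrides(results: List[str]) -> str:
    """Simplified Deny-Overrides: a single Deny is enough to deny."""
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def permit_overrides(results: List[str]) -> str:
    """Simplified Permit-Overrides: a single Permit is enough to permit."""
    for decision in (PERMIT, INDETERMINATE, DENY):
        if decision in results:
            return decision
    return NOT_APPLICABLE


@dataclass
class Policy:
    rules: List[Rule]
    combine: Combiner = deny_overrides            # Rule-Combining Algorithm
    target: Target = field(default_factory=dict)
    obligations: List[Tuple[str, str]] = field(default_factory=list)  # (fulfil_on, obligation_id)

    def evaluate(self, request: Request) -> str:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE
        return self.combine([rule.evaluate(request) for rule in self.rules])


@dataclass
class PolicySet:
    policies: List[Policy]
    combine: Combiner = deny_overrides            # Policy-Combining Algorithm
    target: Target = field(default_factory=dict)

    def evaluate(self, request: Request) -> Tuple[str, List[str]]:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE, []
        results = [policy.evaluate(request) for policy in self.policies]
        decision = self.combine(results)
        # Obligations are returned from policies whose own result equals the final decision.
        obligations = [oid for policy, result in zip(self.policies, results) if result == decision
                       for fulfil_on, oid in policy.obligations if fulfil_on == decision]
        return decision, obligations


# --- constructed sample PolicySet for a "docs" resource (hypothetical) ---------------
privilege_policy = Policy(
    rules=[
        Rule(PERMIT, target={"action": "Read"}),                               # anyone may read
        Rule(PERMIT, target={"action": "Update", "subject.role": "editor"}),   # editors may update
        Rule(DENY, target={"action": "Delete"}),                               # nobody deletes
    ],
)

# The geographic policy from the text: deny when the request origin differs from the profile.
geo_policy = Policy(
    rules=[Rule(DENY, condition=lambda r: r["subject.region"] != r["request.region"])],
    obligations=[(DENY, "email-security-team")],   # obligation the PEP must fulfil on Deny
)

DOCS_POLICY_SET = PolicySet(policies=[privilege_policy, geo_policy], target={"resource": "docs"})


def pdp_decide(request: Request, policy_set: PolicySet = DOCS_POLICY_SET) -> Tuple[str, List[str]]:
    """Entry point the PEP calls: returns (decision, obligations)."""
    return policy_set.evaluate(request)


if __name__ == "__main__":
    base = {"resource": "docs", "action": "Read", "subject.role": "viewer", "subject.region": "NA"}
    print(pdp_decide({**base, "request.region": "NA"}))     # ('Permit', [])
    print(pdp_decide({**base, "request.region": "Asia"}))   # ('Deny', ['email-security-team'])
```

Two points worth noting from running it: a request for a resource the PolicySet does not target comes back as NotApplicable, and a request missing an attribute the geographic rule needs comes back as Indeterminate. A PEP should treat both, not just Deny, as "no access", since only an explicit Permit authorizes the action.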