XACML

The Entitlement Server is a decision engine that evaluates security policies to provide granular access control to an organization’s resources.

Fine-grained authorization has been a challenge for software architects. For many years, developers have embedded authorizations within applications. Sophisticated infrastructure services enabling fine-grained authorizations were not available and developers were forced to code authorization decisions in their applications. Modern architectures, which separate infrastructure and application functions, as well as new compliance mandates for more granular access control and policy transparency, demand entitlement management services.

Attribute Based Access Control

  • Fine-grained access control policies based on subject, resource, environment and action attributes
  • XACML 2 Implementation
  • Portable and reusable policies enforceable across multiple platforms
  • As more attributes are involved, the number of roles and permissions explodes under RBAC; ABAC is needed even though it is more complex than RBAC
  • All aspects of access request are identified by attributes
  • Rules Engine Integration

The OpenIAM Access Manager uses an architectural model that externalizes policy and authorization decisions from within applications to a policy based, context aware authorization service that controls access to resources. Policy Enforcement Points are the locations where the policies are enforced and security decisions about access to a resource are implemented.

Policies are rules that define what action, if any, a user can take on a resource. These policies may be simple or complex. Simple policies may be expressed in terms of privileges such as Read, Write, Update, or Delete. More complex policies may be used to address scenarios such as access based on geographic location or time restrictions. For example, a user’s profile may indicate that he or she is based in North America while the request may be coming from Asia. A policy can be defined to control such behavior.
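The location scenario above, written as an XACML 2.0 policy. This is an added example, not a policy shipped with OpenIAM: the resource name, the region attribute identifiers (urn:example:...) and the assumption that the PEP supplies the caller's region as an environment attribute are all constructed for illustration. It shows how a subject attribute (home region), an environment attribute (region of the incoming request), a resource attribute and an action attribute combine in one policy, and how the deny-overrides rule-combining algorithm makes the location check win over the ordinary read permission.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not OpenIAM's own policy. Attribute ids under urn:example:* are assumed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:payroll-region-check"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>
    Read access to the payroll report is permitted only when the request
    originates from the user's home region. Any Deny result overrides Permit.
  </Description>

  <!-- Policy target: applies only to the (constructed) resource "payroll-report" -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">payroll-report</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- Rule 1: Deny when the subject's home region differs from the request's region.
       Evaluated first and, under deny-overrides, decisive whenever it fires. -->
  <Rule RuleId="deny-when-region-mismatch" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- subject attribute from the user's profile (assumed id) -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:example:subject:home-region"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <!-- environment attribute supplied by the PEP for this request (assumed id) -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <EnvironmentAttributeDesignator
                AttributeId="urn:example:environment:request-region"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: Permit the "read" action. Only reached with effect if Rule 1 did not deny. -->
  <Rule RuleId="permit-read" Effect="Permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
</Policy>
```

With this policy, a request carrying home-region "NA" and request-region "NA" for action "read" evaluates to Permit; the same request with request-region "APAC" evaluates to Deny because Rule 1 fires and deny-overrides discards the Permit from Rule 2. A "write" request from the home region matches neither rule and yields NotApplicable, which a PEP should treat as a denial rather than as a grant. The string-one-and-only wrapper is what turns a missing region attribute into an Indeterminate result instead of a silent match, so the PEP sees that the decision could not be made.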