1 Management Summary
Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and informati ...
- Organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications often struggle with authorization
- Conventional group and role ...
3 Authorization Challenges
Many large, established organizations operate diverse portfolios of custom-developed, commercial off-the-shelf (COTS), and software-as-a-service (SaaS ...
- Billions of entitlements may be required for thousands of people (or subjects) times millions of data elements.
- Complexity grows when subjects mus ...
4 Authorization Requirements for the Future State
Amidst the fast-moving zeitgeist of the digital transformation, running a competitive company, effective government agency, or university requires con ...
4.1 Types of Authorization
Different types of authorization are required:
Initial Authorization: There is a difference – and an overlap – between authentication and autho ...
5 Authorization Frameworks
Many vendors will claim they have the solution to the authorization challenge. Directory vendors offer a consolidated directory to store groups; provi ...
- Governance: Admin time authorization management sets policy, handles access requests or access reviews, and provisions access.
- The policy models ...
5.1 Policy Models
Done properly, governance and runtime authorization come together in the policy models. Authorization policy models structure the actual criteria used ...
Access control groups are data structures containing a list of named users. Typically, a group also has one or more users defined as its owner. The fo ...
5.1.2 Role-Based Access Control (RBAC)
A role is a type of attribute describing what a user does in an organization or an application. RBAC is the name for various methodologies for using o ...
5.1.3 Attribute-Based Access Control (ABAC)
The ABAC model proposes a “unified field” for authorization policy models. In ABAC, all the following types of data are modeled as attributes:
- Su ...
5.1.4 Entitlements and Entitlements Sets
Entitlements are data items tracked to record what a subject can do with, or to, a resource, such as a file or application data object. The term “ ...
5.1.5 Access Policy Expressions (Rules)
Access policy expressions are rules that are used to evaluate attributes (including roles, group memberships, resource attributes, etc.) in an authori ...
5.2 Runtime Authorization
Runtime authorization is the real-time access policy enforcement at a gateway or resource level. Authorization decisions are made using policy model a ...
Table 1 lists typical types of runtime authorization patterns. Many of these patterns can be composed or combined in real-world use cases. For example, ...
Figure 4 depicts a basic “enterprise (web) application using PIP” authorization pattern. After a PEP authenticates the user (typically using a log ...
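As an added illustration of how the access policy expressions of 5.1.5 and the “enterprise application using PIP” runtime pattern of 5.2 fit together (this is example code, not part of the KuppingerCole note): the enforcement point collects the request, a policy information point supplies subject and resource attributes, and a decision function evaluates rules over subject, resource, action and environment attributes. The attribute stores, attribute names, rule names and the deny-overrides combining order are all constructed assumptions for the demonstration; the one design point worth noting is that an unmatched request falls through to a default deny rather than a default permit.

```python
"""Minimal rule-based ABAC evaluator showing the PEP / PIP / decision split.

Constructed example data throughout: the two dictionaries below stand in for
the directory, HR system or application database that a real PIP would query.
"""

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]
# A rule condition receives (subject, resource, action, environment) attributes.
Condition = Callable[[Attributes, Attributes, str, Attributes], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


# --- Policy information point (constructed stores) --------------------------
SUBJECT_STORE: Dict[str, Attributes] = {
    "alice": {"role": "analyst", "department": "finance", "clearance": 2},
    "bob": {"role": "contractor", "department": "it", "clearance": 1},
}
RESOURCE_STORE: Dict[str, Attributes] = {
    "q3-forecast.xlsx": {"owner_department": "finance", "classification": 2},
    "public-faq.md": {"owner_department": "marketing", "classification": 0},
}


def pip_lookup(subject_id: str, resource_id: str) -> Tuple[Attributes, Attributes]:
    """Resolve identifiers to attribute sets; unknown ids yield empty attributes."""
    return SUBJECT_STORE.get(subject_id, {}), RESOURCE_STORE.get(resource_id, {})


# --- Access policy expressions (constructed rules) --------------------------
POLICY: List[Rule] = [
    Rule("deny-contractors-outside-hours", "deny",
         lambda s, r, a, e: s.get("role") == "contractor"
         and not e.get("business_hours", False)),
    Rule("clearance-must-cover-classification", "deny",
         lambda s, r, a, e: s.get("clearance", 0) < r.get("classification", 0)),
    Rule("same-department-read", "permit",
         lambda s, r, a, e: a == "read"
         and s.get("department") == r.get("owner_department")),
    Rule("public-read", "permit",
         lambda s, r, a, e: a == "read" and r.get("classification", 0) == 0),
]


# --- Decision logic ----------------------------------------------------------
def decide(subject: Attributes, resource: Attributes, action: str,
           environment: Attributes, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Deny-overrides combining: any matching deny wins, then any matching
    permit, otherwise a default deny. Returns (decision, rule name)."""
    for effect in ("deny", "permit"):
        for rule in policy:
            if rule.effect == effect and rule.condition(subject, resource, action, environment):
                return effect, rule.name
    return "deny", "no-applicable-rule"


# --- Policy enforcement point ------------------------------------------------
def pep_authorize(subject_id: str, resource_id: str, action: str,
                  environment: Attributes) -> Tuple[str, str]:
    """What a gateway or application would call after authenticating the user."""
    subject, resource = pip_lookup(subject_id, resource_id)
    return decide(subject, resource, action, environment)


if __name__ == "__main__":
    for request in [("alice", "q3-forecast.xlsx", "read", {"business_hours": True}),
                    ("bob", "q3-forecast.xlsx", "read", {"business_hours": True}),
                    ("bob", "public-faq.md", "read", {"business_hours": False}),
                    ("alice", "q3-forecast.xlsx", "write", {"business_hours": True})]:
        print(request[:3], "->", pep_authorize(*request))
```

Because rules are ordinary predicates over attribute dictionaries, the same evaluator serves both admin-time testing of a policy (run candidate requests against it before publishing) and runtime enforcement behind a gateway; the returned rule name is what an audit log should record alongside the decision.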
The other runtime authorization patterns in Table 1 come into play when multiple IAM domains interact, when applications interact via APIs, and betwee ...
5.3 Admin Time Authorization
Access policy data must be created and managed for use in runtime authorization. Admin time authorization is the “access management” portion of IA ...
6 Putting the Pieces Together
An optimal authorization solution can be developed to meet complex requirements using a hybrid of RBAC and ABAC supported by appropriate admin time and r ...
KuppingerCole recommends organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications follow the guidance in this Note to deve ...
A dynamic authorization architecture combines RBAC, ABAC, and multiple admin time and runtime authorization patterns to create a flexible platform for ...