RBAC? ABAC? XACML? EAM? Making Sense of Authorization

Archived. Published: 19 March 2014. ID: G00261980

Deciding who can do what with which data is not easy, but it is the ultimate charter of IAM professionals in the service of information security. Regardless of whether they are protecting cloud-based or legacy applications, IAM teams must understand how, where and when authorization works.

Table of Contents

  • Analysis
    • When Can Decisions Be Made?
      • Time of Administration — Admin-Time Authorization
      • Time of Action — Runtime Authorization
      • When to Use Admin-Time Versus Runtime Authorization
    • Where Can Decisions Be Made?
      • Embedded Authorization
      • Externalized Authorization
      • When to Use Embedded Versus Externalized Authorization
    • How Can Decisions Be Modeled?
      • Visualizing Complex Decisions
      • Role-Based Access Control
      • Attribute-Based Access Control
      • Extensible Access Control Markup Language
      • Selecting a Modeling Methodology
    • Other Authorization Considerations
      • Granularity
      • Performance
    • Combining Authorization Techniques
    • Strengths
      • Strengths of Admin-Time Authorization
      • Strengths of Runtime Authorization
      • Strengths of Embedded Authorization
      • Strengths of Externalized Authorization
    • Weaknesses
  • Guidance
    • Leave Well Enough Alone
    • Deploy Proxies to Ease Into Runtime Externalization
    • Look for Widespread Pain If Retrofits Are Required
    • Progress Slowly Toward Finer-Grained Decisions
    • Enlist Enforcement Points as Force Multipliers
    • Let Go of Dogma
  • The Details
    • Blueprint for an XACML-Based EAM Architecture
      • 1. Build Policies via a Policy Administration Point (PAP)
      • 2. Store the Policy
      • 3. Request a Decision via a Policy Enforcement Point
      • 4. Render a Decision at the PDP
      • 5. Gather Extra Attributes as Needed
      • 6. Evaluate Rule Conditions
      • 7. Enforce the Decision
    • XACML in Detail
      • Policies
      • XACML Policy in Action
      • Requests
      • Responses
    • Proper Placement of Policy Enforcement Points
      • Application Code
      • Application Container
      • Web Services Tier
      • Data Tier
      • Federation IDP, STS and SP
      • Policy "PEPs"
    • Alternatives to XACML-Based EAM
      • Web Access Management as Proxies
      • API Management Tools
      • Business Rules Languages and Engines
  • Gartner Recommended Reading
© 2014 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.