Deciding who can do what with which data is not easy, but it is the ultimate charter of IAM professionals in the service of information security. Regardless of whether they are protecting cloud-based or legacy applications, IAM teams must understand how, where and when authorization works.
Table of Contents
When Can Decisions Be Made?
- Time of Administration — Admin-Time Authorization
- Time of Action — Runtime Authorization
- When to Use Admin-Time Versus Runtime Authorization
Where Can Decisions Be Made?
- Embedded Authorization
- Externalized Authorization
- When to Use Embedded Versus Externalized Authorization
How Can Decisions Be Modeled?
- Visualizing Complex Decisions
- Role-Based Access Control
- Attribute-Based Access Control
- Extensible Access Control Markup Language
- Selecting a Modeling Methodology
Other Authorization Considerations
Combining Authorization Techniques
- Strengths of Admin-Time Authorization
- Strengths of Runtime Authorization
- Strengths of Embedded Authorization
- Strengths of Externalized Authorization
Leave Well Enough Alone
Deploy Proxies to Ease Into Runtime Externalization
Look for Widespread Pain If Retrofits Are Required
Progress Slowly Toward Finer-Grained Decisions
Enlist Enforcement Points as Force Multipliers
Let Go of Dogma
Blueprint for an XACML-Based EAM Architecture
- 1. Build Policies via a Policy Administration Point (PAP)
- 2. Store the Policy
- 3. Request a Decision via a Policy Enforcement Point
- 4. Render a Decision at the PDP
- 5. Gather Extra Attributes as Needed
- 6. Evaluate Rule Conditions
- 7. Enforce the Decision
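The seven blueprint steps above form one request/decision loop. The following is an added example, not code from the Gartner report or from any XACML product, that wires the loop together in plain Python: a PAP publishes a policy into a store, a PEP sends a request to a PDP, the PDP pulls missing subject attributes from a PIP, evaluates the rule conditions with deny-overrides combining, and the PEP enforces. The policy language, the hypothetical "patient-records" policy, and the subject directory are constructed for illustration; a real XACML PDP evaluates XML or JSON policy documents rather than Python callables. It also shows the failure mode a practitioner has to plan for: when an attribute is missing the PDP returns Indeterminate, and the PEP treats anything other than Permit as a refusal.

```python
"""Added example: minimal XACML-style externalized authorization loop.
PAP (1) -> store (2) -> PEP request (3) -> PDP (4) -> PIP attributes (5)
-> rule conditions (6) -> PEP enforcement (7). Not a real XACML engine."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Attrs = Dict[str, Any]
Condition = Callable[[Attrs], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str            # PERMIT or DENY
    condition: Condition   # evaluated against the enriched request


@dataclass
class Policy:
    policy_id: str
    target: Condition      # which requests the policy applies to at all
    rules: List[Rule]


class PolicyStore:         # step 2: policy lives outside application code
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}


class PAP:                 # step 1: the only component that writes policy
    def __init__(self, store: PolicyStore) -> None:
        self.store = store

    def publish(self, policy: Policy) -> None:
        self.store.policies[policy.policy_id] = policy


class PIP:                 # step 5: supplies attributes the PEP did not send
    def __init__(self, directory: Dict[str, Attrs]) -> None:
        self.directory = directory

    def lookup(self, subject_id: str) -> Attrs:
        return dict(self.directory.get(subject_id, {}))


class PDP:                 # steps 4 and 6: decide with deny-overrides combining
    def __init__(self, store: PolicyStore, pip: PIP) -> None:
        self.store, self.pip = store, pip

    def decide(self, request: Attrs) -> str:
        enriched = dict(request)
        enriched["subject"] = {**self.pip.lookup(request["subject"]["id"]), **request["subject"]}
        results: List[str] = []
        for policy in self.store.policies.values():
            if not policy.target(enriched):
                continue                       # policy is NotApplicable to this request
            for rule in policy.rules:
                try:
                    if rule.condition(enriched):
                        results.append(rule.effect)
                except KeyError:               # a referenced attribute is missing
                    results.append(INDETERMINATE)
        if not results:
            return NOT_APPLICABLE
        if DENY in results:
            return DENY
        if INDETERMINATE in results:
            return INDETERMINATE
        return PERMIT


class PEP:                 # steps 3 and 7: ask, then enforce; fail closed
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def allow(self, subject_id: str, action: str, resource: Attrs) -> bool:
        decision = self.pdp.decide({"subject": {"id": subject_id}, "action": action, "resource": resource})
        return decision == PERMIT              # Deny, NotApplicable and Indeterminate all refuse


def build_demo() -> PEP:
    """Wire the components with a constructed directory and one constructed policy."""
    directory = {  # constructed sample data, not from any real system
        "alice": {"role": "clinician", "department": "cardiology"},
        "bob": {"role": "clinician", "department": "oncology"},
    }
    store = PolicyStore()
    PAP(store).publish(Policy(
        policy_id="patient-records",           # hypothetical policy
        target=lambda r: r["resource"].get("type") == "patient-record",
        rules=[
            Rule("read-own-department", PERMIT, lambda r: r["action"] == "read"
                 and r["subject"]["role"] == "clinician"
                 and r["subject"]["department"] == r["resource"]["department"]),
            Rule("sealed-records", DENY, lambda r: r["resource"].get("sealed", False)
                 and r["subject"]["role"] != "records-officer"),
        ],
    ))
    return PEP(PDP(store, PIP(directory)))


if __name__ == "__main__":
    pep = build_demo()
    record = {"type": "patient-record", "department": "cardiology"}
    print(pep.allow("alice", "read", record))                      # True: Permit
    print(pep.allow("bob", "read", record))                        # False: NotApplicable
    print(pep.allow("alice", "read", {**record, "sealed": True}))  # False: Deny overrides Permit
    print(pep.allow("mallory", "read", record))                    # False: Indeterminate, no attributes
```

The point of the separation is that the application code holds only the PEP call; changing who may read sealed records is a PAP edit with no redeploy, which is the admin-time versus runtime trade the report's blueprint relies on. The combining algorithm and the fail-closed handling of Indeterminate are the two places where a hand-rolled PDP most often goes wrong.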
XACML in Detail
- XACML Policy in Action
Proper Placement of Policy Enforcement Points
- Application Code
- Application Container
- Web Services Tier
- Data Tier
- Federation IDP, STS and SP
- Policy "PEPs"
Alternatives to XACML-Based EAM
- Web Access Management as Proxies
- API Management Tools
- Business Rules Languages and Engines
Gartner Recommended Reading