Gartner Research

RBAC? ABAC? XACML? EAM? Making Sense of Authorization

Published: 19 March 2014

ID: G00261980

Analyst(s): Nick Nikols


Deciding who can do what with which data is not easy, but it is the ultimate charter of IAM professionals in the service of information security. Regardless of whether they are protecting cloud-based or legacy applications, IAM teams must understand how, where and when authorization works.

Table Of Contents


  • When Can Decisions Be Made?
    • Time of Administration — Admin-Time Authorization
    • Time of Action — Runtime Authorization
    • When to Use Admin-Time Versus Runtime Authorization
  • Where Can Decisions Be Made?
    • Embedded Authorization
    • Externalized Authorization
    • When to Use Embedded Versus Externalized Authorization
  • How Can Decisions Be Modeled?
    • Visualizing Complex Decisions
    • Role-Based Access Control
    • Attribute-Based Access Control
    • Extensible Access Control Markup Language
    • Selecting a Modeling Methodology
  • Other Authorization Considerations
    • Granularity
    • Performance
  • Combining Authorization Techniques
  • Strengths
    • Strengths of Admin-Time Authorization
    • Strengths of Runtime Authorization
    • Strengths of Embedded Authorization
    • Strengths of Externalized Authorization
  • Weaknesses


  • Leave Well Enough Alone
  • Deploy Proxies to Ease Into Runtime Externalization
  • Look for Widespread Pain If Retrofits Are Required
  • Progress Slowly Toward Finer-Grained Decisions
  • Enlist Enforcement Points as Force Multipliers
  • Let Go of Dogma

The Details

  • Blueprint for an XACML-Based EAM Architecture
    • 1. Build Policies via a Policy Administration Point (PAP)
    • 2. Store the Policy
    • 3. Request a Decision via a Policy Enforcement Point
    • 4. Render a Decision at the PDP
    • 5. Gather Extra Attributes as Needed
    • 6. Evaluate Rule Conditions
    • 7. Enforce the Decision
  • XACML in Detail
    • Policies
    • XACML Policy in Action
    • Requests
    • Responses
  • Proper Placement of Policy Enforcement Points
    • Application Code
    • Application Container
    • Web Services Tier
    • Data Tier
    • Federation IDP, STS and SP
    • Policy "PEPs"
  • Alternatives to XACML-Based EAM
    • Web Access Management as Proxies
    • API Management Tools
    • Business Rules Languages and Engines

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.