Gartner Research

A Systematic and Practical Approach to Optimizing Authorization Architecture

Published: 17 December 2015

ID: G00291477

Analyst(s): Homan Farahmand


Authorization is a key IAM control for managing operational risk that requires analytic and algorithmic capabilities. Many options, such as RBAC, ABAC, XACML, JSON, EAM and WAM, cause confusion. This report establishes the bigger picture of authorization with insight into related capability options.

Table Of Contents

Problem Statement

The Gartner Approach

The Guidance Framework

  • Authorization Use-Case Evaluation
    • What Granularity Is Appropriate for Risk Treatment?
    • When Can Authorization Decisions Be Made?
    • Where Can Decisions Be Made?
    • Combining Authorization Techniques
    • Performance Concerns
  • Authorization Decision Modeling
    • Visualizing Complex Decisions
    • The Art of Combining RBAC and ABAC Models
    • Selecting a Modeling Methodology
  • Authorization Policy Management and Distribution
    • Policy Authoring
    • Policy Expression
    • Policy Storage, Maintenance and Distribution
    • Policy Provisioning
  • Authorization Policy Enforcement
    • Key Standards and Tools
    • Proper Placement of Policy Enforcement Points

Risks and Pitfalls

  • Recommendations
    • Embrace Combined RBAC and ABAC Models
    • Sustain Adequate Governance and Executive Support for ABAC Initiatives
    • Formalize Runtime Authorization Policy Management Practices
    • Promote Adoption of Standard Authorization Architecture Patterns
    • Evaluate Authorization Standards While Considering Their Intended Purpose
    • Optimize Policy Management Authorities and Decision Points
    • Place Enforcement Points Across the Stack for Optimizing Performance

The Details

  • Granularity
  • Admin-Time and Runtime Authorization Use Cases
    • When Is Admin-Time Authorization Appropriate?
    • When Is Runtime Authorization Appropriate?
  • Embedded and Externalized Authorization Use Cases
    • When Is Embedded Authorization Appropriate?
    • When Is Externalized Authorization Appropriate?
  • RBAC and ABAC Models
    • Role-Based Access Control
    • Attribute-Based Access Control
  • Combined RBAC and ABAC Models
    • Dynamic Roles
    • Attribute-Centric
    • Role-Centric ABAC
  • Common Authorization Flow and Architectural Components
  • Authorization Technical Standards
    • XACML as a Foundational Model
    • JSON/REST for Authorization
    • XACML JSON/REST Profile
    • OAuth 2.0
    • Proposed Abbreviated Language for Authorization
  • Key Authorization Tools
    • Web Access Management
    • Externalized Authorization Management
    • API Gateway Tools
    • Business Rules Languages and Engines

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
