Externalizing Fine-grained Authorization
By gsahoo-Oracle on Jun 30, 2014
As compliance requirements grow, organizations must control who may invoke application functions and who may read or modify data. Hard-wiring entitlement logic into each application leads to the following problems:
- A large share of application code, by the author's estimate almost one-fourth, exists only to implement authorization checks
- The application must be rebuilt and redeployed whenever the authorization conditions change over time
- Each application implements its own authorization rules with no common design or implementation, which makes corporate standards hard to enforce consistently across the organization
Oracle Entitlement Server (OES) is one solution for externalizing authorization: applications no longer have to define or implement their own authorization policies.
A centralized authorization service can be reused to control many applications, and policy administrators define policies in a single place, where they can be checked against the organization's compliance and regulatory requirements. Entitlements can then be reviewed for accuracy against a corporate standard, and applications no longer need to be modified or redeployed to adopt a new policy.
Overview of Oracle Entitlement Server
OES provides authorization for a range of platforms, including Java SE, Java EE, .NET, SOA, content management and databases.
A typical OES deployment has a Policy Administration Point (PAP), where policies are created and managed; the administration server and the management API make up the PAP. Rules and policies defined in the PAP are distributed to a Policy Decision Point (PDP), which decides whether a request for a protected resource is allowed or denied. Policies can be distributed to the PDP in the following ways:
- Push model: distribution is initiated by the OES administrator and policies are pushed to the PDP. This is the recommended model; one Policy Distribution component can serve many PDPs
- Controlled pull model: the PDP pulls policies from the policy store directly, keeps a local cache, and serves decisions from that cache when the policy store is offline
- Uncontrolled pull model: the PDP pulls policies from the policy store directly and keeps no local cache, so the policy store must be online for any authorization request to be serviced
The Policy Enforcement Point (PEP) intercepts every request for a protected resource, forwards it to the PDP and enforces the decision the PDP returns. The PEP can be the application itself or a Security Module, which combines a PEP and a PDP in one component. Whatever the distribution model, the PEP should treat a missing or failed decision as a deny, so that a policy store outage never turns into open access.
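The PAP/PDP/PEP split and the three distribution models above, as an added example written for this page: it is not OES code or the OES API, every class, method and policy name in it is an assumption, and Python is used as a neutral modelling language rather than one of the OES platform SDKs. It shows why the controlled pull model keeps a local cache, why the uncontrolled pull model needs the store online, that a fail-closed PEP turns "no decision" into a deny, and that a policy change made at the PAP reaches every PDP without redeploying the application:

```python
# Added illustrative model of the PAP / PDP / PEP split and the three policy
# distribution modes described above. It is NOT OES code or the OES API; every
# class, method and policy name here is an assumption made for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One rule: the effect a role gets for an action on a resource."""
    role: str
    resource: str
    action: str
    effect: str  # "PERMIT" or "DENY"

class PolicyStore:
    """Stand-in for the PAP's policy store; 'online' simulates availability."""
    def __init__(self):
        self.policies = []
        self.online = True
        self.push_targets = []  # PDPs that receive administrator-initiated pushes

    def add(self, policy):
        self.policies.append(policy)
        # Push model: distribution starts on the store side and reaches every
        # registered PDP; the PDPs never have to ask for it.
        for pdp in self.push_targets:
            pdp.receive(list(self.policies))

    def fetch(self):
        """Pull path used by both pull modes; fails when the store is offline."""
        if not self.online:
            raise ConnectionError("policy store offline")
        return list(self.policies)

class PDP:
    """Policy Decision Point; mode is 'push', 'controlled_pull' or 'uncontrolled_pull'."""
    def __init__(self, store, mode):
        self.store, self.mode, self.cache = store, mode, None
        if mode == "push":
            store.push_targets.append(self)
            self.receive(store.fetch())  # initial distribution at startup

    def receive(self, policies):
        self.cache = policies  # local copy used by push and controlled pull

    def _current_policies(self):
        if self.mode == "push":
            return self.cache
        if self.mode == "uncontrolled_pull":
            return self.store.fetch()  # no cache: the store must be online
        # Controlled pull: refresh when the store answers, otherwise keep
        # deciding from the last good local copy.
        try:
            self.receive(self.store.fetch())
        except ConnectionError:
            if self.cache is None:
                raise  # nothing cached yet, so no decision is possible
        return self.cache

    def decide(self, roles, resource, action):
        """Deny-overrides: a matching DENY wins, a matching PERMIT permits, else DENY."""
        matched = [p for p in self._current_policies()
                   if p.role in roles and p.resource == resource and p.action == action]
        if any(p.effect == "DENY" for p in matched):
            return "DENY"
        return "PERMIT" if matched else "DENY"

class PEP:
    """Policy Enforcement Point in front of the resource. A failed or missing
    decision is enforced as deny (fail closed): a store outage is never open access."""
    def __init__(self, pdp):
        self.pdp = pdp

    def authorize(self, roles, resource, action):
        try:
            return self.pdp.decide(roles, resource, action) == "PERMIT"
        except ConnectionError:
            return False

def run_scenario():
    """One policy set through all three modes: store online, store offline,
    then a policy change made at the PAP with no change to the application."""
    store = PolicyStore()
    store.add(Policy("teller", "/accounts/balance", "read", "PERMIT"))
    pdps = {m: PDP(store, m) for m in ("push", "controlled_pull", "uncontrolled_pull")}
    roles, resource, action = {"teller"}, "/accounts/balance", "read"
    results = {}
    for phase in ("online", "offline", "after_deny"):
        if phase == "offline":
            store.online = False
        if phase == "after_deny":
            store.online = True
            store.add(Policy("teller", resource, action, "DENY"))  # revoke at the PAP
        for mode, pdp in pdps.items():
            results[f"{mode}_{phase}"] = PEP(pdp).authorize(roles, resource, action)
    return results

if __name__ == "__main__":
    for key, allowed in run_scenario().items():
        print(f"{key:32} {'PERMIT' if allowed else 'DENY'}")
```

Running the module prints nine PERMIT/DENY lines. All three modes permit while the store is online and all three deny after the DENY rule is added at the PAP, with no change to the application code. The line to notice is `uncontrolled_pull_offline`: it comes out DENY not because any policy says so, but because the PEP fails closed when the PDP cannot reach the store, which is exactly the situation the controlled pull model's cache is there to avoid.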