Externalizing Fine-grained Authorization

With the rise in compliance considerations, organizations must ensure that access to application functions, as well as to data, is properly authorized. Having entitlement logic hard-wired into the application leads to the following issues:

  • Applications bear almost one-fourth of their code related to authorization
  • Applications require redeployment if the authorization conditions change over time
  • Authorization rules imposed by different applications in an organization are not coherent in design and implementation, which makes it hard to enforce corporate standards across the board

Oracle Entitlement Server (OES) is one solution for externalizing authorization, freeing applications from defining and implementing authorization policies themselves.

A centralized authorization solution lets authorization services be reused to control multiple applications, while making it easier for the policy administrator to define policies in a single place and to ensure they abide by the organization's compliance and regulatory requirements. It helps the organization review its entitlements and their accuracy against a corporate standard. Applications no longer need to be modified or redeployed to adhere to a new policy standard.

Overview of Oracle Entitlement Server

OES provides authorization for a range of platforms, including Java SE, Java EE, .NET, SOA, content management and databases.

A typical OES model includes a Policy Administration Point (PAP), where policies are created and managed; the administration server and the management API represent the PAP. Rules and policies defined in the PAP are distributed to a Policy Decision Point (PDP), where the decision is made whether to allow or deny a request to a protected resource. Policies can be distributed to the PDP in the following ways:

  • Push model – distribution of policies is initiated by the OES administrator and pushed to the PDP. This is the recommended model; in it the Policy Distribution component can communicate with many PDPs
  • Controlled pull model – the PDP pulls policies directly from the policy store. It maintains a local cache and uses it when the policy store is offline
  • Uncontrolled pull model – the PDP pulls policies directly from the policy store and does not maintain a local cache; the policy store must be online to service authorization requests

The Policy Enforcement Point (PEP) intercepts any authorization request to a protected resource, passes it to the PDP and enforces the decision received from the PDP. The PEP can be the application itself or a security module (a combination of PEP and PDP).
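To make the PAP / PDP / PEP split and the three distribution models concrete, here is a small added toy model (example code, not OES and not the post's own); the class names, the clerk role and the /accounts resource are hypothetical. It shows what each PDP mode answers once the policy store goes offline, which is the practical difference between controlled and uncontrolled pull.

```python
# Added toy model of PAP / PDP / PEP and the three distribution modes (not OES code; names hypothetical).
ALLOW, DENY = "allow", "deny"
class PolicyStore:
    """PAP-side policy store: (role, resource, action) -> decision. Can go offline."""
    def __init__(self, rules):
        self.rules, self.online = dict(rules), True
    def read(self):
        if not self.online:
            raise ConnectionError("policy store offline")
        return dict(self.rules)
class PDP:
    """Policy Decision Point; mode is 'push', 'controlled_pull' or 'uncontrolled_pull'."""
    def __init__(self, store, mode):
        self.store, self.mode, self.cache = store, mode, None
    def receive_push(self, rules):             # push model: administrator-initiated distribution
        self.cache = dict(rules)
    def current_rules(self):
        if self.mode == "push":
            return self.cache or {}
        if self.mode == "uncontrolled_pull":   # no local cache: the store must be online
            return self.store.read()
        try:                                   # controlled pull: refresh the cache while store is up
            self.cache = self.store.read()
        except ConnectionError:
            if self.cache is None:             # never synced and store down: cannot decide
                raise
        return self.cache
    def decide(self, roles, resource, action):
        rules = self.current_rules()           # default deny for anything not explicitly allowed
        return ALLOW if any(rules.get((r, resource, action)) == ALLOW for r in roles) else DENY
def enforce(pdp, roles, resource, action, fn):
    """PEP: intercept the call, ask the PDP, enforce its answer."""
    if pdp.decide(roles, resource, action) != ALLOW:
        raise PermissionError(f"{action} on {resource} denied")
    return fn()

def outage_behaviour():
    """Each mode's answer for a clerk reading /accounts once the policy store goes offline."""
    store = PolicyStore({("clerk", "/accounts", "read"): ALLOW})
    pdps = {m: PDP(store, m) for m in ("push", "controlled_pull", "uncontrolled_pull")}
    pdps["push"].receive_push(store.read())
    pdps["controlled_pull"].decide(["clerk"], "/accounts", "read")   # warms its local cache
    store.online = False
    out = {}
    for mode, pdp in pdps.items():
        try:
            out[mode] = enforce(pdp, ["clerk"], "/accounts", "read", lambda: "ok")
        except ConnectionError:
            out[mode] = "unavailable"
    return out
```

Calling outage_behaviour() shows push and controlled pull still serving decisions from their local copy, while uncontrolled pull cannot answer at all until the store is back.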
