By identity on Oct 05, 2009
This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.
One might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine grained authorization is like granting access to each individual attraction within the amusement park separately, based on some sort of policy. Following this analogy, the most common method of Identity Management Authorization is like a full-day pass to Disneyland granting access to the front gate as well as every ride in the park. Similarly, simple Identity Management authorization allows access to all functions within an application.
However, a trend is growing towards using standards-based, fine grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities. For example, one user could be granted access to only simple data browsing privileges, while another user could be grated data creation or edit privileges, as determined by a policy stored in XACML format. The definition and enforcement of this fine-grained authorization would be externalized from the application itself.
At the present time, fine grained authorization is desirable but difficult to implement. It appears to be easier to define and control policies in an Identity system than changing each application to rely on an external system for authorization policy.
Much is being discussed about policy management standards (e.g. XACML). Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.
As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:
- Which of your applications could benefit most from fine-grained authorization?
- How would externalizing policy management and enforcement streamline your applications?
- How could standards such as XACML improve the management of security and access control policies in you organization?