Most organizations are still running legacy systems with built-in authorization logic. Often a single organization has a large number of information systems and applications, each of which authorizes access in its own way. Today, authorization has become more complex, because users both inside and outside the organization need access to shared data and need to collaborate efficiently. As a result, it has become very hard to manage these legacy, custom authorization systems. So how could we find a solution to address this?
When we think about a traditional authorization system, it would mostly look as follows:
- authorization logic is hard coded into the program source code
- authorization logic is stored in a database that can only be read and understood by the underlying application
Following are some of the goals that organizations today expect from an authorization system. Let's see whether we can achieve them with a traditional authorization system.
1. Can business managers (who should determine how access controls are implemented) define and modify authorization logic?
2. Can we find new IT technicians to manage these legacy systems, especially when the people who developed the system have left the organization?
-> Therefore we need a standardized approach to authorization.
3. Can authorization logic be modified dynamically, without any source code changes?
-> Therefore we need a policy-based approach to authorization.
4. Is the authorization system capable of evaluating the following rule? "Resource X can be accessed by users who are from the example.com domain and whose age is greater than 21 years."
-> Therefore we need an attribute-based approach to authorization rather than the traditional user-based or role-based approaches.
5. If we are going to implement a new information system within the organization, can we reuse the authorization logic of a legacy system?
-> Therefore we need an externalized approach to authorization.
6. Can we achieve fine-grained authorization without defining a large number of static combinations?
-> Therefore we need fine-grained authorization with a higher level of abstraction.
7. Is the authorization system capable of answering questions like the following? "Can user Bob transfer amount X from current account Y at 1.00 pm?"
-> Therefore we need dynamic authorization, evaluated in real time.
As we can see, the above goals cannot be achieved with a traditional authorization system. But an XACML (eXtensible Access Control Markup Language) based authorization solution would probably meet all of these goals, because XACML:
- is a standard ratified by the OASIS standards organization
- is a policy language implemented in XML
- supports Attribute Based Access Control (ABAC), and evaluation can use additional data retrieved from the Policy Information Point (PIP) defined by the XACML reference architecture
- has a reference architecture that externalizes the authorization system: the Policy Decision Point (PDP) offers authorization as a service in your infrastructure, authorization algorithms can be removed from the application logic, and applications query the PDP via their own Policy Enforcement Points (PEPs)
- provides fine-grained authorization with a higher level of abstraction by means of policies and rules
- supports dynamic evaluation of policies by using the Policy Information Point (PIP)