Authorization is about determining which users can access which data or resources. To do that effectively, good solutions support the following:
Administration
Administration is about planning and controlling business decisions. “Administration” is usually associated with logistics and efficiency, but Authorization itself is a business decision, since it determines who has access to a company’s data and other intellectual property.
To support effective administration, an Authorization platform must include:
Network visibility: seeing all users and resources is the first step in setting access management policy.
Analysis of the solution’s decisions: understanding why the platform allows or denies access helps fine-tune it.
A testing environment: supports checking and refining the solution.
Governance: ensures that Authorization decisions are certified and recertified in accordance with general IAM principles and standards.
Decision Making
Authorization software must support the policies a company has in mind. For example, suppose a company wants to create a rule that marketing personnel can access certain files only during office hours. The company then needs a solution that supports using time of day as input for an Authorization decision.
To support effective decision making, an Authorization platform must include:
Flexible Data Module: the ability to support a variety of Authorization standards and languages with the desired granularity.
Graph Database: an interface that enables a user to create and modify policies in real time without writing any code.
Enforcement
Enforcement in this context means the ability to implement Authorization policies across an entire enterprise. This means active access governance by management to coordinate the efforts of all units that are responsible for Authorization, to “ensure compliance in a consistent, efficient and effective manner”, in the words of the Identity Management Institute. Otherwise, access policies may inadvertently vary between units of the enterprise, which could weaken security or interfere with cooperation between members of different units.
Authorization rules or policies should be able to be consumed in any of the standard languages, including eXtensible Access Control Markup Language (XACML) and Open Authorization (OAuth).
Flexible Data Module: the ability to support a variety of Authorization standards and languages with the desired granularity.
Smart Decisions: dynamic, context-aware access decisions give more options than ones based on static roles or policies that cannot vary with circumstances.
Graph Database: an interface that enables a user to create and modify policies in real time without writing any code.
Until recently, there were three main approaches to Authorization:
Access Control Lists (ACLs)
Access Control Lists (ACLs) are the oldest approach to Authorization. With ACLs, an administrator matches users to resources on a one-to-one basis.
Because only one characteristic, username, is used in Authorization decisions, ACLs provide coarse-grained Authorization.
Pros
Cons
Example of Limitations
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) involves creating roles, assigning them permission sets, and then assigning users to the roles. This approach is much more efficient than ACLs: assigning a user a role automatically gives them the correct access rights for all resources. Likewise, adding a resource to a role, or removing one from it, ensures that the change is effective for all users with that role.
Because only one characteristic, role, is used in Authorization decisions, RBAC provides coarse-grained Authorization.
Pros
Cons
Example of Limitations
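To make the ACL and RBAC descriptions above concrete, here is an added example (not code from the original page or from PlainID) with a minimal ACL store and a minimal RBAC store. It uses the page's insurance-forms scenario: salespeople may read only the forms for their own state. Because the decision input in both models is a single characteristic (username, or role), neither store takes any context such as time of day, and the "own state" requirement can only be expressed in RBAC by defining one role per state. The state codes, user names and resource names are constructed for this example.

```python
# Added example (not from the original page or from PlainID): minimal ACL and
# RBAC stores showing why a per-state access requirement forces a role per
# state. All users, resources and state codes are constructed sample data.


class AclStore:
    """Access Control List: every (user, resource) pair is an explicit entry."""

    def __init__(self):
        self._entries = {}  # (user, resource) -> set of permissions

    def grant(self, user, resource, permission):
        self._entries.setdefault((user, resource), set()).add(permission)

    def is_allowed(self, user, resource, permission):
        # The only input to the decision is the username: no role, no context.
        return permission in self._entries.get((user, resource), set())

    def entry_count(self):
        return len(self._entries)


class RbacStore:
    """Role-Based Access Control: users get roles, roles get permissions."""

    def __init__(self):
        self._role_perms = {}  # role -> set of (resource, permission)
        self._user_roles = {}  # user -> set of roles

    def define_role(self, role, resource, permission):
        self._role_perms.setdefault(role, set()).add((resource, permission))

    def assign(self, user, role):
        self._user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, resource, permission):
        # The decision depends on one characteristic: which roles the user holds.
        return any((resource, permission) in self._role_perms.get(role, set())
                   for role in self._user_roles.get(user, set()))

    def role_count(self):
        return len(self._role_perms)


# Constructed sample data: 50 state codes and three salespeople.
STATES = [f"state-{i:02d}" for i in range(1, 51)]
SALESPEOPLE = {"alice": "state-07", "bob": "state-07", "carol": "state-42"}


def build_acl(salespeople=SALESPEOPLE):
    """One ACL entry per salesperson per form set: grows with users x resources."""
    acl = AclStore()
    for user, state in salespeople.items():
        acl.grant(user, f"forms/{state}", "read")
    return acl


def build_per_state_rbac(salespeople=SALESPEOPLE, states=STATES):
    """RBAC cannot express 'your own state' as a rule, so it needs one role
    per state: 50 'salesperson-<state>' roles for a single job function."""
    rbac = RbacStore()
    for state in states:
        rbac.define_role(f"salesperson-{state}", f"forms/{state}", "read")
    for user, state in salespeople.items():
        rbac.assign(user, f"salesperson-{state}")
    return rbac


def add_form_to_state(rbac, state, form_name):
    """The RBAC advantage from the text: change the role once and every user
    holding that role picks up the new resource."""
    rbac.define_role(f"salesperson-{state}", f"forms/{state}/{form_name}", "read")
    return rbac


if __name__ == "__main__":
    acl = build_acl()
    rbac = build_per_state_rbac()
    print("ACL entries:", acl.entry_count())   # 3, one per salesperson
    print("RBAC roles:", rbac.role_count())    # 50, one per state
    add_form_to_state(rbac, "state-07", "renewal")
    for user in ("alice", "bob", "carol"):
        print(user, rbac.is_allowed(user, "forms/state-07/renewal", "read"))
```

The `is_allowed` signatures are the point: there is nowhere to pass a location or a clock, so a rule like "only during office hours" cannot be written in either model, and the RBAC store ends up with as many roles as there are states.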
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) does not use roles. Instead, it uses multiple characteristics or attributes, such as a user’s location or the time of day, to determine whether or not to allow access to a resource. For example, an ABAC solution might grant an employee access to a sensitive document during work hours, but not at 2 AM.
Because it can base Authorization decisions on multiple factors, including time of day, ABAC is a “fine-grained” access management solution that works at run-time.
Pros
Cons
Example of Limitations
Beyond ACLs, RBAC, and ABAC
Despite the strengths of these Authorization methods, we can see that they have important limitations.
All of these problems are solved by Policy-Based Access Control (PBAC) solutions, especially PlainID’s Policy Manager.
PlainID offers a better solution to Authorization using Policy-Based Access Control (PBAC).
PBAC is the cutting-edge approach to access management, offering a hybrid of RBAC and ABAC’s strongest features. Or as KuppingerCole put it, “PBAC can be considered the harmonization and standardization of the ABAC and RBAC models at an enterprise level.”
PBAC uses attributes to support fine-grained Authorization but also supports creating universal policies when needed. Such policies are often needed for compliance issues. At the same time, PBAC supports the convenience of roles but uses them as a single attribute in policy statements. This allows granting roles different access rights depending on circumstances.
PBAC solves two of the most pressing Authorization issues: the advent of the cloud and mobility.
PBAC solves these problems by enabling businesses to set dynamic access-time policies according to the physical or logical location of the user and other factors.
PBAC also makes compliance with regulations such as GRC and GDPR easier by segregating data access, controlling access creep, and even preventing authorized users from accessing data in a risky manner.
Because PBAC supports both roles and attributes, it is relatively easy to switch to it from either RBAC or ABAC. Here are a few tips that will make your transition easier:
1. Gather the “building blocks” for your policies:
The data and definitions you are currently using as input for Authorization decisions are the “building blocks” of policies. These typically include:
Note to RBAC users:
In both this step and the next, keep an eye out for roles you can consolidate by using other attributes to distinguish between them instead of needing separate
2. Identify existing policies and create new ones:
PBAC supports XACML, OAuth, and other protocols and languages.
Note to ABAC users:
It is often possible to consolidate existing ABAC rules into a smaller set of policies.
3. Test and verify your policies
IAM managers have been facing increasing problems in the past few years. Some of these problems are caused by changes in technology and their effects on Authorization. Others are related to the way Authorization has been implemented in the field.
PlainID’s PBAC platform solves both of these challenges. In the previous section, we discussed how PBAC solves problems related to the cloud and to mobility. Here we discuss how Smart Authorization solves the implementation issues.
One of the most common phenomena in RBAC systems is “role explosion”. Role explosion occurs when a company creates very specific roles to cover every possible set of permissions needed. As network resources grow, not only do existing roles get more complicated, but new ones get added.
PlainID recently solved this and other problems for a client we’ll call “Company A”. Company A began with over 1,000 individual roles. The IT team managing them was overwhelmed, to say the least.
As it does with all clients, PlainID used PBAC’s policy creation features and its use of attributes to reduce the number of roles significantly. By using attributes such as location and the time of access requests as input, PlainID was able to make each basic role more flexible. For example, for an American client, instead of having 50 roles for insurance salespeople to access the forms relevant to their state, PlainID could create one role called “salesperson” and use another attribute, “state”, to link salespeople with their state.
PlainID made the process simpler by first making the entire system visible. This made it much easier to match users to data. By the time PlainID’s PBAC platform went live, Company A had approximately 50 roles instead of 1,000!
The result was a set of flexible, dynamic, fine-grained Authorization policies that could be altered at run-time, if needed. By making access management simpler, PBAC saved the company thousands of dollars in IT costs, while freeing up days, if not months, of the team’s time. Moreover, using PBAC enabled management to take over access management decision-making.
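The ABAC and PBAC sections above, the office-hours rule from the Decision Making section, and the Company A role consolidation all describe the same mechanism: decisions are made from attributes, with a role being just one of them. Here is an added example (not code from the original page or from PlainID) of a small policy engine in that style. One policy replaces the 50 per-state salesperson roles, a time-of-day condition expresses the marketing office-hours rule, a universal compliance policy applies regardless of role, and every decision returns the reasons behind it, which is what the "analysis of the solution's decisions" and "testing environment" items call for. The policy names, attribute names and sample subjects, resources and contexts are all constructed for this example; the deny-overrides combining rule is a common choice, not something the page specifies.

```python
# Added example (not from the original page or from PlainID): a small
# policy-based (PBAC) engine. Role is one attribute among others, one policy
# covers all 50 states, a universal deny policy applies to everyone, and each
# decision carries its reasons. Names and sample data are constructed.
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, context)


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str          # "permit" or "deny"
    condition: Condition


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]   # which policies matched; supports the 'why' analysis


class PolicyEngine:
    """Deny-overrides combining (an assumption of this example): a matching
    deny beats any permit, and with no matching policy the default is deny."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def decide(self, subject: Attrs, resource: Attrs, context: Attrs) -> Decision:
        permits = [p.name for p in self.policies
                   if p.effect == "permit" and p.condition(subject, resource, context)]
        denies = [p.name for p in self.policies
                  if p.effect == "deny" and p.condition(subject, resource, context)]
        if denies:
            return Decision(False, [f"deny: {n}" for n in denies])
        if permits:
            return Decision(True, [f"permit: {n}" for n in permits])
        return Decision(False, ["no policy matched (default deny)"])


def build_engine() -> PolicyEngine:
    return PolicyEngine([
        # One policy for every state: role is an attribute, state is another.
        Policy("salesperson-own-state-forms", "permit",
               lambda s, r, c: s.get("role") == "salesperson"
               and r.get("type") == "insurance-form"
               and r.get("state") == s.get("state")),
        # The office-hours rule from the text: time of day is a context attribute.
        Policy("marketing-office-hours", "permit",
               lambda s, r, c: s.get("role") == "marketing"
               and r.get("type") == "marketing-file"
               and time(9, 0) <= c["time"] < time(18, 0)),
        # A universal compliance policy that applies regardless of role.
        Policy("sensitive-data-corporate-network-only", "deny",
               lambda s, r, c: r.get("classification") == "sensitive"
               and not c.get("corporate_network", False)),
    ])


def run_test_cases(engine, cases):
    """Testing-environment check: return the cases whose outcome differs
    from what the policy author expected, with the engine's reasons."""
    return [(label, engine.decide(s, r, c).reasons)
            for label, s, r, c, expected in cases
            if engine.decide(s, r, c).allowed != expected]


# Constructed sample subjects, resources and contexts.
ALICE = {"id": "alice", "role": "salesperson", "state": "state-07"}
DAVE = {"id": "dave", "role": "marketing"}
FORM_07 = {"type": "insurance-form", "state": "state-07", "classification": "internal"}
FORM_08 = {"type": "insurance-form", "state": "state-08", "classification": "internal"}
CAMPAIGN = {"type": "marketing-file", "classification": "sensitive"}
OFFICE = {"time": time(10, 30), "corporate_network": True}
NIGHT_HOME = {"time": time(2, 0), "corporate_network": False}

CASES = [
    ("own state form", ALICE, FORM_07, OFFICE, True),
    ("other state form", ALICE, FORM_08, OFFICE, False),
    ("marketing in office hours", DAVE, CAMPAIGN, OFFICE, True),
    ("marketing at 2 AM off network", DAVE, CAMPAIGN, NIGHT_HOME, False),
]

if __name__ == "__main__":
    engine = build_engine()
    for label, s, r, c, _ in CASES:
        d = engine.decide(s, r, c)
        print(f"{label:32} allowed={d.allowed} reasons={d.reasons}")
    print("mismatches:", run_test_cases(engine, CASES))
```

Three policies cover what needed 50 roles plus ad hoc exceptions before, and adding a state or an office means changing data, not policy. The reasons list is what an administrator looks at when a decision is surprising, and `run_test_cases` is the minimal form of the testing environment the page asks for: a set of expected outcomes that is re-run whenever a policy changes.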
In the past, this area was so complex that it was run by IT. But Authorization is really a business decision: determining who has access to which data is one of the most important decisions a company will make. PBAC enables you to set access management policies via an easy-to-use user interface without writing a single line of code.
The PBAC Platform’s support of management includes approval and audit functions. You can configure the software to require a manager’s approval before implementing any change of access management policy. The platform’s record-keeping abilities enable you to perform audits and generate reports of their findings.
PlainID’s PBAC platform is the ideal Authorization solution for enterprises and SaaS providers. Its PBAC-based solution offers fine-grained access management that is both extremely flexible and easy to use. It is designed to integrate with any environment, support all manner of access points, and safeguard your data in all scenarios, including B2B usage.
PlainID’s PBAC platform is ready for today’s challenges — and tomorrow’s.
Ready to find out more? Click the button below to schedule a demo with a member of the PlainID team, or check out the PlainID Summary Brief.