Sunday, October 24, 2010

Policy based access control-part 1

This is going to be my first post on this subject. I got interested in it after attending an informative webinar on Policy based access control with XACML. I am also an amateur in this field and hope to post rich content in the future.

Identity management in organizations has been evolving over the past years. At first, authentication for different applications was managed separately. Then it became centralized identity management, where many applications in the organization authenticated users against a central user store such as an LDAP directory. The requirement to allow or restrict different users' access to different resources based on organizational and business rules was also earlier addressed by project-specific solutions such as Role Based Access Control (RBAC) and Access Control Lists (ACLs). Those mechanisms lack interoperability and flexibility.

Policy based access control (PBAC) can be used instead; it allows access rules to be defined as policies that are easily updated as the rules change. When organizations grow larger and many large-scale distributed applications access resources, it is better to manage these policies at a central location in order to preserve consistency and grant access to users from there. Policy based access control with XACML is increasingly becoming popular as a solution to address such requirements.

It is important to note that XACML is a flexible and powerful authorization policy expression language, but not a policy model or concept of its own. PBAC solutions based on XACML have three main parts, as follows:
  1. Reference Architecture
  2. Request/Response protocol
  3. Policy Language
I plan to discuss each of the above in detail in my future posts on the subject.
