Advisory Note
Mastering authorization is critical for modern organizations with multiple user constituencies, applications, and data types. Groups are necessary but not sufficient in complex environments. Roles are handy for adding manageability and assurance to coarse- or medium-grained authorization but break down in the face of dynamic environments or complex access policies. Attribute-based access control (ABAC) has gained adherents, but is in fact just another piece of the puzzle. In this note, KuppingerCole will unfold the dimensions of a unified authorization framework incorporating all of the above and more.

1 Management Summary

Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and information security alike. To be successful, organizations must address authorization through a holistic architecture. In this note, KuppingerCole breaks the problem down into three dimensions: governance and admin-time authorization, access policy models, and runtime authorization.

Admin-time policy management and runtime policy enforcement must meet in the middle with policy models for groups, RBAC, ABAC, entitlements, and policy expressions (or rules). As their architecture, organizations must create a unified authorization framework that spans the three dimensions and often requires hybrids of all the policy models. Herein, KuppingerCole provides frameworks, models, decision trees, and recommendations to get started.
