Enterprise Authorization Framework

Authorization frameworks comprise run-time policy enforcement, administration-time policy models, and IAM governance. Groups are the dominant policy model in the enterprise today. Easy to manage from the bottom up, the problem is that groups tend to sprawl. Turning to RBAC, some organizations have a good set of positional roles, but others don't. Either way, RBAC easily succumbs to role proliferation if practicioners layer too many special cases and exceptions onto the model. Fortunately, dynamic authorization - also known as attribute-based access control (ABAC) - has the potential to blend roles, groups, and attributes from subjects, resources, and context into a unified model.

Key Takeaways:

• Good practices for RBAC
• The RBAC/ABAC continuum – it’s not either or, it’s about both approaches
• Don't hype the "ABAC" - success stories, pitfalls, and lessons learned
• Where Dynamic Authorization Management fits in: Not only Policy Servers, but Adaptive Authentication, API & XML Gateways, Web Access Management, and more
• Create "economies of context" through well-designed identity object models and application taxonomies
• Cloud-friendly patterns, tokens, and security considerations
• “Dynamic Provisioning” of static (RBAC-based) ACLs: A real alternative?
• Sample decision trees for a unified authorization framework