Extensible Authorization
Information security strategies have in the past often been based on a "need-to-know" paradigm. In practice, this means restricting the availability of sensitive information to those authorized users within the enterprise who would be unable to do their jobs unless granted access. Today, many organizations find the "need-to-share" to be more urgent: users within as well as outside the organization need access to shared data to collaborate efficiently. With the Internet, potential new user populations also grow immensely, and managing access for these users becomes an overwhelming task. The corresponding shift in requirements makes authorization even more complex than it used to be. A new generation of technologies capable of handling the elaborate requirements of these new real-world scenarios is required.

Authorization techniques are used to control user permissions. Authorization processes return a short and simple decision: PERMIT or DENY. Reaching that decision, however, may require intricate reasoning to determine who should be granted access to what, and why, when and how, in a way that is compliant with corporate policies. Logic and language are the primary tools for human reasoning. Authorization technology should ideally be as versatile and flexible as the language of an intelligent and logically reasoning individual. "Now, Bob wants to approve payment of invoice 02350. Should he be allowed to do so considering our corporate attestation rules mandating...?" This is what Extensible Authorization solutions from Axiomatics are all about. At the core the eXtensible Access Control Markup Language (XACML) is used, which allows us to mimic the expressiveness of human language and reasoning for two essential purposes, namely to express:
Extensible reflects the XML inheritance of the core language used. Furthermore, it refers to the integration capabilities of Axiomatics Policy Server. In addition to logic and reasoning you also need knowledge: What is known about the user asking to be granted access? About the resource to which access is requested? About the impact of the action intended? About the current context in which access is requested? Once we have this information we can evaluate the access request against the policies and rules defined; this is policy-based access control.

To gather the necessary knowledge, you need to integrate with the existing information systems where the answers to all these questions reside. Authorization solutions from Axiomatics come with extensible connectivity via efficient Policy Information Points (PIP). Attributes describing the user, the resource, the action and the context provide the decision engine with the knowledge needed for informed decision making; this is attribute-based access control.

Finally, decisions need to be enforced on many different levels and in a broad variety of information systems. Authorization solutions from Axiomatics are extensible also in the sense that they support deployment scenarios via efficient Policy Enforcement Points (PEP) integrating information systems with a centrally maintained Policy Decision Point (PDP).
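To make the PEP/PDP/PIP flow and the invoice-approval question from the text concrete, here is an added example in Python that is not Axiomatics code and not a real XACML engine. It models the three roles the page names: the PEP forms a request for subject, resource, action and context, PIPs enrich it with attributes from (constructed) user and invoice stores, and the PDP evaluates a small deny-overrides policy and returns Permit, Deny or NotApplicable. The user names, invoice data, approval limits, the separation-of-duties rule and the network-context rule are all assumptions made for illustration; the page only says that attestation rules exist, not what they are.

```python
"""Attribute-based access control (ABAC) walk-through modelled on the
XACML roles the page describes: PEP (enforcement), PDP (decision) and
PIP (attribute lookup).  Everything below is a constructed example and
an assumption for illustration, not Axiomatics code or a real XACML
implementation."""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# --- PIPs: constructed attribute sources standing in for HR / ERP systems ---
USER_DIRECTORY = {                      # constructed sample data
    "bob":   {"role": "manager", "approval_limit": 5000},
    "alice": {"role": "clerk",   "approval_limit": 0},
}
INVOICE_LEDGER = {                      # constructed sample data
    "02350": {"amount": 3200, "created_by": "alice"},
    "02351": {"amount": 9000, "created_by": "bob"},
}


def pip_subject(user_id):
    """PIP: attributes about the user (empty dict if unknown)."""
    return USER_DIRECTORY.get(user_id, {})


def pip_resource(invoice_id):
    """PIP: attributes about the resource (empty dict if unknown)."""
    return INVOICE_LEDGER.get(invoice_id, {})


@dataclass
class Request:
    """The four XACML attribute categories: subject, resource, action, environment."""
    subject: dict
    resource: dict
    action: dict
    environment: dict = field(default_factory=dict)


@dataclass
class Rule:
    effect: str        # PERMIT or DENY
    condition: object  # callable(Request) -> bool; True means the rule applies


def deny_overrides(rules, req):
    """Simplified XACML deny-overrides combining: any applicable Deny wins,
    otherwise Permit if any rule permits, otherwise NotApplicable."""
    result = NOT_APPLICABLE
    for rule in rules:
        if rule.condition(req):
            if rule.effect == DENY:
                return DENY
            result = PERMIT
    return result


# Constructed policy for the "approve invoice" action (assumed rules).
APPROVE_INVOICE_POLICY = [
    # Managers may approve invoices up to their personal approval limit.
    Rule(PERMIT, lambda r: r.action["id"] == "approve"
         and r.subject.get("role") == "manager"
         and r.resource.get("amount", float("inf")) <= r.subject.get("approval_limit", 0)),
    # Separation of duties: nobody approves an invoice they created themselves.
    Rule(DENY, lambda r: r.action["id"] == "approve"
         and r.resource.get("created_by") == r.subject.get("id")),
    # Context rule: approvals are not allowed from outside the corporate network.
    Rule(DENY, lambda r: r.action["id"] == "approve"
         and r.environment.get("network") == "external"),
]


def pdp_decide(req):
    """PDP: evaluate the request against the policy."""
    return deny_overrides(APPROVE_INVOICE_POLICY, req)


def pep_enforce(user_id, action_id, invoice_id, environment=None):
    """PEP: build the request, enrich it via PIPs, ask the PDP, and treat
    anything other than an explicit Permit as a denial (fail closed).
    Returns (allowed, raw_decision)."""
    req = Request(
        subject={"id": user_id, **pip_subject(user_id)},
        resource={"id": invoice_id, **pip_resource(invoice_id)},
        action={"id": action_id},
        environment=environment if environment is not None else {"network": "internal"},
    )
    decision = pdp_decide(req)
    return decision == PERMIT, decision


if __name__ == "__main__":
    # "Now, Bob wants to approve payment of invoice 02350."
    print(pep_enforce("bob", "approve", "02350"))    # (True, 'Permit')
    print(pep_enforce("bob", "approve", "02351"))    # Bob created it: (False, 'Deny')
    print(pep_enforce("carol", "approve", "02350"))  # unknown user: (False, 'NotApplicable')
```

The point worth noticing is the PEP's last line: NotApplicable (no rule matched, for example an unknown user the PIP could not describe) is mapped to a denial rather than being passed through, so a missing attribute never silently turns into access. In real XACML the combining algorithms also handle Indeterminate results from evaluation errors; this simplified version treats an unmatched rule as not applicable.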