eXtensible authorization

Externalized

The XACML reference architecture suggests externalizing authorization from individual information systems. This is well aligned with a general shift in IT architectures. Not too long ago, business applications came with their own login mechanisms and user management schemes. Users had to log in to each application separately. Today, we expect information systems to be capable of handling authentication against a central LDAP or Identity Management service and to support common Single Sign-on techniques. User administration has been centralized to an identity management service and externalized from the individual applications.

Authorization follows immediately after authentication. Once the identity of the user has been established through authentication, authorization decisions determine what that user may do within the information system.

Whereas user administration and authentication have already been widely centralized, authorization still mostly remains embedded within the application logic of individual applications. With XACML and attribute based access control (ABAC), however, we finally have a standard that makes it possible to streamline and externalize authorization as well.

Externalizing authorization brings many advantages, such as:

  • Policies can be consistently enforced across many applications / information systems, since all of them use the same, standards-based authorization scheme
  • When corporate policies change, you don't have to change configurations in individual applications but can do it from one central point
  • Application development speed can be increased and the time-to-market for new services reduced


However, externalizing in the sense of forwarding every authorization request to a separate, remote service is not always ideal: each decision then costs a network round trip and depends on that service being reachable. In some instances you may want to keep authorization embedded within the application itself, while still getting the advantages of XACML and ABAC. Axiomatics delivers Policy Decision Point (PDP) components that run in-process with the Policy Enforcement Point (PEP), which in turn is an integrated part of the application. Furthermore, the Axiomatics PDP is available for both Java and .NET environments, and can thus be embedded in almost any type of application.

Even in deployment scenarios where you run an embedded PDP, the authorization logic remains externalized from the application code: policies are authored and managed centrally, and you can use various procedures to push updated policies from that central point to the deployed PDPs at regular intervals.
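The following is an added illustration of the architecture described above: an in-process PDP that evaluates XACML-style attribute requests, a PEP inside the application that builds the request and enforces the decision, and a refresh hook that loads a newer policy version from a central store. It is not Axiomatics' code and not a XACML implementation; the policy format, the `refresh_from_central` function, the in-memory `CENTRAL_POLICY_STORE` and the sample medical-records attributes are all constructed for this example. Only the attribute category names (AccessSubject, Resource, Action, Environment) follow XACML conventions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# XACML-style request: attribute category -> attribute id -> value.
Request = Dict[str, Dict[str, Any]]


def attr(request: Request, category: str, attribute_id: str) -> Any:
    """A missing attribute raises KeyError; the PDP maps that to Indeterminate
    instead of silently treating the condition as False."""
    return request[category][attribute_id]


@dataclass
class Rule:
    effect: str                            # PERMIT or DENY
    condition: Callable[[Request], bool]   # evaluated over the request's attributes
    description: str = ""


@dataclass
class Policy:
    version: str
    target: Callable[[Request], bool]      # which requests this policy applies to at all
    rules: List[Rule]
    combining: str = "deny-overrides"


def combine(algorithm: str, decisions: List[str]) -> str:
    """Simplified deny-overrides / permit-overrides (real XACML also
    distinguishes Indeterminate{D}, {P} and {DP}; omitted here)."""
    first, second = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if first in decisions:
        return first
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return second if second in decisions else NOT_APPLICABLE


class PolicyDecisionPoint:
    """In-process PDP: evaluates requests against the currently loaded policy."""

    def __init__(self, policy: Policy) -> None:
        self._policy = policy

    @property
    def policy_version(self) -> str:
        return self._policy.version

    def load_policy(self, policy: Policy) -> None:
        self._policy = policy  # reference swap; in-flight evaluations keep the old object

    def evaluate(self, request: Request) -> str:
        policy = self._policy
        try:
            if not policy.target(request):
                return NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE
        decisions = []
        for rule in policy.rules:
            try:
                if rule.condition(request):
                    decisions.append(rule.effect)
            except KeyError:
                decisions.append(INDETERMINATE)
        return combine(policy.combining, decisions)


class PolicyEnforcementPoint:
    """Application-side PEP: builds the request, asks the PDP, and fails closed."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self._pdp = pdp

    def is_permitted(self, subject: Dict[str, Any], resource: Dict[str, Any],
                     action: str, environment: Dict[str, Any] = None) -> bool:
        request: Request = {"AccessSubject": subject, "Resource": resource,
                            "Action": {"action-id": action}, "Environment": environment or {}}
        # Deny-biased PEP: NotApplicable and Indeterminate are not Permit, so access is refused.
        return self._pdp.evaluate(request) == PERMIT


def _is_record(r: Request) -> bool:
    return attr(r, "Resource", "resource-type") == "medical-record"


# Constructed sample policy, version 1.
POLICY_V1 = Policy("1", _is_record, [
    Rule(PERMIT, lambda r: attr(r, "AccessSubject", "role") == "doctor"
         and attr(r, "AccessSubject", "department") == attr(r, "Resource", "department"),
         "doctors may access records of their own department"),
    Rule(PERMIT, lambda r: attr(r, "AccessSubject", "subject-id") == attr(r, "Resource", "patient-id")
         and attr(r, "Action", "action-id") == "read", "patients may read their own record"),
    Rule(DENY, lambda r: attr(r, "Action", "action-id") == "delete"
         and attr(r, "AccessSubject", "role") != "records-admin", "only records admins may delete"),
])

# Version 2, published centrally later: same rules plus a network-zone restriction on writes.
POLICY_V2 = Policy("2", _is_record, POLICY_V1.rules + [
    Rule(DENY, lambda r: attr(r, "Action", "action-id") != "read"
         and attr(r, "Environment", "network-zone") != "internal", "writes only from the internal network"),
])

# Constructed stand-in for the central policy store; a real deployment would fetch over HTTP etc.
CENTRAL_POLICY_STORE = {"1": POLICY_V1, "2": POLICY_V2}
LATEST_VERSION = "2"


def refresh_from_central(pdp: PolicyDecisionPoint, store: Dict[str, Policy], latest: str) -> bool:
    """Hypothetical periodic refresh: load the latest version if the PDP is behind."""
    if pdp.policy_version == latest:
        return False
    pdp.load_policy(store[latest])
    return True
```

Two points worth noting: the PEP treats anything other than Permit as a refusal, so a policy that does not cover a request, or a request missing an attribute a rule needs, never grants access by accident; and the policy refresh only replaces the policy object the PDP holds, so the application code that calls `is_permitted` does not change when the central policy does.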