In today's globally connected world the potential of secure information sharing must be harnessed in order to optimize a competitive advantage. Fine-grained access control is a prerequisite if you want to achieve this.

Hotel guests do not get keys to all the rooms; if they did, hardly anyone would stay the night. The software industry struggles to achieve the same level of fine-grained authorization. "Guests" are granted broad permissions and off they go, all with the same basic access rights. At the same time, bank clerks are able to view accounts of customers to whom they have no relation, medical staff members are able to view records of patients they do not know, and so on. Fine-grained authorization, however, provides previously unattainable levels of access control.

Access based on authorization, not technology

Today, access permissions for business-critical data are often based on what is technically feasible and manageable rather than on what authorization each individual user should actually have. The result: permissions that are either too permissive or too restrictive. With traditional techniques it is practically impossible to achieve such authorizations, due to either technical limitations or the administrative burden it would imply.

Fine-grained authorization

The new generation access control offered by Axiomatics changes this overnight. Rather than depending on technicalities of individual applications, access controls are implemented based on policies maintained at a central point. These policies express the exact authorization of users and under what conditions they remain valid. They are then enforced consistently across all applications.

Fine-granular authorization can mean different things in different scenarios – for instance:

  • You gain access to ALL of the data provided multiple conditions are met – complex business rules reflected in fine-granular policy conditions. An example would be a risk-mitigating policy addressing Segregation of Duties (SoD) requirements: You can run transaction A provided you did not previously run transaction B.
  • You gain access to SOME of the data based on requirements for multi-dimensional filtering of sensitive information. An example would be a record set retrieved from a database in which sensitive information such as social security numbers or financial data is filtered out for clients to which the current user does not have a relation that motivates disclosure.
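
The two scenarios above, sketched as an added example (not Axiomatics code and not XACML syntax): one central decision function enforces the SoD rule, another masks sensitive fields for clients the user has no relation to. All user names, attributes and records are constructed, and the function names are hypothetical.

```python
# Toy policy decision point; every name and value here is constructed.
SENSITIVE_FIELDS = {"ssn", "balance"}

# Attribute sources: transactions each user already ran, and client relations.
HISTORY = {"alice": {"B"}, "bob": set()}
RELATIONS = {"alice": {"c1"}, "bob": {"c1", "c2"}}
RECORDS = [
    {"client": "c1", "name": "Acme", "ssn": "000-00-0001", "balance": 1200},
    {"client": "c2", "name": "Globex", "ssn": "000-00-0002", "balance": 560},
]

# Segregation of Duties: transactions that must not be run by the same user.
SOD_CONFLICTS = {"A": {"B"}, "B": {"A"}}


def decide_transaction(user, transaction):
    """Permit only if the user never ran a conflicting transaction."""
    if user not in HISTORY:
        return "Deny"  # no attributes for this subject: fail closed
    if HISTORY[user] & SOD_CONFLICTS.get(transaction, set()):
        return "Deny"
    return "Permit"


def filter_records(user, records):
    """Return every record, masking sensitive fields for unrelated clients."""
    related = RELATIONS.get(user, set())
    filtered = []
    for rec in records:
        if rec["client"] in related:
            filtered.append(dict(rec))  # copy, so callers cannot alter the source
        else:
            filtered.append({k: ("***" if k in SENSITIVE_FIELDS else v)
                             for k, v in rec.items()})
    return filtered


if __name__ == "__main__":
    print(decide_transaction("alice", "A"), decide_transaction("bob", "A"))
    for row in filter_records("alice", RECORDS):
        print(row)
```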

Fine-granular authorization enables information sharing

Without the ability to restrict availability based on complex business rules or multi-dimensional filtering requirements, options and opportunities become limited. Information will be safely archived but of little use. Users who would benefit and contribute to overall business objectives if they could be granted access under given circumstances are naturally not as effective as they could be. The long and short of it is that resources are not fully utilized, which can have a detrimental effect on your organization over time.

Conversely, acquiring the ability to present information with multi-dimensional and fine-granular filtering based on authorization requirements enables new opportunities for information sharing.

The XACML Value Proposition

Cost savings may not be your primary reason to look for standards-based and fine-grained access control. It is, however, a predominant side-effect. Once you achieve secure information sharing you also enable new business opportunities.

Standards-based solutions

Cloud, mobile computing, multiple user identities, etcetera, are all factors that, in the past, required an individual approach to access control. With XACML, standards-based authorization solutions can now encompass virtually any technology.

Trusted solutions provider

Axiomatics solutions can be found in use at leading global entities within finance, manufacturing, healthcare, and the public sector. Our trusted technology has been consecutively chosen for the world's largest XACML deployments.

Technology

Axiomatics is a driving force in authorization technology. The company's dedicated research hub boasts many of the world's leading experts in XACML, the standard that powers attribute-based access control (ABAC), while the Axiomatics CTO is the editor of the OASIS XACML 3.0 specification. Furthermore, Axiomatics was the first organization to attest complete XACML 3.0 specification conformance.

ABAC

Attribute-Based Access Control (ABAC) surpasses all previous authorization models. It provides easily scalable, dynamic, context-aware and risk-intelligent access control, essential for the modern enterprise.

Solutions

Axiomatics solutions deliver anywhere, any-depth access control across virtually any and every IT environment. They enable secure sharing of information across and within organizational borders and boundaries, and compliance with ever-evolving regulatory mandates, while promoting new business opportunities, reducing time-to-market and cutting IT development costs.

eXtensible Authorization

Axiomatics solutions bring together the benefits of standardization, through XACML, with the proven results of externalized authorization. This is more commonly known as eXtensible Authorization.