Gartner has an interesting article titled “Modernize Your Runtime Authorization” that highlights some of the properties you need from a modern enterprise authorization system.

Over the years I have seen several adjectives used to describe an advanced authorization management system. They capture complementary aspects of the system, and I believe an enterprise-grade authorization management system should provide all of them:

  • Fine-grained: the system should be able to capture and express the conditional logic for authorization at a very fine level of detail. Want to write a rule that requires a higher level of user authentication via step-up authentication? Want to write a rule that checks the relationship between the user and the object being accessed? Want to express complex rule hierarchies? These should be at the core of the system’s capability list.
  • Externalized: the authorization decision engine should be decoupled from the business logic of the application. Do you see a piece of application code that checks a user’s role before allowing access? If so, the authorization logic is not externalized. Do you instead see a call to an external service, an API, or even an external library asking for a decision on an access request? That is what you want.
  • Runtime based: the decision on whether to authorize access should be evaluated and enforced in line with the workflow of the running application, so that it captures the most up-to-date state of the required logic. This is as opposed to evaluating an entitlement that was handed out when you logged in to the system in the morning, or something that was provisioned when you joined the department.
  • Dynamic: closely related to runtime evaluation is the ability to use attributes that are as up-to-date as possible in the decision process. Did the status of that purchase order change a minute before the access request? Did the break-the-glass flag get turned on a minute before the request for DB access? Did the patient-doctor relationship get updated this morning at the patient’s request? There are cases where such dynamic values must be used. It goes without saying that optimizations such as caching and pre-fetching should also be supported, with the caveat that a cached attribute is, by definition, no longer the freshest value.
  • Policy- and attribute-based: this is more a means-to-an-end capability that enables the system to be fine-grained and dynamic in its design. Writing the authorization condition logic in terms of attributes lets you enforce rules that depend on very specific properties of the entities involved (subject, object, action, environment, etc.). An easy-to-order, easy-to-understand hierarchy of conditions, rules and policies lets customers manage enterprise-scale, complex policies without breaking a sweat.

Of course, the list above is not a comprehensive set of product features to look for in an authorization system, but rather the high-level capabilities that should be present.
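To make the five properties above concrete, here is a small worked example. It is added to this post and is not code from the Gartner article or from any product; every name, attribute key and rule in it is hypothetical. It models an externalized policy decision point (PDP) that the application calls at request time, a policy information point (PIP) that resolves attributes from a store as of the moment of the decision (with an optional TTL cache standing in for the caching optimization mentioned above), and a small attribute-based policy set covering a treating-relationship rule, a break-the-glass rule that requires step-up authentication, and a blanket deny. The scenario function shows the same subject getting a different answer as the relationship and emergency attributes change, without any re-login or re-provisioning.

```python
"""Added example (hypothetical names and policies): externalized, attribute-based
authorization evaluated at runtime with freshly resolved attributes."""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs      # who is asking, e.g. {"id": "dr_lee", "role": "doctor", "auth_level": 1}
    action: str         # what they want to do, e.g. "read"
    resource: Attrs     # on what, e.g. {"type": "patient_record", "patient_id": "p42"}
    environment: Attrs  # context such as the break-the-glass state, filled in at decision time


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


class PolicyInformationPoint:
    """Resolves attributes at decision time. Backed by a dict here; a DB or API in practice.
    ttl_seconds > 0 enables a short cache (the optimization the post mentions); 0 is always fresh."""

    def __init__(self, store: Dict[Tuple[str, str], Any], ttl_seconds: float = 0.0):
        self.store = store
        self.ttl = ttl_seconds
        self._cache: Dict[Tuple[str, str], Tuple[Any, float]] = {}

    def get(self, key: Tuple[str, str], default: Any = None) -> Any:
        now = time.monotonic()
        if self.ttl > 0 and key in self._cache:
            value, stamp = self._cache[key]
            if now - stamp < self.ttl:
                return value  # cached: may be stale by up to ttl_seconds
        value = self.store.get(key, default)
        self._cache[key] = (value, now)
        return value


class PolicyDecisionPoint:
    """Externalized decision engine: the application never inspects roles itself, it asks here.
    Deny-overrides combining: any matching deny wins, else any matching permit, else deny."""

    def __init__(self, rules: List[Rule], pip: PolicyInformationPoint):
        self.rules = rules
        self.pip = pip

    def decide(self, req: Request) -> str:
        # Enrich the request with attributes as of *now*, not as of login (runtime, dynamic).
        patient = req.resource.get("patient_id", "")
        req.subject["treating"] = set(self.pip.get(("treating", req.subject["id"]), default=()))
        req.environment["break_glass"] = bool(self.pip.get(("break_glass", patient), default=False))
        effects = {r.effect for r in self.rules if r.condition(req)}
        if "deny" in effects:
            return "deny"
        return "permit" if "permit" in effects else "deny"


# Hypothetical policy set. Order is for readability; combining is by effect, not position.
RULES = [
    Rule("contractors never touch patient records", "deny",
         lambda r: r.subject["role"] == "contractor" and r.resource["type"] == "patient_record"),
    Rule("treating doctor may read", "permit",
         lambda r: r.action == "read" and r.subject["role"] == "doctor"
         and r.resource["patient_id"] in r.subject["treating"]),
    Rule("break-the-glass read requires step-up authentication", "permit",
         lambda r: r.action == "read" and r.environment["break_glass"]
         and r.subject["auth_level"] >= 2),
]


def view_record(pdp: PolicyDecisionPoint, subject: Attrs, patient_id: str) -> str:
    """Policy enforcement point inside the application: one call out, no embedded role logic."""
    req = Request(dict(subject), "read", {"type": "patient_record", "patient_id": patient_id}, {})
    return pdp.decide(req)


def run_scenario() -> List[str]:
    """Constructed attribute store; returns the decision at each step so it can be checked."""
    store: Dict[Tuple[str, str], Any] = {}
    pdp = PolicyDecisionPoint(RULES, PolicyInformationPoint(store, ttl_seconds=0.0))
    lee = {"id": "dr_lee", "role": "doctor", "auth_level": 1}
    kim = {"id": "dr_kim", "role": "doctor", "auth_level": 1}
    out = []
    out.append(view_record(pdp, lee, "p42"))   # no treating relationship yet -> deny
    store[("treating", "dr_lee")] = ["p42"]    # relationship updated this morning
    out.append(view_record(pdp, lee, "p42"))   # same session, same PDP -> permit
    store[("break_glass", "p42")] = True       # emergency flag flipped a minute ago
    out.append(view_record(pdp, kim, "p42"))   # break-glass but no step-up -> deny
    kim["auth_level"] = 2                      # step-up authentication completed
    out.append(view_record(pdp, kim, "p42"))   # now permit
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Note the trade-off the TTL cache makes visible: with `ttl_seconds` set above zero, a break-the-glass flag or a revoked relationship is not seen until the cached value expires, so the cache lifetime is itself a security parameter and should be chosen per attribute rather than globally.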