Attribute-based access control (ABAC) lets us define fine-grained authorization policies that typically take into account user attributes and resource attributes. Sometimes we may need time to express authorization constraints. For example: Only a supervisor can view the medical record of a
To Axiomatics prospects and customers, standardization, or standards compliance, is of great importance and often one of the deciding factors in choosing Axiomatics over “homegrown” or vendor proprietary products. A standards-based product will, among other things, allow the customer to source
When it comes to securing access to services and data, we see many different use cases and, with that, the enforcement of authorization rules at different layers in the IT stack. This spans all the way from the Web/Presentation tier down to the data tier as illustrated in Figure 1. Enforcing
As a Sales Engineer, it’s not uncommon to meet with a customer - or a prospective customer - who, along with securing APIs, microservices and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves
The Abbreviated Language For Authorization (Wikipedia) or ALFA is a domain specific language used to express XACML authorization policies. It is by far much easier to work with than writing the raw XML. Depending on who you ask it is easier to understand and work with than UI tools. Currently there
The XACML standard provides a means of returning the reason for an access request denial through the use of the Obligations and Advice expressions, which were added in the 3.0 standard. A comprehensive explanation of Obligations and Advice can be found in our blog entry titledYou are not obliged to
This week's question gets into a very specific XACML implementation detail but it is one that I encounter often so I thought this might be a good place to raise awareness. You are probably already aware that one of the key features of an Attribute Based Access Control system (ABAC) is the ability
All (or most of) the logic in the policy In this case we’re obviously talking about the XACML policy. This is an Attribute Based Access Control (ABAC) approach that leverages attributes and policies to make runtime authorization decisions. Defining the authorization logic in the policy itself
There are different approaches to expressing authorization logic. What’s the best way? It’s not as simple as the right or wrong way in this case unfortunately. Let’s take a look at the pro’s and con’s of the more typical approaches we see here at Axiomatics when we work with our
We have written in the past about using time in XACML policies. This can be useful when wanting to control access outside office hours for instance. Sometimes, we also want to use dates to achieve similar and complementary use cases. Using the Date Datatype in XACML The Date Datatype XACML