Many insurance companies use Attribute Based Access Control (ABAC) solutions to enable partners or clients to directly manage their own information within the insurance company’s infrastructure. In this blog we’ll have a closer look at a typical deployment scenario.
The problem that needs to be solved: Insurance companies often operate via agents or partners to whom client management tasks may be delegated. Granting permissions to end-users to file claims, change insurance plans or to edit personal data online gives the insurance company a competitive edge due to improved service levels. It also speeds up internal business processes and improves cost efficiency. Additionally, corporate clients may also be contractually granted administrative permissions to handle insurance plans and claims on behalf of their insured employees.
In all of these scenarios, access control requirements become complex. Are parents allowed to view or edit data about their insured children? Regardless of the age of the child? Is the corporate HR user allowed to manage claims on behalf of employees if the corporate entity is paying for the insurance? What happens with the employee's life insurance if the employee leaves the company? Who can then see what? What administrative permissions should be granted to agents with regard to clients managed by the agent? What contractual limitations exist?
Conventional Role Based Access Control (RBAC) schemes are not flexible enough to handle such dynamically changing conditions. In these complex scenarios, policy-based Attribute Based Access Control (ABAC) becomes an ideal fit.
The illustrations provide a high-level view of the implementation at one Axiomatics customer site. Agents access back-end services directly via clients that have VPN access to core services. Customers and partners access the same services via browser interfaces powered by a web portal and a mobile portal respectively. The portals in turn consume the APIs of the underlying services.
For all entry points, the user logon is managed via identity federation services, which also provide single sign-on capabilities for the various applications that users access. Once the identity of the user is known, however, the authorization question remains: what is a user, coming via this specific channel at this time of day, allowed to do? An API Gateway intercepts all incoming requests and, before routing them any further, interacts with an Axiomatics Policy Server (APS) to establish what actions the user is allowed to perform. Based on the PERMIT/DENY response from APS, the API Gateway enforces the decision, either by allowing the client to consume the underlying API functions as requested or by re-routing the user to exception handling pages if the request is denied.
Thus, the central piece of the access control solution is the integration between APS and the API Gateway. However, APS serves further layers in the infrastructure as well. For instance, if the end-user is a parent requesting access to user records relating to a child, the API Gateway may forward the call to the underlying service that shows user records once APS has ruled that the call is permitted, because the user is verified to be the parent of the child whose records are requested. However, once the screen is displayed and the end-user interacts directly with the API of that underlying application, the next request may be to change details in a registered claim, an action that the policy does not permit. This time, the underlying application queries APS directly. This means that one and the same set of centrally maintained policies controls access not only at the API Gateway layer but also in subsequent layers, within a message queue, and on core back-end systems. At Axiomatics, we often refer to this as “any-depth” access control since it may apply on many layers, all the way to the database.
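To make the two-layer decision concrete, here is a small policy decision point added as an illustration; it is not Axiomatics code and does not use the APS API or XACML. The rules (parent, corporate HR, agent, mobile channel and office hours) and the sample identities are constructed for this example, and the deny-overrides combining with a default Deny mirrors the PERMIT/DENY answer the gateway and the underlying application both receive.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: dict   # who asks: role, children, company, managed clients
    action: str     # "view" or "edit"
    resource: dict  # what: type, owner, payer
    env: dict       # how: channel and hour of day

# Each rule returns "Permit", "Deny" or None (not applicable). Constructed rules.
def parent_views_child_record(r):
    if r.action == "view" and r.resource["type"] == "record" \
            and r.resource["owner"] in r.subject.get("children", ()):
        return "Permit"
    return None

def hr_manages_claims_company_pays_for(r):
    if r.resource["type"] == "claim" and r.subject.get("role") == "corporate_hr" \
            and r.resource.get("payer") == r.subject.get("company"):
        return "Permit"
    return None

def agent_confined_to_own_clients(r):
    if r.subject.get("role") != "agent":
        return None
    return "Permit" if r.resource["owner"] in r.subject.get("clients", ()) else "Deny"

def mobile_edits_only_in_office_hours(r):
    # Environment attributes (channel, time of day) take part in the decision.
    if r.action == "edit" and r.env.get("channel") == "mobile_portal" \
            and not 8 <= r.env.get("hour", -1) < 18:
        return "Deny"
    return None

RULES = [parent_views_child_record, hr_manages_claims_company_pays_for,
         agent_confined_to_own_clients, mobile_edits_only_in_office_hours]

def decide(r):
    """Deny-overrides: an explicit Deny wins, else a Permit, else default Deny."""
    results = {rule(r) for rule in RULES}
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"

def any_depth_walkthrough():
    """Parent scenario: the gateway checks the first call, the underlying
    application checks the next one, both against the same rule set."""
    parent = {"role": "customer", "children": ["child-42"]}   # constructed identity
    env = {"channel": "web_portal", "hour": 14}
    view = Request(parent, "view", {"type": "record", "owner": "child-42"}, env)
    edit = Request(parent, "edit", {"type": "claim", "owner": "child-42"}, env)
    return {"gateway:view_record": decide(view), "app:edit_claim": decide(edit)}
```

Running `any_depth_walkthrough()` yields Permit for the record view at the gateway and Deny for the later claim edit asked by the application, the two outcomes the text describes.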
By externalizing authorization to Axiomatics Policy Server (APS) across multiple layers, from the API Gateway and all the way down to the backends, the insurance company is now capable of exactly controlling who is allowed to perform which action on which record via which channel.