Fine-grained authorization enables object level security. For data stored in tables, it means row-level or cell-level security, for data or meta data entered in forms, it means field-level security, and so on. But fine-grained can also refer to elaborate context-related conditions and constraints, such as time or geographical limits for permitted access.
When access controls are based on the precise and expressive XACML policy language, you can define authorization conditions for individual items in larger data sets.
Fine-grained authorization enables information sharing
Imagine an archive where entries about clients are maintained. Most of the actual body text can and should be shared with staff members of different job functions. However, sensitive meta data about individual clients must only be viewed by users who have authorization and a professional need to do so.
Unless the authorization system is fine-grained enough to filter out these details, all of the entries must remain undisclosed.
For this reason, there is a strong relation between capabilities that enable fine-grained authorization and capabilities that enable information sharing. Without the ability to filter out sensitive details or entire entries based on fine-grained conditions, information cannot be made available for sharing. If permissions can be set on the directory level only, the entire directory must remain off-limits for you even if it only contains one of several hundred documents for which you lack authorization. Sensitive items, which cannot be filtered out, “contaminate” the entire folder for you.
Rich policies can express multiple and complex conditions
Imagine insurance company business rules such as these:
- Claims adjusters may view the name, social security number and Salary of contract holders when reviewing loss of salary compensation claims. However, for financial privacy reasons, invoiced fees must not be disclosed.
- Claims adjusters reviewing invoiced fees should not see salary information or Social security numbers of contract holders.
- Adjusters should only see general information about contract holders assigned to their department, an agent or contractors of the department unless an explicit case assignment has been made.
These use cases are principally well-aligned with the capabilities of XACML. The complexity of the business rules can easily be expressed in XACML policies. However, with large tables and large amounts of columns that may be sensitive for various reasons, row-level or cell-level security could require large numbers of XACML policy decisions.
Axiomatics Reverse Query (ARQ) technology
Capabilities of the XACML standard such as the XACML v3.0 Multiple Decision Profile or processing based on information passed as XACML Obligations can help handle such use cases. Axiomatics offers a technology platform which is even better suited for multi-dimensional filtering of large data sets to achieve fine-grained authorization: the Axiomatics Reveres Query (ARQ) technology solutions. With this technology added on top of an XACML Policy Decision Point, many different types of special-purpose filters can be offered with no or minimal authorization overhead.
In some instances fine-grained does not refer to characteristics of the data object or resource but rather to the many conditions that apply. Time of day, location, citizenship of the user, black-listing and/or white-listing, verified certifications or competencies of the user, clearance levels, organizational assignments, and other attributes that refer to the subject alone may be of interest in different combinations and in varying contexts. These are aspects that hardly can be captured through role assignments or other user-centric authorization models.
Thus, even if the resource itself is “coarse-grained” by nature, the rules that must be applied can be “fine-grained”. These are use cases which are easily captured with eXtensible authorization based on the XACML standard.