Developers - Axiomatics

Developers

Write Code Once, Use Many Times

Software requirements pull in different directions. Functional requirements define what the program should do; non-functional requirements add expectations on qualities such as performance and maintainability; security requirements are often the hardest to satisfy. In applications with non-trivial authorization needs, access control alone can account for 20%-40% of the development effort. With Attribute Based Access Control (ABAC), developers concentrate on the functional aspects and leave the authorization rules to the business analysts or business process owners.

To enable an application to use Attribute Based Access Control (ABAC) you implement policy enforcement points (PEPs) inside applications, gateways, application servers, ESBs or other suitable access points in the infrastructure. The task of the enforcement point is to:

  • Capture the access request – who the user is, which sensitive action the user wants to perform, and on which resource
  • Forward a corresponding XACML request to the authorization engine, the policy decision point (PDP)
  • Receive the XACML decision from the authorization engine and enforce it – PERMIT grants the action; anything else (DENY, but also the XACML decisions NotApplicable and Indeterminate, or no answer at all) must be treated as a denial
Software Development Kits

For these integration tasks, developers using Axiomatics products have easy-to-use SDKs for Java and .NET environments respectively. The SDKs cover enforcement points and, where the engine needs attributes that the application cannot supply in the request itself, policy information points (PIPs) that fetch them from directories, databases or other sources. Depending on how advanced the integration is, implementing an enforcement or information point is a matter of hours or days.

Once the integration is in place it is re-used for every access decision. Rather than implementing access control rules in the business logic of the application, a developer needs to:

  1. Connect to the authorization service.
  2. Create the XACML request (typically automated by the enforcement point module).
  3. Call the evaluate() method of the SDK, which forwards the request to the server.
  4. Act on the PERMIT or DENY response the server provides.
Comparison

Rather than embedding authorization checks throughout your code, you implement policy enforcement once and have it triggered whenever an access request is made. Axiomatics provides best practices for different environments: for instance, wrapping business methods with Aspect Oriented Programming (AOP), or re-using the same evaluate() call in MVC frameworks so that GUI elements are shown or hidden by the very rules that govern the business logic.

Without externalized authorization, tedious and constantly repeated checks have to be hand-written. Every time an action touches sensitive data or functions, code like this is needed:

{code class="brush: java;"} 
// Without ABAC the rule lives in the business logic and is copied into every sensitive method
void viewAccount(HttpServletRequest req, Account account) {
    if (req.isUserInRole("salesmanager") && !req.isUserInRole("guest")) {
        // code to determine if the user's sales region equals the region of the accessed account ...
        // code to determine if the time of day permits the requested action ...
        // code to check any number of further conditions ...
    } else {
        // code to determine what to do if the role does not match ...
        // code to check any number of further conditions ...
    }
}
{/code}

Once you start using the SDKs from Axiomatics, you write a single central implementation that establishes the connection to the authorization engine (PDP), builds the request, calls the engine and acts on the result. You typically put this in one function that is called with the attributes of the current request context, and the caller only has to act on the result, PERMIT or DENY. The logic of the rules that lead to the decision is no longer part of your application code:

{code class="brush: java;"} 
// One call replaces the hand-written checks; the rule logic now lives in the PDP
var result = PolicyDecisionPoint.Evaluate(new XacmlDecisionRequestContext());
{/code}
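The steps listed above (connect, build the request, evaluate, act on the decision) and the "write enforcement once, trigger it everywhere" idea of this comparison, as an added Python example. This is not the Axiomatics SDK and not code from this page: it builds requests in the standard XACML 3.0 JSON profile shape, takes the PDP call as an injected transport function so it runs offline (a real deployment would POST to the PDP's authorization endpoint, whose URL and credentials are assumed here), and replaces the engine with a constructed stand-in that mimics a single rule. The application-specific attribute identifiers (urn:example:...), the account data and the function names are hypothetical. It also shows two things the page only states in prose: the same evaluate call driving both a business method (via a decorator, the AOP idea) and a GUI show/hide decision, and fail-closed handling of NotApplicable, Indeterminate and malformed responses.

```python
"""Minimal policy enforcement point (PEP) over the XACML 3.0 JSON profile.

Added illustration, not the Axiomatics SDK. The PDP call is an injected
`transport` function so the module runs offline; in a real deployment it would
POST the JSON to the PDP's authorization endpoint (URL and credentials are
deployment-specific and assumed here).
"""
import functools
import json
from typing import Any, Callable, Dict

# Standard XACML attribute identifiers (OASIS XACML 3.0).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Application-specific attribute identifiers: hypothetical names for this example.
ROLE_ID = "urn:example:subject:role"
SUBJECT_REGION_ID = "urn:example:subject:sales-region"
RESOURCE_REGION_ID = "urn:example:resource:account-region"

Transport = Callable[[str], str]  # request JSON in, response JSON out


def build_request(subject: Dict[str, Any], action: str, resource: Dict[str, Any]) -> str:
    """Step 2: serialise the request context in the XACML JSON profile shape."""
    def attrs(values: Dict[str, Any]):
        return [{"AttributeId": k, "Value": v} for k, v in values.items()]
    return json.dumps({"Request": {
        "AccessSubject": {"Attribute": attrs(subject)},
        "Action": {"Attribute": attrs({ACTION_ID: action})},
        "Resource": {"Attribute": attrs(resource)},
    }})


def is_permitted(transport: Transport, subject: Dict[str, Any], action: str,
                 resource: Dict[str, Any]) -> bool:
    """Steps 3 and 4: send the request to the PDP and reduce its answer to a boolean.

    XACML defines four decisions: Permit, Deny, NotApplicable and Indeterminate.
    Only Permit grants access; the other three, and any malformed or missing
    response, are treated as a denial (fail closed).
    """
    try:
        results = json.loads(transport(build_request(subject, action, resource)))["Response"]
        return len(results) == 1 and results[0].get("Decision") == "Permit"
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def enforce(transport: Transport, action: str, resource_of: Callable[..., Dict[str, Any]]):
    """AOP-style wrapper: every call to the decorated business function is
    checked with the PDP first, so the check is written once, not per method."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(subject, *args, **kwargs):
            if not is_permitted(transport, subject, action, resource_of(*args, **kwargs)):
                raise PermissionError(f"{action} denied for {subject.get(SUBJECT_ID)}")
            return fn(subject, *args, **kwargs)
        return wrapper
    return decorator


# Constructed stand-in for the authorization engine, so the example runs offline.
# It mimics one rule: a salesmanager may 'view-account' on accounts in their own region.
def fake_pdp(request_json: str) -> str:
    req = json.loads(request_json)["Request"]

    def get(category: str, attr_id: str):
        return next((a["Value"] for a in req[category]["Attribute"]
                     if a["AttributeId"] == attr_id), None)

    subject_region = get("AccessSubject", SUBJECT_REGION_ID)
    if get("Action", ACTION_ID) != "view-account":
        decision = "NotApplicable"  # no policy covers this action
    elif (get("AccessSubject", ROLE_ID) == "salesmanager" and subject_region is not None
          and subject_region == get("Resource", RESOURCE_REGION_ID)):
        decision = "Permit"
    else:
        decision = "Deny"
    return json.dumps({"Response": [{"Decision": decision}]})


# Constructed sample data.
ACCOUNTS = {"acc-1": {"region": "EMEA"}, "acc-2": {"region": "APAC"}}


def account_resource(account_id: str) -> Dict[str, Any]:
    return {RESOURCE_ID: account_id, RESOURCE_REGION_ID: ACCOUNTS[account_id]["region"]}


@enforce(fake_pdp, "view-account", account_resource)
def view_account(subject: Dict[str, Any], account_id: str) -> Dict[str, Any]:
    """Business logic only: no authorization rule is embedded here."""
    return ACCOUNTS[account_id]


def show_view_button(subject: Dict[str, Any], account_id: str) -> bool:
    """The same evaluate call drives the GUI, so the button and the business logic agree."""
    return is_permitted(fake_pdp, subject, "view-account", account_resource(account_id))
```

Note that `is_permitted` returns true for exactly one decision value. Mapping "not Deny" to access, which is a common mistake when a PDP is first wired in, would let NotApplicable (no policy matched) and Indeterminate (evaluation error, for instance a missing attribute) grant access.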


Simplify Data Access Aligned with Corporate Policies

Axiomatics Policy Server bundles three different types of authorization services. In addition to the request/decision flow illustrated above, the Axiomatics PEP SDK can generate SQL query filters that mirror the corporate access control rules, so that a query returns only the rows the caller is permitted to see instead of the application fetching everything and checking each row afterwards.
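The idea of turning an access rule into a SQL filter, as an added Python example that is not the Axiomatics SDK's generator and not code from this page. The policy is a constructed rule table (a real deployment would derive the conditions from the XACML policies loaded in the PDP); the table and subject keys are hypothetical and the data is an in-memory SQLite table built inline. The example shows the two properties a practitioner should check in any such generator: permit rules are OR-ed and a subject matching none gets a condition that yields no rows, and attribute values reach the database only as bound parameters, never as SQL text.

```python
"""Policy-derived row filtering: the access rule becomes a WHERE clause.

Added illustration of the idea, not the Axiomatics SDK's actual SQL generator.
The policy is a constructed rule table; a real deployment would derive the
conditions from the XACML policies loaded in the PDP.
"""
import sqlite3
from typing import Any, Callable, Dict, List, Tuple

# Constructed stand-in for the policy: one permit rule per row, as
# (role the rule applies to, SQL condition, function producing bound parameters from the subject).
# The condition strings are trusted literals; subject data only ever becomes a parameter.
RULES: List[Tuple[str, str, Callable[[Dict[str, Any]], Tuple[Any, ...]]]] = [
    ("auditor",      "1 = 1",      lambda s: ()),                         # auditors read everything
    ("salesmanager", "region = ?", lambda s: (s.get("sales_region"),)),   # own region only ...
    ("salesmanager", "shared = 1", lambda s: ()),                         # ... plus accounts flagged shared
]


def account_filter(subject: Dict[str, Any]) -> Tuple[str, Tuple[Any, ...]]:
    """Combine the permit rules that apply to this subject into one condition.

    Permit rules are OR-ed, as independent permit rules in a policy set are.
    A subject matching no rule gets '1 = 0': deny by default, never an unfiltered query.
    A salesmanager without a region binds NULL, and 'region = NULL' matches no row.
    """
    conditions: List[str] = []
    params: List[Any] = []
    for role, cond, param_fn in RULES:
        if role in subject.get("roles", ()):
            conditions.append(f"({cond})")
            params.extend(param_fn(subject))
    if not conditions:
        return "1 = 0", ()
    return " OR ".join(conditions), tuple(params)


def fetch_accounts(conn: sqlite3.Connection, subject: Dict[str, Any]) -> List[str]:
    """Run the business query with the policy filter appended: only permitted rows come back."""
    cond, params = account_filter(subject)
    # cond is assembled solely from the literal strings in RULES; params carry the subject values
    return [row[0] for row in conn.execute(
        f"SELECT id FROM accounts WHERE {cond} ORDER BY id", params)]


def sample_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, region TEXT NOT NULL, shared INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("acc-1", "EMEA", 0), ("acc-2", "APAC", 1), ("acc-3", "EMEA", 0), ("acc-4", "APAC", 0)])
    return conn
```

A hostile attribute value such as `EMEA' OR '1'='1` in the subject's region simply fails to match any region, because it is bound as a parameter; if the generator had spliced it into the SQL text the filter would have collapsed to all rows.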

With Axiomatics Policy Server taking over the more tedious aspects of your programming, you as a developer focus on what matters: implementing the functional requirements that bring value to users. Rather than worrying about how to restrict access to each feature you implement, you concentrate on the features themselves.

Still have questions?

Send us an email at webinfo@axiomatics.com