Externalizing authorization extends the advantages of runtime authorization and enables zero-trust access. It offers increased flexibility, centralized control, and stronger security for access control decisions, and it gives administrators the ability to enforce consistent controls in real time across applications and data.
The process flow of externalized runtime authorization is demonstrated below in a common enterprise security architecture based on standard components:
The components named in the model are:
- Policy Administration Point (PAP): The point at which access authorization policies are authored and managed.
- Policy Enforcement Point (PEP): The PEP intercepts a user's access request to a resource, sends a decision request to the PDP to obtain the access decision (i.e., access to the resource is approved or rejected), and acts on the decision it receives.
- Policy Decision Point (PDP): The PDP compares the permissions requested in the XACML request against the permissions allowed for the corresponding role named in the request, using attributes and policies fetched from the PIP and PRP. Based on the findings, the PDP either permits or denies the request.
- Policy Information Point (PIP): A centralized attribute store that holds the attribute values (i.e., subject, resource, or environmental attributes) referenced in the policy.
- Policy Retrieval Point (PRP): A centralized store of XACML access authorization policies; typically this is a database or filesystem.
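The flow among these components, as an added illustration that is not part of the original post and not NextLabs' code: a PEP intercepts a request, the PDP fetches subject and resource attributes from the PIP and applicable rules from the PRP, and the PEP enforces the answer. The policy format here is a simplified stand-in (plain Python predicates), not real XACML, and the users, resources, clearance levels and rules are constructed for the example. Note how the PEP fails closed: anything other than an explicit Permit (including Indeterminate, returned when attributes are unavailable) results in denial, and every decision is recorded for audit.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


class PolicyInformationPoint:
    """PIP: central attribute store. Sample data below is constructed for the example."""

    def __init__(self) -> None:
        self._subjects: Dict[str, Attrs] = {
            "alice": {"role": "analyst", "clearance": 2},
            "bob": {"role": "intern", "clearance": 1},
        }
        self._resources: Dict[str, Attrs] = {
            "/reports/q3.pdf": {"classification": 2},
            "/public/faq.txt": {"classification": 0},
        }

    def subject_attrs(self, subject: str) -> Attrs:
        return dict(self._subjects.get(subject, {}))

    def resource_attrs(self, resource: str) -> Attrs:
        return dict(self._resources.get(resource, {}))


@dataclass
class Policy:
    """One rule: applies to the listed actions; permits when condition(subject, resource, env) holds."""
    policy_id: str
    actions: frozenset
    condition: Callable[[Attrs, Attrs, Attrs], bool]


class PolicyRetrievalPoint:
    """PRP: policy store (in memory here; a database or filesystem in practice)."""

    def __init__(self, policies: List[Policy]) -> None:
        self._policies = policies

    def policies_for(self, action: str) -> List[Policy]:
        return [p for p in self._policies if action in p.actions]


class PolicyDecisionPoint:
    """PDP: evaluates a decision request against PRP policies using PIP attributes."""

    def __init__(self, pip: PolicyInformationPoint, prp: PolicyRetrievalPoint) -> None:
        self.pip, self.prp = pip, prp

    def decide(self, subject: str, action: str, resource: str, env: Attrs) -> str:
        s, r = self.pip.subject_attrs(subject), self.pip.resource_attrs(resource)
        if not s or not r:
            return "Indeterminate"   # unknown subject or resource: attributes unavailable
        for policy in self.prp.policies_for(action):
            if policy.condition(s, r, env):
                return "Permit"
        return "Deny"                # deny by default when no rule permits


class PolicyEnforcementPoint:
    """PEP: intercepts the request, asks the PDP, enforces the answer, records the decision."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def access(self, subject: str, action: str, resource: str, env: Attrs) -> bool:
        decision = self.pdp.decide(subject, action, resource, env)
        self.audit_log.append((subject, action, resource, decision))
        return decision == "Permit"  # fail closed on Deny and Indeterminate


# Constructed rules; plain predicates stand in for XACML policy conditions.
POLICIES = [
    Policy("read-if-cleared", frozenset({"read"}),
           lambda s, r, env: s.get("clearance", 0) >= r.get("classification", 99)),
    Policy("write-analysts-business-hours", frozenset({"write"}),
           lambda s, r, env: s.get("role") == "analyst" and 9 <= env.get("hour", -1) < 18),
]


def build_pep() -> PolicyEnforcementPoint:
    """Wire the four runtime components together for the example."""
    return PolicyEnforcementPoint(
        PolicyDecisionPoint(PolicyInformationPoint(), PolicyRetrievalPoint(POLICIES)))


if __name__ == "__main__":
    pep = build_pep()
    for who, act, res, env in [("alice", "read", "/reports/q3.pdf", {"hour": 10}),
                               ("bob", "read", "/reports/q3.pdf", {"hour": 10}),
                               ("alice", "write", "/reports/q3.pdf", {"hour": 20}),
                               ("mallory", "read", "/public/faq.txt", {"hour": 10})]:
        pep.access(who, act, res, env)
    for entry in pep.audit_log:
        print(entry)
```

Because the application code only ever calls the PEP, changing a rule in the PRP (the PAP's job) takes effect on the next request without redeploying the application, which is the centralized, real-time control the section describes.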