The document discusses data entitlement in an API-centric architecture, emphasizing the importance of authentication, authorization, and managing permissions effectively. It highlights complexities such as maintenance challenges and the need for a modern entitlement design that is reusable, centrally manageable, and responsive to changing business needs. Additionally, it outlines the benefits of using a standardized approach with mechanisms like XACML for policy-based entitlement and suggests that a data service mindset is essential for managing entitlements.

1. Data Entitlement in an API-Centric
Architecture
04/02/2015
Nuwan Bandara
Senior Technical Lead

2. Entitlement in general
John doe need to reed web page
John authenticates with the system
System checks John’s role and associated permissions
If allowed john is presented with the page
traditional
application
authenticate
authorize
access

3. API Centric Entitlements
John doe need to reed resource foo
John authenticates with the system
System checks John’s role and associated permissions
If allowed john is presented with the resource
API Gateway
authenticate
authorize
access

4. Common Aspects of the typical use case
Involvement of a actor (john)
Involvement of a resource (page / data)
Use of permissions
Use of an attribute (role)
Involvement of an action (READ)

5. Entitlement complexities
Complex rules
Too many combinations
Over time maintenance nightmare (a role per user / too many granular permissions)
Too many changes (governance nightmare)
Application centric

6. Who should provide entitlements

7. Traditional design

8. Where does the rules exist ?
At the application layer ?
At the API layer ?
At the data access layer ?
application API gateway data services

9. Modern entitlement design principals
Re-usability
Application / API neutral
Loosely coupled to the underline system
Centrally manageable
performance

10. Data entitlement at the data access layer

11. Challengers
Externalized entitlement engines are often seen as an unnecessary task and an overhead
Needs fresh thinking and often re-writing the applications / APIs in a permission agnostic
manner
Must be standards driven
Need to optimize for performance

12. Benefits
Benefits are more long term
Helps organizations adapt to changing business needs, and data security requirements
easier
Centralized management of platform level policies
Ideal for heterogeneous systems – Unified access model to entitlements data
Service mindset – everything is a service, including entitlements

13. Entitlements at the API Layer
application api gateway
entitlement
engine
data services
authenticate
authorize
data access

14. Whats new in entitlement with regard to APIs
APIs has define interactions (GET/PUT/POST/DELETE etc)
APIs has token based authentication
APIs has associated concepts (throttling / billing )
APIs are typically centrally managed

15. Entitlement patterns for API architectures
Attribute based access control
User Doe can READ resource Foo
Policy based access control
User Doe can READ resource Foo only 10 time per day

16. Entitlement policies and decision engines
XACML is the standard for policy based
entitlement
XACML provides the rich entitlement
rule authoring capability
XACML policies are evaluated on a
decision engine
XAML has a defined sequence in
integration to applications and APIs
PEP / PDP / PAP / PIP

17. Putting it all together

18. API gateway flow for authorization

19. Sample policy

20. Summary
Data entitlement is central to an API architecture
Entitlement rules needs to be loosely coupled to the API runtime
Entitlement engine has to be capable to evaluating granular rules
Data access has to be controlled via an entitlement engine as the permutation and
combinations for data access can grow massively over time

21. Thank You