Confidential
1
axiomatics.com
Policies, Graphs, or Relationships
What approach works best?
David Brossard, May 2024
A Taxonomy of Authorization Models
RBAC, ABAC, PBAC, ReBAC
RBAC - 1992 - NIST (Ferraiolo and Kuhn) - Role Based Access Control
ABAC - 2013 - NIST SP 800-162 (Hu, Ferraiolo, Kuhn et al.) - Attribute Based Access Control
PBAC - Policy Based Access Control: more of a marketing term, generally the same thing as ABAC
ReBAC - 2007 - IEEE paper by Carrie Gates, "Access Control Requirements for Web 2.0 Security and Privacy" (PDF) - Relationship Based Access Control
Two camps
Policy-First
● OASIS XACML
● Open Policy Agent Rego
● ALFA
● AWS Cedar
● OSO Polar
● Cerbos
Relationship-first
● Zanzibar (Google's paper; a model, not a downloadable implementation)
● NGAC
● OpenFGA
● SpiceDB (AuthZed)
● 3Edges
● Topaz (hybrid model)
ABAC & PBAC…
Basics
• Everything is attributes
• Policies combine attributes together
• Attributes can represent contextual data
o Time | Location | Risk | Device
• Policies are decoupled from data
o Retrieve your data from wherever it lives
Example
P: A person can fish non-endangered species during daytime if they have a valid permit and they have not exceeded their daily quota.
Q: Can Joe, the teenager on vacation, fish trout in Glacier National Park at 2pm?
A: Permit 🎣, once the attributes line up: Identity (Joe), Age (teenager), Location (Glacier National Park), Time (2pm), Action (fish), Resource (trout), Conservation status (non-endangered), Permit (valid).
Examples of ABAC Policies

Rego (OPA):

    # Package name, input shape (input.user, input.pet, input.action) and the
    # helper rules at the bottom are assumed; the slide showed only the allow rules.
    package petstore.authz
    import rego.v1

    default allow := false
    allow if user_is_owner
    allow if {
        user_is_employee
        action_is_read
    }
    allow if {
        user_is_employee
        user_is_senior
        action_is_update
    }
    allow if {
        user_is_customer
        action_is_read
        not pet_is_adopted
    }

    user_is_owner if input.user.id == input.pet.owner
    user_is_employee if input.user.role == "employee"
    user_is_senior if input.user.tenure_years >= 5
    user_is_customer if input.user.role == "customer"
    action_is_read if input.action == "read"
    action_is_update if input.action == "update"
    pet_is_adopted if input.pet.adopted == true

ALFA:

    /* The namespace name is assumed; the attribute declarations (objectType,
       actionId, user.role, record.owner, user.employeeId) are assumed to be
       declared elsewhere in it. */
    namespace com.example {
        policyset records {
            target clause objectType == "record"
            apply firstApplicable
            policy viewRecords {
                target clause actionId == "view"
                apply firstApplicable
                rule managers {
                    target clause user.role == "manager"
                    permit
                }
                rule owner {
                    permit
                    condition record.owner == user.employeeId
                }
            }
        }
    }

AWS Cedar:

    // Alice may view one specific photo.
    permit (
        principal == PhotoApp::User::"alice",
        action == PhotoApp::Action::"viewPhoto",
        resource == PhotoApp::Photo::"vacationPhoto.jpg"
    );

    // Stacey may view any photo that sits in her own account (hierarchy via `in`).
    permit (
        principal == PhotoApp::User::"stacey",
        action == PhotoApp::Action::"viewPhoto",
        resource
    )
    when { resource in PhotoApp::Account::"stacey" };
ALFA Policies can be visualized… 🥁as graphs (sort of)

[Figure: policy tree for "Attorney / View / Court Reporter Transcript", with one DO (deny-overrides) combining node and four DuP (deny-unless-permit) nodes, one per rule. All four rules evaluate to Permit (✔) in the example.]
  • Permit if the attorney is assigned to the case (the attorney must be assigned to the case).
  • Permit if the attorney is in good standing (the attorney must be in good standing).
  • Permit if the attorney is licensed (the attorney must be licensed to practice in court).
  • Permit if the attorney checks are all good (the attorney must be cleared).
Graph-based AuthZ: ReBAC-first
ReBAC is an authorization paradigm in which a subject's permission to access a resource is derived from the presence of relationships between subjects and resources.

Data becomes front and center: the data is modelled as a graph, hence "graph-based authorization".

In general, authorization is performed by traversing the directed graph of relationships. Each edge is a (subject, relation, object) statement, very similar to an RDF triple.
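To make the traversal concrete, here is an added example (not code from the slides or from any of the products listed) of a minimal Zanzibar-style relationship store in Python. The schema, the tuples and the object/relation names are all constructed for illustration. It shows the three edge kinds a graph engine follows (direct tuple, userset such as a group membership, and inheritance through a parent object), a cycle guard so malformed data cannot hang the service, and the reverse index question ("who can view y?") that the later comparison table credits ReBAC with.

```python
"""Minimal Zanzibar-style ReBAC check and reverse index (added example, not code
from the slides or from any of the products listed)."""
from collections import defaultdict

# Hypothetical schema in the spirit of Zanzibar userset rewrites: a relation can be
# implied by a stronger one on the same object (owner -> editor -> viewer) and can
# be inherited from the object's parent (a folder viewer can view its documents).
SCHEMA = {
    "folder": {
        "owner": {},
        "editor": {"implied_by": ["owner"], "from_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "from_parent": "viewer"},
        "parent": {},
    },
    "doc": {
        "owner": {},
        "editor": {"implied_by": ["owner"], "from_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "from_parent": "viewer"},
        "parent": {},
    },
    "group": {"member": {}},
}

# Constructed relationship tuples, written (object, relation, subject) like an RDF
# triple. A subject may be a user, another object (for "parent") or a userset such
# as "group:auditors#member" (everyone who is a member of the auditors group).
TUPLES = [
    ("folder:finance", "owner", "user:alice"),
    ("folder:finance", "viewer", "group:auditors#member"),
    ("group:auditors", "member", "user:bob"),
    ("doc:budget", "parent", "folder:finance"),
    ("doc:budget", "editor", "user:carol"),
    ("doc:memo", "viewer", "user:dave"),
]


class TupleStore:
    """All tuples are loaded up front: this is the stateful part of a graph engine."""

    def __init__(self, tuples):
        self._index = defaultdict(set)
        for obj, rel, subj in tuples:
            self._index[(obj, rel)].add(subj)

    def direct(self, obj, rel):
        return self._index.get((obj, rel), set())


def expand(store, relation, obj, _seen=None):
    """Reverse index: the set of users holding `relation` on `obj`, found by
    traversing the directed relationship graph. `_seen` stops the walk if the data
    contains a cycle (e.g. a folder whose parent is one of its own documents), so a
    bad tuple cannot hang the authorization service."""
    seen = set() if _seen is None else _seen
    if (obj, relation) in seen:
        return set()
    seen.add((obj, relation))
    spec = SCHEMA[obj.split(":", 1)[0]][relation]  # KeyError here = schema bug, not a deny
    users = set()
    for subj in store.direct(obj, relation):
        if "#" in subj:                       # userset: follow into the group
            sub_obj, sub_rel = subj.split("#", 1)
            users |= expand(store, sub_rel, sub_obj, seen)
        else:
            users.add(subj)
    for stronger in spec.get("implied_by", []):
        users |= expand(store, stronger, obj, seen)
    if "from_parent" in spec:
        for parent in store.direct(obj, "parent"):
            users |= expand(store, spec["from_parent"], parent, seen)
    return users


def check(store, user, relation, obj):
    """Forward question: does `user` hold `relation` on `obj`?"""
    return user in expand(store, relation, obj)


if __name__ == "__main__":
    store = TupleStore(TUPLES)
    print(check(store, "user:bob", "viewer", "doc:budget"))   # via group and folder
    print(sorted(expand(store, "viewer", "doc:budget")))      # reverse index
```

Bob never appears in a tuple about the budget document; he reaches it through group membership on the folder and the parent edge, which is exactly the kind of nesting the policy languages above express only with effort. The same walk that answers "can Bob view this?" also answers "who can view this?", because the engine holds all the tuples locally. That is also the cost: the tuples have to be loaded and kept in sync before any question can be answered.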
Examples of Graph-based systems
• Aserto (Topaz)
• Authzed (SpiceDB)
• OpenFGA (Okta)
• 3Edges
• NGAC (NIST implementation)
[Figure: 3Edges example]
Stateful vs. Stateless
For a graph-based system to answer a question, all of the data it reasons about (the relationship tuples) must first be loaded into it. The authorization service becomes stateful, and you now own the problem of keeping that copy in sync with the systems of record.

ABAC (policy)-based systems generally rely on the P*P architecture (PEP, PDP, PAP, PIP), in which a Policy Information Point (PIP) fetches attributes on demand at decision time. The PDP itself stays stateless, which is easier to operate and scale, but each attribute lookup can add latency to the decision.
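The following is an added example (not code from the slides or from any Axiomatics product) of the stateless side of this trade-off in Python, using the fishing policy from the ABAC slide earlier. The PIP resolves attributes one at a time from constructed stand-in data sources (a permit registry, a catch log, a quota table and a conservation list; the daytime window is an assumed 06:00 to 20:00) and records each fetch, so you can see that nothing is preloaded and that a request denied by an early clause never touches the later sources. A lookup that fails because the data is missing yields Indeterminate rather than a decision, which the PEP must treat as a deny.

```python
"""Stateless ABAC decision for the fishing policy on the slides, with a Policy
Information Point (PIP) that fetches attributes on demand (added example, not from
the slides; the data sources below are constructed stand-ins)."""
from datetime import time

# Stand-ins for the systems of record a real PIP would call out to (constructed).
PERMITS = {"joe": True, "ann": False, "eve": True}        # is the permit valid?
CATCH_TODAY = {"joe": {"trout": 2}, "eve": {"trout": 5}}  # fish landed so far today
DAILY_QUOTA = {"trout": 5, "bull_trout": 0}
ENDANGERED = {"bull_trout"}
DAYTIME = (time(6, 0), time(20, 0))                       # assumed daytime window


class PIP:
    """Resolves one attribute at a time and records what it fetched, so the trace
    shows that nothing was preloaded and only attributes the policy touched were read."""

    def __init__(self, request):
        self.request = request
        self.fetched = []

    def get(self, name):
        self.fetched.append(name)
        subj, species = self.request["subject"], self.request["resource"]
        if name == "subject.permit_valid":
            return PERMITS[subj]                 # KeyError: unknown angler, see decide()
        if name == "subject.catch_today":
            return CATCH_TODAY.get(subj, {}).get(species, 0)
        if name == "resource.endangered":
            return species in ENDANGERED
        if name == "resource.daily_quota":
            return DAILY_QUOTA[species]
        if name == "environment.time":
            return self.request["context"]["time"]
        raise KeyError(name)


def fishing_policy(pip):
    """P: a person can fish non-endangered species during daytime if they have a
    valid permit and have not exceeded their daily quota. Clauses short-circuit, so a
    night-time request is denied after a single attribute lookup."""
    return (
        DAYTIME[0] <= pip.get("environment.time") < DAYTIME[1]
        and not pip.get("resource.endangered")
        and pip.get("subject.permit_valid")
        and pip.get("subject.catch_today") < pip.get("resource.daily_quota")
    )


def decide(request):
    """PDP entry point: returns (decision, attributes fetched). A missing attribute is
    reported as Indeterminate rather than silently turned into Permit or Deny; the PEP
    must fail closed on anything that is not exactly "Permit"."""
    pip = PIP(request)
    try:
        return ("Permit" if fishing_policy(pip) else "Deny"), pip.fetched
    except KeyError as missing:
        return f"Indeterminate: missing attribute {missing}", pip.fetched


def build_request(subject, species, hour, minute=0):
    """The decision request the PEP sends. The slide's 'age' attribute is not
    referenced by the policy text, so the PIP never fetches it."""
    return {"subject": subject, "action": "fish", "resource": species,
            "context": {"time": time(hour, minute)}}


if __name__ == "__main__":
    print(decide(build_request("joe", "trout", 14)))   # Joe, trout, 2pm
    print(decide(build_request("joe", "trout", 22)))   # only the time is fetched
```

Joe at 2pm costs five lookups; Joe at 10pm costs one. There is no copy of the permit registry inside the PDP to keep current, which is the operational upside the slide describes, and each of those lookups is a network call in a real deployment, which is the latency downside.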
Pros & Cons
Pros of the Policy Approach
• ABAC/PBAC enables policy-as-code
o Easier for app owners and developers to manage
• Policies mirror English more closely
• Some languages (ALFA) support conflict
resolution and combination natively
• More flexible: use any attributes
• No need to preload data
• Policies can express negative cases
Pros of the Graph Approach
• Zero-code
• Native support for relationships,
dependencies, and hierarchies
• Richer schema makes data reasoning easier
Summary of Pros & Cons (courtesy of Permit.io)

Use case
  ABAC: allows the creation of fine-grained policies based on user and resource attributes, significantly extending upon basic RBAC.
  ReBAC: is designed to represent hierarchies and nested relationships, making it the most suitable choice for managing permissions for complex hierarchical relationships.

Representation of relationships
  ABAC: can be cumbersome and verbose when managing access to hierarchical structures where resources are nested under other resources.
  ReBAC: excellent for representing hierarchies and nested relationships.

Reverse indices (who has access to y, instead of does x have access to y)
  ABAC: implementing reverse indices is very difficult.
  ReBAC: naturally supports reverse indices, thanks to its graph-like nature.

Performance
  ABAC: often provides better query performance but can be heavier on data mapping and loading.
  ReBAC: data mapping is usually easier, but the recursive nature of relationships can produce inefficient queries.

Homebrew implementation complexity
  ABAC: medium complexity compared to other models*
  ReBAC: highly complex

Granularity
  ABAC: extremely high level of granularity
  ReBAC: higher granularity than RBAC, not as granular as ABAC**

Policy definition
  Permissions can be defined en masse instead of individually for every single resource by using teams and groups. They can also be added/removed from an application without requiring complex data migrations (e.g., adding/removing permissions for each individual user record)***

Auditing difficulty
  ABAC: more complex than RBAC, yet still easily auditable if set up correctly.
  ReBAC: the complexity and recursive nature of ReBAC policies can make auditing challenging.
OpenID AuthZEN: Providing Interoperability between approaches
• Different authorization implementations (graph, ABAC…) do not all expose the same interface, yet most are 90% the same
• Within the OpenID AuthZEN Working Group, we decided to standardize across all solutions
• Step 1
o Simple Permit/Deny request/response protocol
• Step 2
o Multiple decision approach: bundle multiple requests into a single one and receive multiple decisions back
• Other WIP
o Design patterns (integration with OAuth-style approaches)
o Support obligations in responses
o ‘Search’ API
• Do you want to take part?
o OpenID AuthZEN
o Join us at the Identiverse AuthZEN Interop on 5/28 in Vegas.
o Try the Axiomatics AuthZEN PDP at https://pdp.alfa.guide using the Postman collection
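As an added example (not code from the slides or from the Axiomatics PDP), here is the shape of that exchange in Python, with a PEP building the Step 1 single-decision request and the Step 2 bundled request, and a PDP that answers both while delegating the actual decision to either a relationship lookup or an attribute check. The field names (subject/action/resource/context, a boolean "decision", an "evaluations" array) follow the OpenID AuthZEN Authorization API 1.0 draft as published in 2024 and are an assumption here; check them against the current draft before depending on them. The two engines and their data are constructed for illustration.

```python
"""AuthZEN-style PEP/PDP exchange (added example, not from the slides or the
Axiomatics PDP). Field names follow the OpenID AuthZEN Authorization API 1.0 draft
as published in 2024 and are an assumption; verify against the current draft."""
import json


# ---- PEP side -----------------------------------------------------------------
def evaluation_request(user, action, rtype, rid, context=None):
    """Step 1: one Permit/Deny question (the body POSTed to /access/v1/evaluation)."""
    return {
        "subject": {"type": "user", "id": user},
        "action": {"name": action},
        "resource": {"type": rtype, "id": rid},
        "context": context or {},
    }


def evaluations_request(user, rtype, action_ids, context=None):
    """Step 2: bundle several questions. Shared parts sit at the top level; each
    entry under "evaluations" carries only what differs (here: action and resource)."""
    return {
        "subject": {"type": "user", "id": user},
        "context": context or {},
        "evaluations": [
            {"action": {"name": a}, "resource": {"type": rtype, "id": r}}
            for a, r in action_ids
        ],
    }


def pep_allows(response):
    """Fail closed: only a JSON boolean true is a Permit. The string "true", the
    number 1 or a missing field must not grant access."""
    return response.get("decision") is True


# ---- PDP side: one interface fronting two very different engines ---------------
class AuthZenPDP:
    def __init__(self, engine):
        self.engine = engine  # engine(subject, action, resource, context) -> bool

    def evaluation(self, body):
        body = json.loads(json.dumps(body))  # what arrives on the wire is plain JSON
        return {"decision": bool(self.engine(body["subject"], body["action"],
                                             body["resource"], body.get("context") or {}))}

    def evaluations(self, body):
        defaults = {k: body.get(k) for k in ("subject", "action", "resource", "context")}
        return {"evaluations": [self.evaluation({**defaults, **item})
                                for item in body["evaluations"]]}


# Constructed relationship tuples: (subject, relation, object).
REL_TUPLES = {("user:alice", "viewer", "doc:1"), ("user:bob", "editor", "doc:1")}


def rebac_engine(subject, action, resource, context):
    """Relationship-first: the action name is the relation to look up."""
    return (f"{subject['type']}:{subject['id']}", action["name"],
            f"{resource['type']}:{resource['id']}") in REL_TUPLES


# Constructed attribute source: department per user.
DEPARTMENT = {"alice": "finance", "bob": "sales"}


def abac_engine(subject, action, resource, context):
    """Policy-first: finance staff may read reports during office hours (assumed 9-17)."""
    return (action["name"] == "read" and resource["type"] == "report"
            and DEPARTMENT.get(subject["id"]) == "finance"
            and 9 <= context.get("hour", -1) < 17)


if __name__ == "__main__":
    pdp = AuthZenPDP(rebac_engine)
    print(pep_allows(pdp.evaluation(evaluation_request("alice", "viewer", "doc", "1"))))
```

The application code never learns which engine sits behind the PDP, which is the interoperability the working group is after: swapping the graph engine for the attribute engine (or for a product listed on the earlier slides) changes nothing on the PEP side. The strict `is True` check in pep_allows is the one piece worth copying verbatim into any PEP, whatever the PDP.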
Pick the best of both worlds
You can have vanilla and chocolate ice cream
together (and also hold a cone of pistachio ice
cream)
Platforms like OpenFGA, Topaz, and Axiomatics provide a combined approach:
• Topaz uses a mix of OPA policies and ReBAC
• OpenFGA adds attribute-based conditions written in Google CEL to its relationship model
• Axiomatics can model relationships through attributes
Upcoming Events
Identiverse 2024
▶ The Authorization Conversation
▶ Navigating the Intersection: IAM and OWASP in the
Cybersecurity Landscape
▶ Don’t Ask for Forgiveness, Ask for Permission!
European Identity Conference 2024
▶ Unpacking Authorization Approaches: Policy as Code
Versus Traditional Business Needs
▶ How AI Can Help IAM Deliver Better and Stronger
Authorization
▶ Panel: OpenID AuthZEN: Standards for Modern
Authorization
▶ Panel: Why Authorization Standardization is Imperative
▶ Panel: Policy Engines in Practice
Identiverse
May 28th - 31st
Las Vegas, USA
European
Identity
Conference
June 4th - 7th
Berlin, Germany
Additional Reading
• Authorization Concepts (Auth0)
• Intro to Attribute Based Access Control (ABAC)
• ALFA - the Abbreviated Language for Authorization
• The Authorization Substack Newsletter
• IIW 2023 - Introduction to ALFA
• 📺The Holy Grail of IAM: Getting to Grips with Authorization
Thank you
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authorization

  • 7. Examples of ABAC Policies

  Rego (OPA):
      package authz        # package name is assumed; the slide shows only the rules
      import rego.v1       # provides the `if` keyword used below

      default allow := false

      allow if user_is_owner

      allow if {
          user_is_employee
          action_is_read
      }

      allow if {
          user_is_employee
          user_is_senior
          action_is_update
      }

      allow if {
          user_is_customer
          action_is_read
          not pet_is_adopted
      }

  ALFA:
      policyset records {
          target clause objectType == "record"
          apply firstApplicable
          policy viewRecords {
              target clause actionId == "view"
              apply firstApplicable
              rule managers {
                  target clause user.role == "manager"
                  permit
              }
              rule owner {
                  permit
                  condition record.owner == user.employeeId
              }
          }
      }

  AWS Cedar:
      permit (
          principal == PhotoApp::User::"alice",
          action == PhotoApp::Action::"viewPhoto",
          resource == PhotoApp::Photo::"vacationPhoto.jpg"
      );

      permit (
          principal == PhotoApp::User::"stacey",
          action == PhotoApp::Action::"viewPhoto",
          resource
      ) when { resource in PhotoApp::Account::"stacey" };
  • 8. ALFA policies can be visualized… 🥁 as graphs (sort of)
  [Diagram: policy tree for Attorney / View / Court Reporter Transcript. A root combining node (DO) branches into four DuP nodes, each pairing a requirement with the rule that enforces it; all four are ticked ✔:]
  The attorney must be assigned to the case. → Permit if the attorney is assigned to the case.
  The attorney must be in good standing. → Permit if the attorney is in good standing.
  The attorney must be licensed to practice in court. → Permit if the attorney is licensed.
  The attorney must be cleared. → Permit if the attorney checks are all good.
  • 9. Graph-based AuthZ: ReBAC-first
  ReBAC defines an authorization paradigm where a subject's permission to access a resource is defined by the presence of relationships between those subjects and resources.
  Data becomes front and center. Data is modelled onto a graph → graph-based authorization.
  In general, authorization is performed by traversing the directed graph of relationships. The nodes and edges of this graph are very similar to triples in RDF.
  • 10. Examples of Graph-based systems
  • Aserto (Topaz)
  • Authzed (SpiceDB)
  • OpenFGA (Okta)
  • 3Edges
  • NGAC (NIST implementation)
  [Screenshot: 3Edges example]
  • 11. Stateful vs. Stateless
  For graph-based systems to fully work, you need to ingest all the data you want to reason about. This creates a stateful system.
  Generally, ABAC (policy)-based systems rely on a P*P architecture with the notion of a PIP that fetches data on demand. This creates a stateless system. Stateless systems are easier to maintain but may introduce latency at runtime.
  • 12. Pros & Cons
  Pros of the Policy Approach
  • ABAC/PBAC enables policy-as-code
    o Easier for app owners and developers
  • Policies mirror English more closely
  • Some languages (ALFA) support conflict resolution and combination natively
  • More flexible: use any attributes
  • No need to preload data
  • Policies can express negative cases
  Pros of the Graph Approach
  • Zero-code
  • Native support for relationships, dependencies, and hierarchies
  • Richer schema makes data reasoning easier
  • 13. Summary of Pros & Cons (courtesy of Permit.io)
  Use case
    ABAC: Allows the creation of fine-grained policies based on user and resource attributes, significantly extending upon basic RBAC.
    ReBAC: Designed to represent hierarchies and nested relationships, making it the most suitable choice for managing permissions for complex hierarchical relationships.
  Representation of relationships
    ABAC: Can be cumbersome and verbose when managing access to hierarchical structures where resources are nested under other resources.
    ReBAC: Excellent for representing hierarchies and nested relationships.
  Reverse indices (who has access to y, instead of does x have access to y)
    ABAC: Implementing reverse indices is very difficult.
    ReBAC: Naturally supports reverse indices, thanks to ReBAC's graph-like nature.
  Performance
    ABAC: Often provides better query performance but can be heavier on data mapping and loading.
    ReBAC: Data mapping is usually easier, but the recursive nature of relationships can produce inefficient queries.
  Homebrew implementation complexity
    ABAC: Medium complexity compared to other models*
    ReBAC: Highly complex
  Granularity
    ABAC: Extremely high level of granularity
    ReBAC: Higher granularity than RBAC, not as granular as ABAC**
  Policy definition
    Permissions can be defined en masse instead of individually for every single resource by using teams and groups. They can also be added/removed from an application without requiring complex data migrations (e.g., adding/removing permissions for each individual user record)***
  Auditing difficulty
    ABAC: More complex than RBAC, yet still easily auditable if set up correctly.
    ReBAC: The complexity and recursive nature of ReBAC policies can make auditing challenging.
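The graph traversal described on the ReBAC slide and the "reverse indices" row of the comparison table, as an added example that is not code from the slides or from any of the products named: a Zanzibar-style tuple store with a constructed schema, a check() that walks the directed graph, and who_can() answering "who has access to y?" with the same traversal.

```python
# Added example, not code from the slides or any named product: a Zanzibar-style
# relationship graph, a check() that walks it, and the "reverse index" question
# (who has access to y?) answered by the same traversal. All names are constructed.
# Tuples are (object, relation, subject); a subject may be a userset "object#relation".
TUPLES = {
    ("folder:legal", "editor", "user:alice"),
    ("folder:legal", "viewer", "group:paralegals#member"),
    ("group:paralegals", "member", "user:bob"),
    ("doc:brief", "parent", "folder:legal"),
    ("doc:brief", "viewer", "user:carol"),
}
# Schema: "this" = direct tuples; ("rel", r) = holders of r on the same object
# (editor implies viewer); ("tupleset", via, r) = holders of r on objects reached via `via`.
SCHEMA = {
    "folder": {"editor": ["this"], "viewer": ["this", ("rel", "editor")]},
    "group":  {"member": ["this"]},
    "doc":    {"parent": ["this"], "viewer": ["this", ("tupleset", "parent", "viewer")]},
}

def _direct(obj: str, rel: str) -> set[str]:
    return {s for (o, r, s) in TUPLES if o == obj and r == rel}

def expand(obj: str, rel: str, path: frozenset = frozenset()) -> set[str]:
    """All concrete subjects holding `rel` on `obj`, found by traversing the graph."""
    if (obj, rel) in path:                 # cycle guard: never revisit on the current path
        return set()
    path = path | {(obj, rel)}
    users: set[str] = set()
    for rule in SCHEMA[obj.split(":")[0]].get(rel, []):
        if rule == "this":
            for s in _direct(obj, rel):
                if "#" in s:               # userset: follow into the referenced relation
                    o, r = s.split("#")
                    users |= expand(o, r, path)
                else:
                    users.add(s)
        elif rule[0] == "rel":
            users |= expand(obj, rule[1], path)
        else:                              # ("tupleset", via, r)
            for parent in _direct(obj, rule[1]):
                users |= expand(parent, rule[2], path)
    return users

def check(user: str, rel: str, obj: str) -> bool:      # forward: does x have access to y?
    return user in expand(obj, rel)

def who_can(rel: str, obj: str) -> set[str]:           # reverse index: who has access to y?
    return expand(obj, rel)
```

Note that alice reaches doc:brief only through folder editor → folder viewer → doc parent, which is the recursion the "Performance" row warns about: every hop is another traversal step.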
  • 14. OpenID AuthZEN: Providing Interoperability between approaches
  • Different authorization implementations (graph, ABAC…) do not all use the same interface
  • Most are 90% the same
  • Within the OpenID AuthZEN Working Group, we decided to standardize across all solutions
  • Step 1
    o Simple Permit/Deny request/response protocol
  • Step 2
    o Multiple decision approach: bundle multiple requests into a single one and receive multiple decisions back
  • Other WIP
    o Design patterns (integration with OAuth-style approaches)
    o Support obligations in responses
    o ‘Search’ API
  • Do you want to take part?
    o OpenID AuthZEN
    o Join us at the Identiverse AuthZEN Interop on 5/28 in Vegas.
    o Try the Axiomatics AuthZEN PDP at https://pdp.alfa.guide using the Postman collection
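The stateless, PIP-driven evaluation from the "Stateful vs. Stateless" slide and the simple Permit/Deny request/response of AuthZEN Step 1, as an added example that is not code from the slides, from Axiomatics, or from the AuthZEN working group: a minimal PDP evaluating the ALFA viewRecords policy from slide 7 with first-applicable combining. The AuthZEN request/response field names (subject/action/resource with type, id and name; a boolean "decision") are an assumption taken from the AuthZEN draft, and the directory and records data are constructed.

```python
# Added example, not code from the slides: a policy-first PDP that evaluates the
# ALFA-style viewRecords policy (managers view any record, owners view their own)
# with first-applicable combining, fetches attributes on demand through a PIP
# callback (stateless: nothing is preloaded), and takes an AuthZEN-shaped request.
# The request/response field names are an assumption taken from the AuthZEN draft.
from typing import Callable, Optional
PIP = Callable[[str, str], Optional[object]]   # (category, attribute) -> value

class Context:
    """Attributes present in the request are used as-is; others are fetched lazily."""
    def __init__(self, request: dict, pip: PIP):
        self.request, self.pip, self.fetched = request, pip, []
    def get(self, category: str, attr: str):
        cat = self.request.setdefault(category, {})
        if attr not in cat:
            self.fetched.append((category, attr))    # audit trail of PIP lookups
            cat[attr] = self.pip(category, attr)
        return cat[attr]

RULES = [   # (target, effect) in first-applicable order, as in the ALFA policy
    (lambda c: c.get("user", "role") == "manager", "Permit"),
    (lambda c: c.get("record", "owner") == c.get("user", "employeeId"), "Permit"),
]

def evaluate(ctx: Context) -> str:
    if ctx.get("object", "type") != "record" or ctx.get("action", "id") != "view":
        return "NotApplicable"                        # policy set / policy targets
    for target, effect in RULES:
        if target(ctx):
            return effect                             # first applicable rule wins
    return "NotApplicable"

# Constructed stand-ins for an HR directory and a records database (the PIP sources).
DIRECTORY = {"alice": {"role": "manager", "employeeId": "E1"},
             "bob": {"role": "clerk", "employeeId": "E2"}}
RECORDS = {"r42": {"owner": "E2"}}

def authzen_evaluate(req: dict) -> dict:
    """Map {subject, action, resource} onto the policy; reply {"decision": bool, ...}."""
    user, record = req["subject"]["id"], req["resource"]["id"]
    def pip(category: str, attr: str):                # looks up only what a rule asks for
        store = {"user": DIRECTORY.get(user, {}), "record": RECORDS.get(record, {})}
        return store.get(category, {}).get(attr)
    ctx = Context({"object": {"type": req["resource"]["type"]},
                   "action": {"id": req["action"]["name"]}}, pip)
    permit = evaluate(ctx) == "Permit"                # NotApplicable is treated as deny
    return {"decision": permit, "context": {"fetched": ctx.fetched}}

def ask(user: str, record: str, action: str = "view") -> dict:
    return authzen_evaluate({"subject": {"type": "user", "id": user},
                             "action": {"name": action},
                             "resource": {"type": "record", "id": record}})
```

The "fetched" list shows the stateless trade-off from slide 11: a manager costs one PIP lookup, a non-manager three, each of which is a runtime round trip in a real deployment.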
  • 15. Pick the best of both worlds
  You can have vanilla and chocolate ice cream together (and also hold a cone of pistachio ice cream).
  Platforms like OpenFGA, Topaz, and Axiomatics provide a combined approach:
  • Topaz uses a mix of OPA and ReBAC
  • OpenFGA uses Google CEL
  • Axiomatics can model relationships through attributes.
  • 16. Upcoming Events
  Identiverse 2024 (May 28th - 31st, Las Vegas, USA)
  ▶ The Authorization Conversation
  ▶ Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape
  ▶ Don’t Ask for Forgiveness, Ask for Permission!
  European Identity Conference 2024 (June 4th - 7th, Berlin, Germany)
  ▶ Unpacking Authorization Approaches: Policy as Code Versus Traditional Business Needs
  ▶ How AI Can Help IAM Deliver Better and Stronger Authorization
  ▶ Panel: OpenID AuthZEN: Standards for Modern Authorization
  ▶ Panel: Why Authorization Standardization is Imperative
  ▶ Panel: Policy Engines in Practice
  • 17. Additional Reading
  • Authorization Concepts (Auth0)
  • Intro to Attribute Based Access Control (ABAC)
  • ALFA - the Abbreviated Language for Authorization
  • The Authorization Substack Newsletter
  • IIW 2023 - Introduction to ALFA
  • 📺 The Holy Grail of IAM: Getting to Grips with Authorization