Authorization is becoming more important than ever as the growth in data, services, apps, and users shows no sign of slowing down. Making sure the right individuals have access to the right data under the right circumstances is paramount. In this presentation, I will discuss the different approaches to dynamic, runtime authorization.
Apache Calcite: A Foundational Framework for Optimized Query Processing Over ...Julian Hyde
A talk given at ACM SIGMOD 2018 in support of the paper <a href="https://arxiv.org/abs/1802.10233"> Calcite: A Foundational Framework for Optimized Query Processing Over Heterogeneous Data Sources</a>.
Apache Calcite is a foundational software framework that provides query processing, optimization, and query language support to many popular open-source data processing systems such as Apache Hive, Apache Storm, Apache Flink, Druid, and MapD. Calcite's architecture consists of a modular and extensible query optimizer with hundreds of built-in optimization rules, a query processor capable of processing a variety of query languages, an adapter architecture designed for extensibility, and support for heterogeneous data models and stores (relational, semi-structured, streaming, and geospatial). This flexible, embeddable, and extensible architecture is what makes Calcite an attractive choice for adoption in big-data frameworks. It is an active project that continues to introduce support for the new types of data sources, query languages, and approaches to query processing and optimization.
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
An introduction to Graph databases and in particular Neo4j, including where Neo4j lives on the CAP Scale in relation to other databases, the Graph data model and a very quick introduction to the Cypher Query Language.
Multi-tenancy in data lakes is on the rise. When looking at multi-tenancy through the lens of data governance, a lot is changing the landscape, and the way we have been operating with respect to the governance model probably needs a rethink. It is time to treat governance and its various entities as first-class citizens in data architecture and bake them into the platform. We will look at the various aspects of governance, extend them to accommodate the growing compliance and regulatory requirements, and suggest architectural approaches to realize the same.
The Business Case for Semantic Web Ontology & Knowledge GraphCambridge Semantics
In this webinar Mark Wallace, Ontologist & Developer, Semantic Arts, and Thomas Cook, Director of Sales AnzoGraph DB, Cambridge Semantics, explore the benefits of building a Semantic Knowledge Graph with RDF*, wrapping up with an airline data demo that illustrates the value of schema, inference and reasoning in it.
5th in the AskTOM Office Hours series on graph database technologies. https://devgym.oracle.com/pls/apex/dg/office_hours/3084
PGQL: A Query Language for Graphs
Learn how to query graphs using PGQL, an expressive and intuitive graph query language that's a lot like SQL. With PGQL, it's easy to get going writing graph analysis queries to the database in a very short time. Albert and Oskar show what you can do with PGQL, and how to write and execute PGQL code.
An overview of the ALFA Abbreviated Language for Authorization and how it accepts authorization requests and produces authorization decisions that are returned to a client.
PoolParty Semantic Suite is Semantic Web Company’s platform for enterprise information integration based on Linked Data principles. PoolParty consists of several components that process and manage RDF based data sets. These components have consistency requirements towards the data they work on.
Also, users have requirements towards the quality of the data they manage. We want to express constraints for both in a standard way throughout PoolParty components. SKOS-based PoolParty Thesaurus project data requires both consistency and quality.
OUG Scotland 2014 - NoSQL and MySQL - The best of both worldsAndrew Morgan
Understand how you can get the benefits you're looking for from NoSQL data stores without sacrificing the power and flexibility of the world's most popular open source database - MySQL.
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
Ray Kao and Kevin Harris from Microsoft presenting ‘Kubernetes Security with Calico and Open Policy Agent’ at the spring 2019 Kubernetes and Cloud Native meetup in Toronto.
How To Model and Construct Graphs with Oracle Database (AskTOM Office Hours p...Jean Ihm
2nd in the AskTOM Office Hours series on graph database technologies. https://devgym.oracle.com/pls/apex/dg/office_hours/3084
With property graphs in Oracle Database, you can perform powerful analysis on big data such as social networks, financial transactions, sensor networks, and more.
To use property graphs, first, you’ll need a graph model. For a new user, modeling and generating a suitable graph for an application domain can be a challenge. This month, we’ll describe key steps required to construct a meaningful graph, and offer a few tips on validating the generated graph.
Albert Godfrind (EMEA Solutions Architect), Zhe Wu (Architect), and Jean Ihm (Product Manager) walk you through, and take your questions.
What is NoSQL? How did it come into the picture? What are the types of NoSQL? Some basics of the different NoSQL types. Differences between RDBMS and NoSQL. Pros and cons of NoSQL.
What is MongoDB? What are the features of MongoDB? Nexus architecture of MongoDB. Data model and query model of MongoDB? Various MongoDB data management techniques. Indexing in MongoDB. A working example using MongoDB Java driver on Mac OSX.
As relational and NoSQL databases continue to adopt characteristics of each other, it becomes more important to understand that ACID-BASE is a spectrum. Instead of making a binary choice between ACID and BASE, developers and designers choose a combination of varying levels of data consistency, availability and network partition tolerance. This presentation briefly describes the ACID-BASE spectrum, the CAP Theorem and how to find the right balance of trade-offs for your application.
Neo, wake up! SOA has you! :)
A complete academic overview of the Web Oriented Architecture. A comparison between WOA and SOA is described in detail. What is ReST and why it is so important for the WOA. A ReST-to-SOAP proxy, based on Oracle Service Bus, is explained. Which products are WOA lovers searching for? This presentation has some "sponsored slides" from Oracle.
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...David Brossard
In this presentation, Mark Berg, my colleague at Axiomatics, presented the latest on the Abbreviated Language for Authorization (ALFA), OASIS’s standard for fine-grained authorization. You can read more at https://alfa.guide.
ALFA is a fine-grained authorization language that allows you to implement any number of authorization models, from RBAC to ReBAC and ABAC. It is dynamic, fully declarative, and conforms to the NIST ABAC standard.
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...David Brossard
During Nordic APIs 2024, I discussed the different authorization approaches to securing APIs. Much like authentication (via OAuth and others) is externalized from the API, so should authorization be. There are different options ranging from ABAC (attribute-based access control) to ReBAC (relationship-based access control).
This presentation talks about the OWASP challenges developers are faced with and how externalized authorization can help address them in a clean and efficient way. We also look into an example of fine-grained authorization using ALFA, the Abbreviated Language For Authorization.
More Related Content
Similar to Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
Tackling authorization in your apps and APIs shouldn't be hard. Learn how to decouple your app code from your authorization code, externalize to an authorization framework, leverage a policy language e.g. ALFA, and enable secure access to your APIs. In this presentation we compare and contrast different authorization approaches such as ABAC, ReBAC, Zanzibar, and more.
As of October 2023, the OpenID Foundation has launched a new working group to tackle challenges around externalized authorization. The group brings together vendors, customers, and R&D partners to drive the design and adoption of authorization patterns.
The purpose of the AuthZEN WG is to provide standard mechanisms, protocols and formats to communicate authorization related information between components within one organization or across organizations, which may have been developed or sourced from different entities.
The chairs can be reached at openid-specs-authzen@lists.openid.net
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
APIs have become the backbone of many services nowadays - from the weather forecast to delivery notifications and photo printing services. Not only can we consume data and services more readily through those APIs but we can also mash them up into greater services. To do so, we tackled API security through OAuth and OpenID Connect. They form a good basis to handle authentication and basic authorization delegation, but there is so much more to consider from an authorization perspective. This session will discuss how security concerns can be addressed through policy-driven authorization in a way that meets the needs and expectations of application developers, owners, and auditors alike. We will show how complex access policies can be handled through a dedicated authorization microservice. With this approach, you can automate security deployment changes within the same CI/CD pipelines used for application management. Furthermore, new deployment configurations are possible, such as implementing the authorization service as a sidecar, to meet advanced performance and scale requirements. All this without changing a single line of code.
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
In this 20-minute presentation, David of the OASIS XACML TC and Axiomatics will show how XACML can be used to address fine-grained authorization, attribute-based access control, and policy-based access control using the REST, JSON, and ALFA profiles of XACML making authorization easy to create and consume.
This presentation was initially delivered at Oxford University in 2019.
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
In this presentation delivered at the European Identity Conference, I discuss how externalized dynamic authorization management based on attributes and policies (ABAC and PBAC) has evolved to cater to securing cloud capabilities such as S3, Databricks, and so on.
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
In this presentation, I cover the history of access control, from simpler models e.g. access control lists (ACL) to Role Based Access Control (RBAC) and eventually Attribute Based Access Control (ABAC). I then discuss limitations of RBAC and how ABAC provides a better alternative using attributes and policies.
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.
With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
In this presentation delivered at the European Identity Conference, David looks at externalized authorization, attribute-based access control (ABAC) and XACML and how it can help implement privacy regulations.
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.
Authorization - it's not just about who you areDavid Brossard
Worried about who's getting access to your app? Sprinkle in XACML and get access control that is both context-aware, externalized and dynamic.
Need to add more than basic access control to your application? Existing authorization frameworks have their pros and cons, but they are typically quite limited. This talk introduces XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that focuses not only on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.
The talk will then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as "any-breadth authorization". XACML also enables consistent authorization across multiple layers (presentation tier, web tier, business tier, and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a JDBC connection. This is also known as "any-depth authorization".
During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.
In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
In this panel hosted by Ian Glazer, my colleague Gerry Gebel introduces the audience to XACML and its latest developments including REST, JSON, and more developer-friendly initiatives.
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.
4. Confidential
axiomatics.com
RBAC, ABAC, PBAC, ReBAC
RBAC - 1992 - NIST (Ferraiolo et al.) - Role Based Access Control (RBAC)
ABAC - 2013 - NIST (Ferraiolo et al.) - Attribute Based Access Control (ABAC)
PBAC - more of a marketing term; generally the same as ABAC
ReBAC - 2007 - IEEE paper by Carrie Gates - Access Control Requirements for Web 2.0 Security and Privacy
6. ABAC & PBAC…
Basics
• Everything is attributes
• Policies combine attributes together
• Attributes can represent contextual data
o Time | Location | Risk | Device
• Policies are decoupled from data
o Retrieve your data from wherever it lives
Example
P: A person can fish non-endangered species
during daytime if they have a valid permit and
they have not exceeded their daily quota.
Q: Can Joe, the teenager on vacation, fish
trout in Glacier National Park at 2pm?
A: 🎣 Permit
[Figure: the request decomposed into the attributes the policy reasons over: Location, Time, Identity, Age, Action, Resource, Conservation (status of the species).]
7. Examples of ABAC Policies

Rego (OPA):

# user_is_owner, user_is_employee, user_is_senior, user_is_customer,
# action_is_read, action_is_update and pet_is_adopted are helper rules
# defined elsewhere in the same package.
default allow := false
allow if user_is_owner
allow if {
    user_is_employee
    action_is_read
}
allow if {
    user_is_employee
    user_is_senior
    action_is_update
}
allow if {
    user_is_customer
    action_is_read
    not pet_is_adopted
}

ALFA:

policyset records {
    target clause objectType == "record"
    apply firstApplicable
    policy viewRecords {
        target clause actionId == "view"
        apply firstApplicable
        rule managers {
            target clause user.role == "manager"
            permit
        }
        rule owner {
            permit
            condition record.owner == user.employeeId
        }
    }
}

AWS Cedar:

permit (
    principal == PhotoApp::User::"alice",
    action == PhotoApp::Action::"viewPhoto",
    resource == PhotoApp::Photo::"vacationPhoto.jpg"
);

permit (
    principal == PhotoApp::User::"stacey",
    action == PhotoApp::Action::"viewPhoto",
    resource
)
when { resource in PhotoApp::Account::"stacey" };
8. ALFA Policies can be visualized… 🥁as graphs (sort of)
[Figure: a policy tree for "Attorney View Court Reporter Transcript". The root node uses the DO combining algorithm (deny-overrides) and has four child nodes, each using DuP (deny-unless-permit) and each holding one permit rule. All four are ticked ✔ in the figure.]
• Permit if the attorney is assigned to the case. (The attorney must be assigned to the case.)
• Permit if the attorney is in good standing. (The attorney must be in good standing.)
• Permit if the attorney is licensed. (The attorney must be licensed to practice in court.)
• Permit if the attorney checks are all good. (The attorney must be cleared.)
Graph-based AuthZ: ReBAC-first
ReBAC defines an authorization paradigm where a subject's permission to access a resource is defined by the presence of relationships between those subjects and resources.
Data becomes front and center.
Data is modelled onto a graph → Graph-based authorization
In general, authorization is performed by traversing the directed graph of relationships. The nodes and edges of this graph are very similar to triples in RDF.
Stateful vs. Stateless
In order for graph-based systems to fully work, you need to suck in all the data you want to reason about. This creates a stateful system.
Generally, ABAC (policy)-based systems rely on a P*P architecture (PEP, PDP, PIP) with the notion of a PIP that fetches data on demand. This creates a stateless system. These are easier to maintain but may introduce latency at runtime.
Pros & Cons
Pros of the Policy Approach
• ABAC/PBAC enables policy-as-code
o Easier for app owners and developers
• Policies mirror English more closely
• Some languages (ALFA) support conflict resolution and combination natively
• More flexible: use any attributes
• No need to preload data
• Policies can express negative cases
Pros of the Graph Approach
• Zero-code
• Native support for relationships, dependencies, and hierarchies
• Richer schema makes data reasoning easier
Summary of Pros & Cons (ABAC vs. ReBAC)

Use case
  ABAC: allows the creation of fine-grained policies based on user and resource attributes, significantly extending upon basic RBAC.
  ReBAC: designed to represent hierarchies and nested relationships, making it the most suitable choice for managing permissions for complex hierarchical relationships.
Representation of relationships
  ABAC: can be cumbersome and verbose when managing access to hierarchical structures where resources are nested under other resources.
  ReBAC: excellent for representing hierarchies and nested relationships.
Reverse indices (who has access to y, instead of does x have access to y)
  ABAC: implementing reverse indices is very difficult.
  ReBAC: naturally supports reverse indices (thanks to ReBAC's graph-like nature).
Performance
  ABAC: often provides better query performance but can be heavier on data mapping and loading.
  ReBAC: data mapping is usually easier, but the recursive nature of relationships can produce inefficient queries.
Homebrew implementation complexity
  ABAC: medium complexity compared to other models*
  ReBAC: highly complex
Granularity
  ABAC: extremely high level of granularity
  ReBAC: higher granularity than RBAC, not as granular as ABAC**
Policy definition
  Permissions can be defined en masse instead of individually for every single resource by using teams and groups. They can also be added/removed from an application without requiring complex data migrations (e.g., adding/removing permissions for each individual user record)***
Auditing difficulty
  ABAC: more complex than RBAC, yet still easily auditable if set up correctly.
  ReBAC: the complexity and recursive nature of ReBAC policies can make auditing challenging.
(courtesy of Permit.io)
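The graph traversal described on the ReBAC slide, and the reverse-index row of the table above, shown in one added example that is not from the slides or any of the products named: a toy store of relationship tuples (object, relation, subject) with a schema, data and names that are all constructed for illustration.

```python
from collections import defaultdict

# Added example, not from the slides: a toy ReBAC store of relationship
# tuples (object, relation, subject) and the graph traversal that answers
# both "does x have access to y?" and the reverse "who has access to y?".
# Schema, tuple data and all names are constructed for illustration.

IMPLIES_VIEWER = {"owner", "editor", "viewer"}   # relations that grant view
PARENT_REL = "parent"                            # edge to the enclosing object

TUPLES = [
    ("folder:legal", "owner", "user:alice"),
    ("folder:legal", "viewer", "group:paralegals#member"),  # userset subject
    ("group:paralegals", "member", "user:bob"),
    ("doc:brief", PARENT_REL, "folder:legal"),              # inherits from folder
    ("doc:memo", "viewer", "user:carol"),
]

# Adjacency list of the directed relationship graph: object -> [(relation, subject)]
FORWARD = defaultdict(list)
for obj, rel, subj in TUPLES:
    FORWARD[obj].append((rel, subj))

def expand(obj: str, rel: str, seen=None) -> set:
    """All users holding `rel` on `obj`, found by walking the graph: direct
    grants, userset subjects such as group#member, and grants inherited
    through parent links. `seen` guards against cycles in the data."""
    seen = set() if seen is None else seen
    if (obj, rel) in seen:
        return set()
    seen.add((obj, rel))
    users = set()
    for r, subj in FORWARD[obj]:
        if r == PARENT_REL and rel == "viewer":
            users |= expand(subj, rel, seen)       # walk up to the parent
        elif r == rel or (rel == "viewer" and r in IMPLIES_VIEWER):
            if "#" in subj:                        # expand the userset
                group, group_rel = subj.split("#", 1)
                users |= expand(group, group_rel, seen)
            else:
                users.add(subj)
    return users

def check(user: str, rel: str, obj: str) -> bool:
    """Does x have access to y? (the forward question)"""
    return user in expand(obj, rel)

def who_can(rel: str, obj: str) -> set:
    """Who has access to y? The same traversal, read from the object side,
    is the reverse index that ReBAC gets for free from its graph."""
    return expand(obj, rel)
```

`check("user:bob", "viewer", "doc:brief")` is true only because the traversal crosses a parent edge and then a group userset; an ABAC engine would need every user's attributes enumerated to answer `who_can` the same way.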
OpenID AuthZEN: Providing Interoperability between approaches
• Different authorization implementations (graph, ABAC…) do not all use the same interface
• Most are 90% the same
• Within the OpenID AuthZEN Working Group, we decided to standardize across all solutions
• Step 1
o Simple Permit/Deny request/response protocol
• Step 2
o Multiple decision approach: bundle multiple requests into a single one and receive multiple decisions back
• Other WIP
o Design patterns (integration with OAuth-style approaches)
o Support obligations in responses
o ‘Search’ API
• Do you want to take part?
o OpenID AuthZEN
o Join us at the Identiverse AuthZEN Interop on 5/28 in Vegas.
o Try the Axiomatics AuthZEN PDP at https://pdp.alfa.guide using the Postman Collection
Pick the best of both worlds
You can have vanilla and chocolate ice cream together (and also hold a cone of pistachio ice cream)
Platforms like OpenFGA, Topaz, and Axiomatics provide a combined approach:
• Topaz uses a mix of OPA and ReBAC
• OpenFGA uses Google CEL
• Axiomatics can model relationships through attributes.
Upcoming Events
Identiverse 2024 (May 28th - 31st, Las Vegas, USA)
▶ The Authorization Conversation
▶ Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape
▶ Don't Ask for Forgiveness, Ask for Permission!
European Identity Conference 2024 (June 4th - 7th, Berlin, Germany)
▶ Unpacking Authorization Approaches: Policy as Code Versus Traditional Business Needs
▶ How AI Can Help IAM Deliver Better and Stronger Authorization
▶ Panel: OpenID AuthZEN: Standards for Modern Authorization
▶ Panel: Why Authorization Standardization is Imperative
▶ Panel: Policy Engines in Practice
Additional Reading
• Authorization Concepts (Auth0)
• Intro to Attribute Based Access Control (ABAC)
• ALFA - the Abbreviated Language for Authorization
• The Authorization Substack Newsletter
• IIW 2023 - Introduction to ALFA
• 📺The Holy Grail of IAM: Getting to Grips with Authorization