Tackling authorization in your apps and APIs shouldn't be hard. Learn how to decouple your app code from your authorization code, externalize to an authorization framework, leverage a policy language e.g. ALFA, and enable secure access to your APIs. In this presentation we compare and contrast different authorization approaches such as ABAC, ReBAC, Zanzibar, and more.

1. JUNE 2021
The Holy Grail of
IAM: Getting to
Grips with
Authorization
David Brossard
Sr. Director, Prod. Mgmt, Identity,
Salesforce

2. JUNE 2021
England Somewhere Online
2021 A.D.

3. JUNE 2021
HTTP 401
Unauthorized Not quite... HTTP 401 is a
misnomer...
What you meant is 403
Authorization is when you get authentication wrong!

4. JUNE 2021
OAuth
Open Authorization Not quite... OAuth is about access
delegation: I grant an
entity X access to some
of my data / processes in
another entity Y.
So, surely, OAuth is the de facto standard for
authorization, right?

5. JUNE 2021
Authorization...
is about granting or denying an entity access to another entity
The pesky French

6. JUNE 2021
Definition & Requirements
Background

7. JUNE 2021
What is Authorization?
TL; DR Authentication confirms that users are who they say they are.
Authorization gives those users permission to access a resource.
More broadly…
Authentication is about proving a claim about someone or something.
Usually it’s a person’s identity. But it could also be an attribute of that
person e.g. their date of birth.
Authorization is the process of granting (or denying) someone or
something access to something else. Authorization needs to consider
what we know about the requestor and the requested item before
granting access.

8. JUNE 2021
Why the Holy
Grail?
Unlike authentication, authorization is not
just about who you are.

9. JUNE 2021
Grant or deny
users access to
entities
Use a framework
that can adapt to
future needs
What could
happen? What
did happen?
1. Configurable &
Decoupled
2. Future-Proof 5. Auditable
Five Authorization Requirements

10. JUNE 2021
Authorization Venn
Identity Entity
Context

11. JUNE 2021
Can a user view
accounts (as a
whole)?
Can Alice view
account #123?
Which accounts
can Alice view?
Functional Transactional Data-centric
What are the different kinds?

12. JUNE 2021
The enterprise
defines a set of
policies that
determine what
should happen.
Users define who
can access their
data & processes
Enterprise-driven User-driven
Who defines authorization?

13. JUNE 2021
Access rights are
evaluated just-in-
time
Access rights are
granted when
the user is
created
Runtime Design-time
When do we authorize?

14. JUNE 2021
Rule of thumb: if you want to report on it
and audit it, then it belongs to the
authorization realm.
Authorization Business Logic
Drawing the line between...

15. JUNE 2021
Why even bother?
Roles are
enough
I can do all
of that in
code!
I said
policies!

16. JUNE 2021
Models, Standards, &
Frameworks
Existing Approaches

17. JUNE 2021
A few definitions
● Model: abstract approach to
implementing authorization e.g. ACL,
RBAC, and ABAC
● Standard: a formally approved set of
specifications that define how to
address authorization e.g. SAML,
XACML, OAuth…
● Framework: a technical
implementation that handles
authorization without being a standard
itself e.g. Ruby cancancan, OPA
JUNE 2021
Celestial
globe
with
stand,
British
Museum

18. JUNE 2021
Ye Olde Authorization Graph
Authorization
Standards
Frameworks
OASIS
IETF
NIST
Kantara
SAML
XACML
CNCF
OAuth
JWT AT
RAR
GNAP
JSON
Profile
ALFA
NGAC
Models
RBAC ABAC
OPA
UMA
NIST
Language-specific
Vendor-specific
AWS ABAC
SDDL
Spring Security
Ruby Cancancan
...
Polar (Oso)
HL7
FHIR
Industry
Standards
ACL

19. JUNE 2021
Standards, Frameworks & Models Timeline
XACML
(also SAML)
(still not dead)
1992 2001
NGAC
INCITS 499
2013
UMA v.1
2015
2014
ALFA
Profile of
XACML
2012 2017
RBAC ABAC
Open Policy
Agent
(Rego)
2016
OAuth 2.0
JSON
Profile of
XACML
2020
GNAP*
OAuth 2.0
(WIP)
JWT AT
OAuth 2.0
(WIP)
2021
OAuth
RAR
OAuth 2.0
(WIP)
Zanzibar
(Google)
2019
UMA v.2
2018
ACL
*I wasn’t born then so I cannot remember but I think Gerry Gebel was around
Years ago*

20. JUNE 2021
● RBAC
○ 1992: concept formalized (Ferraiolo et al)
○ 2000: original proposal
○ 2004: ANSI/INCITS 359-2004 Role Based
Access Control.
■ rev 2012
○ Identity-based
○ Roles, groups, and hierarchies
● ABAC
○ Introducing policies,
○ attributes, and
○ a decoupled architecture
● NGAC
○ Introduces relations
○ functions, and
○ a graph-based approach
The Knights who
say NIST
NIst

21. JUNE 2021
Identity-derived AuthZ
Behold your
humble servant, Sir
Lancelot of
Camelot.
I am a Knight of
King Arthur, sir.
Standards
OASIS IETF
Kantara
SAML OAuth JWT AT
RAR GNAP
UMA

22. JUNE 2021
GNAP in a in a nut 🥥 shell
● Grant Negotiation and Authorization Protocol
○ Protocol for negotiating access
○ Methods for interacting with humans
○ Validating and verifying the client software
○ Methods for binding keys to message requests
○ Data model of what’s being requested
● Dedicated protocol that addresses additional flows to OAuth
● Token-based (just like OAuth)
● Does not address access control per se
○ Still focuses on access delegation
● Strong focus on access delegation
○ “[...] protocol allows a piece of software, the client instance, to request delegated authorization to
resource servers and to request direct information.”

23. JUNE 2021
JWT AT in a nut 🥥 shell
● JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (IETF Draft)
○ Defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting
an OAuth 2.0 access token as well as for client authentication.
● JWT claims to convey the information needed to support a common set of use cases:
○ token validation
○ transporting authorization information in forms of scopes and entitlements
○ carrying identity information about the subject…
● Interoperability could be easily achieved by standardizing on a common set of claims and
validation rules.
The coconut
It is I, Arthur...
son of Uther Pendragon
… from the castle of Camelot
King of the Britons
… defeator of the Saxons
sovereign of all England!

24. JUNE 2021
OAuth 2.0 Rich Authorization Requests
(RAR)
● RAR specifies a new parameter authorization_details that is used to carry fine grained
authorization data in the OAuth authorization request.
● Why?
○ OAuth 2.0 defines the parameter "scope" that allows clients to specify the requested scope, i.e., the
permission, of an access token.
○ This mechanism is sufficient to implement static scenarios and coarse-grained authorization
requests e.g. "give me read access to the resource owner's profile"
○ it is not sufficient to specify fine-grained authorization requirements, such as "please let me make a
payment with the amount of 45 Euros" or "please give me read access to folder A and write access
to file X".
● A RAR is very similar to a XACML JSON authorization request and an OPA request
● RAR defines authorization data elements types: type, locations, actions, datatypes,
identifier
● RAR can be combined with scopes and OpenID Connect claims
○ The details of how the AS combines these parameters are specific to the APIs being protected and
outside the scope of this specification.

25. JUNE 2021
Example
[
{
"type": "account_information",
"actions": [
"list_accounts",
"read_balances",
"read_transactions"
],
"locations": [
"https://example.com/accounts"
]
},
{
"type": "payment_initiation",
"actions": [
"initiate",
"status",
"cancel"
],
"locations": [
"https://example.com/payments"
],
"instructedAmount": {
"currency": "EUR",
"amount": "123.50"
},
"creditorName": "Merchant123",
"creditorAccount": {
"iban": "DE02100100109307118603"
},
"remittanceInformationUnstructured": "Ref Number Merchant"
}
]

26. JUNE 2021
User-Managed
Access
● OAuth enables constrained delegation
of access to apps on request​
○ Alice can agree to app connections and
also revoke them​
● UMA adds control of cross-party
sharing, letting Alice be absent when
Bob uses a client to attempt access​
● Alice controls trust between resource
hosts and authorization services –
enabling a wide ecosystem of resource
hosts, so Alice can manage sharing
across them​
● UMA can be combined with
XACML and OPA

27. JUNE 2021
Relationship-based sharing use case
King Arthur uses Scroll
OnlineTM to share data on
the Grail
Lancelot is a freelance
knight mercenary
King A. hires Lancelot
Lancelot tries to access
Grail data
Arthur shares a subset
of data with Lancelot A & L fight over
Guinevere
Arthur unshares all data
from Lancelot in one step
Scroll Online sharing
ends and Arthur can
prove it to Merlin
Lancelot gets access to
sensitive Grail data

28. JUNE 2021
Identity-centric AuthZ Limitations
● OAuth and all its derivatives attempt to address authorization by starting from a
user’s identity
● This is in line with RBAC’s philosophy...
● In these cases
○ The authorization cannot use relationships
○ The authorization is easier to manage and audit
○ The authorization is generally static
○ The authorization is generally defined at birth time (when the user is created)
○ You rely on the application code to address the shortcomings of the authorization framework
● OAuth 2.0’s Rich Authorization Requests aims to tackle fine-grained authorization
but…
○ It focuses on the request / response only
○ It does not address the implementation / definition aspect of the authorization

29. JUNE 2021

30. JUNE 2021

31. JUNE 2021
Knights of the Authorization Round Table
Identify your
requirements:
I want to build an app to
browse bank accounts
and make transfers
Identify your authZ
requirements:
A user can view their own
accounts. A user can
transfer up to $500.
Identify the
attributes:
account owner, balance...
Implement your
policies:
In ALFA, XACML, OPA...
Design & deploy
your architecture:
Decide what enforcement
you will use and where
Audit:
What did happen? What
could happen?

32. JUNE 2021
ABAC
ABAC defines:
● A policy-based model (e.g. XACML,
,ALFA OPA)
● Attributes (essentially key-value pairs
that can describe who, what, where,
when, why, and how)
● An architecture for decision-making
and enforcement
● A request-response pattern
● A pattern to fetch additional attributes
(XACML & ALFA only)
ABAC is a logical access control
methodology where authorization to
perform a set of operations is determined
by evaluating attributes associated with
the subject, object, requested operations,
and, in some cases, environment
conditions against policy, rules, or
relationships that describe the allowable
operations for a given set of attributes.

33. JUNE 2021
Architecture
● PEP: Policy Enforcement Point
This is how applications are integrated
into the ABAC architecture. Example
PEPs include API gateways,
annotations, and proxies
● PDP: Policy Decision Point (the
“engine”)
The PDP evaluates policies and
generates decisions
● PIP: Policy Information Point
PIPs allow the PDP to query data
sources for attribute values
● PAP: Policy Administration Point

34. JUNE 2021
XACML
● Established in 2001 alongside SAML, current version ratified in 2013
● Part of the OASIS WS-* group of standards
● Delivers attribute-based access control
○ Follows the same architecture
● Many open-source and commercial implementations
● General purpose authorization
○ API authorization
○ Application
○ Data stores
● Flexible policy structure
○ PolicySet, Policy, Rule
● Enforcement ecosystem
○ Open-source SDKs for Java, .NET, Javascript…
○ Commercial integrations for APIs, SQL databases, COTS...

35. JUNE 2021
I'm not
dead!
I'm
getting
better
Bring
out yer
dead
Here’s
one!
The Internet XACML
The Analyst

36. JUNE 2021
ALFA (the better XACML)
● Same architecture and principles
● A much simpler syntax
○ Sayonara XML
○ Developer-friendly
● IDE plugin for Eclipse → translates on-the-fly to XACML
namespace example{
policy article{
target clause itemType=="article"
apply firstApplicable
rule editArticle{
target clause actionId == "edit" and
userRole == "editor"
permit
condition userId == owner
}
}
}

37. JUNE 2021
NGAC
● ANSI/INCITS standard
● Includes a model, architecture and interface
● NGAC follows the same architecture as ABAC and XACML
● NGAC is graph-based rather than policy-based
○ Define relations between objects
○ A “user” has a relation to an “item”
○ Relations can have conditions on them
● Types of objects:
○ resource objects, and data elements and relations used to express access control policies.
● Types of operations:
○ resource operations (e.g., read, write), and administrative operations for configuring data elements
and relations.
● Functions for:
○ trapping and enforcing policy on access requests, computing decisions to accommodate or reject
those requests based on the current state of the data elements and relations, and automatically
altering access state when specified events occur.

38. JUNE 2021
Open Policy Agent (OPA)
● Developer-first
● Graduated from CNCF incubator in February 2021
● OPA is an open source, general-purpose policy engine that enables unified, context-aware
policy enforcement across the entire stack
● Use cases
○ configuration authorization (such as Kubernetes admission control)
○ API authorization
● Integrates with
○ Kubernetes,
○ Envoy,
○ CoreDNS…
● Use Rego (based on Datalog) as its policy language
● OPA generalized the sidecar pattern for the “PDP”

39. JUNE 2021
Key Differences between XACML / ALFA and
OPA
● Attribute value retrieval
○ The XACML architecture includes a PIP to retrieve attribute values
○ OPA expects all values to come into the request (though newer versions do include a
REST callout)
● Policy Structure
○ XACML is tree-structured and can be any-depth
○ OPA is generally a flat structure
● Request / Response
○ XACML’s request / response has a schema that needs to be followed (either XML or
JSON) → a set of key-value pairs grouped into categories
○ OPA’s format is a simple list of key-value pairs (JSON)
● Room for an OPA profile of XACML?

40. JUNE 2021
Mix & Match
Infrastructure (Kubernetes…)
App
API
OPA
PDP
ALFA
REGO
Governance Layer?
PIP:
UMA
Consent
OAuth
AS
OAuth RAR

41. JUNE 2021
The challenge with ABAC
● Where and how do you enforce?
○ OPA solves this by providing an entire ecosystem to choose from and contribute to
● Where do you get the information from?
● What about performance?
● Is everything really centralized?
○ Choose a PDP deployment that makes sense (centralized, decentralized, sidecar…)
● How do you audit?
○ What happened?
○ What can happen?
● How do you ask open-ended questions?
○ Axiomatics’ Reverse Query for XACML
○ Open Policy Agent’s Partial Evaluation
● Bottom line:
○ Standards are a great first step. However, there are gaps in the authorization lifecycle
that vendors aim to address in their own proprietary ways.

42. JUNE 2021
Tying OAuth with ABACpick your flavor
Application
(Client)
User
(Resource Owner)
Authorization
Server (AS)
Resource Server
(RS)
Policy Enforcement
(PEP) Point
Policy Enforcement
(PEP) Point
Policy Decision
Point (PDP)
Can it be used to
provision dynamically
generated claims?
Use the traditional
ABAC architecture to
enforce at runtime
1. Authorization request
3. Authorization grant
2. Authorization grant
4. Access token
5. Access token

43. JUNE 2021
OAuth, RAR, and ABAC
Application
(Client)
Authorization
Server (AS)
Resource Server
(RS)
Policy Enforcement
(PEP) Point
Policy Decision
Point (PDP)
Relay the RAR to the
PDP
3. Authorization grant
4. Access token
5. Access token

44. JUNE 2021
A European Swallow or an African Swallow?
Zanzibar

45. JUNE 2021
In comes Google’s Zanzibar
● Zanzibar stores access control lists (ACLs) & runs authorization checks based on them
● Zanzibar uses
○ Namespaces e.g. “videos”,
○ relations e.g. “viewer”, that link objects to usersets
○ usersets e.g. “Alice” or “group 1”, and
○ Relation tuples
● ACLs: collections of object-user or objectobject relations represented as relation tuples.
○ Simple ACL: “user U has relation R to object O”.
○ Complex ACL: “set of users S has relation R to object O”,
■ where S is itself specified in terms of another object-relation pair.
○ ACLs can thus refer to other ACLs
● Zanzibar is mostly about user-driven and user-defined authorization
○ This is different from the approach ABAC as a whole (OPA, XACML) takes
○ Strong focus on privacy, distribution, and consistency
● Companies like Authzed are adapting Zanzibar to address ABAC-like requirements.
● Usenix ATC 2019 presentation: Slides | Video | Paper

46. JUNE 2021
Catching up with my
neighbor (the graficionado)
● Can GraphQL be used to express
authorization?
● 2 nodes and a link
○ An actor
○ A resource
○ The link is qualified with an
action
○ The link can have conditions
● Can the native tools GraphQL has
be used to compute authorization
decisions?
● Is IRM a thing?

47. JUNE 2021
My favorite color is red… no blue
(aka I’m still confused)
● The authorization world is growing: the # of new startups is a homage to its
vibrance
● XACML’s XML syntax is dead, XACML isn’t
○ XACML, ALFA, and OPA are essentially variations of the same model, ABAC
● Graph-based approaches such as Nulli’s or Authzed (based on Zanzibar) are
worth keeping an eye on
● Application and infrastructure vendors (Azure, AWS, SaaS, app frameworks)
will keep offering their own approach
○ AWS’s IAM is a great example of ABAC using tags and policies (attached
to users, objects)
● What matters is the ability to easily author, manage, and audit your policies

48. JUNE 2021
The AuthZ Grail
● Developer-minded
● Relevant
● Business-oriented
● Audit-enabled
● Lifecycle & Governance
Authorization
Authorization

49. JUNE 2021
Justin Richer
Independent
consultant
Thanks to these helpful knights
Gal Helemski Co-
founder PlainID
Amit Kanfer
Co-Founder &
CEO -
build.security
Jacob Moshenko
Co-Founder -
Authzed
Srijith Nair
Chief Strategy
Officer -
Axiomatics
Prabath
Siriwardena -
Deputy CTO
WSO2
Sulay Shah
Product Mgmt,
IAM - AWS
Ward
Duchamps,
CEO
Scaled
Access

50. JUNE 2021
Additional reading
● Authorization, What Are My Options?
● Open Policy Agent - A comparison
● Authorization Made Simple: Using ALFA, REST, and JSON to Secure Applications
● UMA 101 - Understanding User-Managed Access
● Monty Python and the Holy Grail on Netflix
● Zanzibar: Google’s Consistent, Global Authorization System
● Tutorial: A Beginner’s Guide to XACML (Part 2) Getting Started with ALFA

51. JUNE 2021
What... is your
favorite
authorization
standard?