Sunday, April 13, 2008

Building an Entitlements Management Solution

What does it take to build an Entitlements Management solution? That
depends on who you ask, of course. However, when I look at commercial
products in this area I see certain common architectural patterns.
Many of the products that I've seen make use of a set of common elements
defined by the OASIS XACML standard (eXtensible Access Control Markup
Language). The [referenced] picture shows the typical components of an
Entitlements Management solution. The XACML spec defines the roles of
the Policy Administration Point (PAP), the Policy Decision Point (PDP),
the Policy Enforcement Point (PEP), and the Policy Information Points
(PIPs).

The Policy Administration Point (PAP) manages the creation and
storage of policy data in the Policy Store. The administrator interacts
with the PAP (typically) through a browser-based management console
where roles, policies, resources, actions and so forth are defined and
managed. The policy store may be an LDAP directory or a database. The
PAP may also provide facilities for policy import and export. Most
products provide management APIs that allow customers to embed
administrative functionality into their own applications.

Runtime role or authorization decisions are determined at the Policy
Decision Points. Typically I've seen two ways that PDPs are deployed:
(1) as a centralized entitlements server that can be invoked by remote
clients via RMI, Web Service calls or the XACML 2.0 request/response
protocol; (2) as an embedded PDP deployed in the same process space as
the application. The most common examples are PDPs embedded in a JVM
for plain Java applications or embedded in an application server for
J2EE applications... The Policy Enforcement Point (PEP) is the
component that sits in front of the protected resource: it intercepts
the access attempt, packages the subject, resource and action
attributes into a request, submits that request to the PDP, and
enforces whatever decision comes back. A policy is only as good as the
PEP's coverage, so every path to the resource has to pass through a
PEP, and a PEP should treat anything other than an explicit Permit
(Deny, NotApplicable, or Indeterminate when the PDP could not evaluate
the request) as a refusal.

The PDPs can be configured to get data from one or more Policy
Information Points (PIPs). These PIPs can be user or application
directories or databases that contain information that is required to
make an access decision. Such information includes user, group and
resource attributes (e.g. user profile information, account balances
and limits, etc.). These attributes can then be used in the policies
which control access...
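To make the PAP/PDP/PEP/PIP split concrete, here is an added example (not code from this post or from any of the products mentioned) of the whole round trip in Python: a PEP wraps an access attempt in an XACML 2.0 context Request, a PDP evaluates a small policy with a simplified deny-overrides combination, pulls subject attributes it does not have from a PIP, and answers with a context Response that the PEP then enforces. The users, the rules, the urn:example:amount resource attribute and the in-memory user directory are all constructed for the example; the PDP also shows the failure modes a PEP has to handle (NotApplicable, and Indeterminate with a missing-attribute status when the PIP cannot resolve a subject).

```python
"""Minimal XACML 2.0-style PAP/PDP/PEP/PIP round trip (constructed example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
STATUS_SYNTAX = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
STATUS_PROCESSING = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
ET.register_namespace("", XACML_CTX)  # serialise the context namespace as the default

# Constructed PIP: stands in for the user directory. Hypothetical users and
# attributes; the PDP consults it for subject attributes absent from the request.
USER_DIRECTORY = {
    "alice": {"role": "teller", "txn_limit": 5000},
    "bob": {"role": "auditor", "txn_limit": 0},
}

# Constructed policy (what a PAP would have stored): (Effect, condition) pairs.
# Conditions read attributes and raise KeyError when one cannot be resolved.
POLICY = [
    ("Deny", lambda c: c["action"]["action-id"] == "withdraw"
                       and int(c["resource"]["amount"]) > c["subject"]["txn_limit"]),
    ("Permit", lambda c: c["subject"]["role"] == "teller"
                         and c["action"]["action-id"] in ("withdraw", "deposit")),
    ("Permit", lambda c: c["subject"]["role"] == "auditor"
                         and c["action"]["action-id"] == "read"),
]


class PipBackedAttributes(dict):
    """Subject attributes from the request, fetched from the PIP when missing."""

    def __init__(self, request_attrs, subject_id):
        super().__init__(request_attrs)
        self.subject_id = subject_id

    def __missing__(self, key):
        return USER_DIRECTORY[self.subject_id][key]  # KeyError -> Indeterminate


def make_request(subject, resource, action, amount=None):
    """PEP side: wrap the access attempt in an XACML 2.0 context Request.
    The amount attribute uses a hypothetical urn:example: identifier."""
    def attr(attr_id, value, datatype=XS_STRING):
        return (f'<Attribute AttributeId="{attr_id}" DataType="{datatype}">'
                f'<AttributeValue>{escape(str(value))}</AttributeValue></Attribute>')
    amount_xml = "" if amount is None else attr(
        "urn:example:amount", amount, "http://www.w3.org/2001/XMLSchema#integer")
    return (f'<Request xmlns="{XACML_CTX}">'
            f'<Subject>{attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)}</Subject>'
            f'<Resource>{attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)}'
            f'{amount_xml}</Resource>'
            f'<Action>{attr("urn:oasis:names:tc:xacml:1.0:action:action-id", action)}</Action>'
            '</Request>')


def parse_request(request_xml):
    """PDP side: flatten the Request into {category: {short-attribute-id: value}}."""
    root = ET.fromstring(request_xml)
    ctx = {}
    for category in ("Subject", "Resource", "Action"):
        attrs = {}
        for elem in root.findall(f"{{{XACML_CTX}}}{category}"):
            for a in elem.findall(f"{{{XACML_CTX}}}Attribute"):
                # Key by the last URN segment: "subject-id", "action-id", "amount".
                key = a.get("AttributeId", "").rsplit(":", 1)[-1]
                attrs[key] = a.findtext(f"{{{XACML_CTX}}}AttributeValue")
        ctx[category.lower()] = attrs
    ctx["subject"] = PipBackedAttributes(ctx["subject"], ctx["subject"].get("subject-id"))
    return ctx


def decide(request_xml):
    """PDP: evaluate POLICY with a simplified deny-overrides combination: any Deny
    wins; otherwise any evaluation error yields Indeterminate (the spec's own
    algorithm is more lenient about errors in Permit rules); otherwise Permit if
    any rule permits; otherwise NotApplicable. Returns (decision, status code)."""
    try:
        ctx = parse_request(request_xml)
    except ET.ParseError:
        return "Indeterminate", STATUS_SYNTAX
    effects, error = set(), None
    for effect, condition in POLICY:
        try:
            if condition(ctx):
                effects.add(effect)
        except KeyError:      # attribute neither in the request nor in the PIP
            error = STATUS_MISSING
        except ValueError:    # attribute present but not usable (e.g. non-integer amount)
            error = STATUS_PROCESSING
    if "Deny" in effects:
        return "Deny", STATUS_OK
    if error:
        return "Indeterminate", error
    if "Permit" in effects:
        return "Permit", STATUS_OK
    return "NotApplicable", STATUS_OK


def build_response(decision, status):
    """Serialise the decision as an XACML 2.0 context Response."""
    root = ET.Element(f"{{{XACML_CTX}}}Response")
    result = ET.SubElement(root, f"{{{XACML_CTX}}}Result")
    ET.SubElement(result, f"{{{XACML_CTX}}}Decision").text = decision
    status_el = ET.SubElement(result, f"{{{XACML_CTX}}}Status")
    ET.SubElement(status_el, f"{{{XACML_CTX}}}StatusCode", Value=status)
    return ET.tostring(root, encoding="unicode")


def pep_allows(request_xml):
    """PEP: read the Response as a remote caller would; only Permit grants access."""
    response = build_response(*decide(request_xml))
    decision = ET.fromstring(response).findtext(f".//{{{XACML_CTX}}}Decision")
    return decision == "Permit"  # Deny, NotApplicable and Indeterminate all refuse
```

With the constructed directory, alice (a teller with a 5000 limit) withdrawing 3000 is permitted, withdrawing 9000 is denied because the Deny rule overrides the teller Permit, and an unknown subject gets Indeterminate with a missing-attribute status rather than a silent Permit; pep_allows turns every non-Permit outcome into a refusal. In a real deployment the PIP lookup in PipBackedAttributes would be an LDAP or database query and the Request/Response strings would cross the wire to a centralized PDP, but the division of labour is the same.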