
I'm wondering how large companies with tens or hundreds of applications are handling access rights for their users. From what I've seen, it's a nightmare that never ends, and it requires full-time resources for a poor result.

I'm not looking for specific examples of IAM solutions, but more generally, what are the different options for doing that, from defining the roles and accesses to implementing, modifying and reviewing the privileges on the systems.

Also, are home-made solutions with connectors to all the applications used in the real world, or would that just be another pain in the neck to develop and maintain?

ack__

1 Answer


Larger enterprises go through centralized initiatives led by the infrastructure team - the very same team that typically manages authentication. To make sure the access rights management works and scales correctly, many turn to standard architectures such as the one put forward in XACML and older specifications.

This architecture defines the notion of:

  • policy enforcement points (PEP) responsible for protecting your app. These could be web access management gateways, API gateways, and more.
  • a central policy decision point (PDP) which processes authorization requests and produces an authorization decision
  • a central policy administration point (PAP) used to define and manage authorization policies.

To learn more I would recommend you turn to the NIST reports on RBAC and especially ABAC:

I also recently gave a presentation on externalized authorization management at the Cloud Identity Summit. You can download the slides here.

HTH, David.

David Brossard
  • Thank you for this helpful answer. Would you have other reading recommendations? I found NIST interesting but clearly too theoretical; what I'm looking for is real-world implementations in environments with loooots of apps running, where you have usually lost control over who can access what, why and how. – ack__ Jul 25 '14 at 14:41
  • Have a look at this webinar - it might help - https://www.linkedin.com/groups/Webinar-CSS-Insurance-Swiss-insurance-3934718.S.222028864 – David Brossard Jul 25 '14 at 18:08
  • Here is another interesting link: http://www.slideshare.net/nordicapis/authorization-the-missing-piece-of-the-puzzle – David Brossard Jul 26 '14 at 21:17
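The PEP / PDP / PAP split described in the answer, as an added example that is not part of the original post and is not XACML (no XML policy language, no request/response schema): a toy policy store (PAP), a decision engine with a deny-overrides combining algorithm (PDP), and a guard in front of the application that only lets an explicit Permit through (PEP). The expense-report policy, the attribute names (`id`, `role`, `department`, `owner`, `hour`) and the users are all constructed for the example. The last function shows the property the asker is after: once decisions are centralized, "who can approve this report" becomes a query over the directory instead of an audit of every application.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A rule's predicate receives (subject, resource, action, environment) attributes.
Predicate = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str          # "Permit" or "Deny"
    matches: Predicate   # target + condition folded into one predicate


@dataclass
class PAP:
    """Policy Administration Point: the one place policies are authored and stored."""
    rules: List[Rule] = field(default_factory=list)

    def add(self, name: str, effect: str, matches: Predicate) -> None:
        assert effect in ("Permit", "Deny")
        self.rules.append(Rule(name, effect, matches))


class PDP:
    """Policy Decision Point: evaluates a request with deny-overrides combining."""

    def __init__(self, pap: PAP) -> None:
        self.pap = pap

    def decide(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> str:
        permitted = False
        for rule in self.pap.rules:
            if rule.matches(subject, resource, action, env):
                if rule.effect == "Deny":
                    return "Deny"          # any applicable Deny wins
                permitted = True
        return "Permit" if permitted else "NotApplicable"


class PEP:
    """Policy Enforcement Point: guards the app; only an explicit Permit gets through,
    so NotApplicable (no matching rule) is treated as a refusal."""

    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def allow(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> bool:
        return self.pdp.decide(subject, resource, action, env) == "Permit"


def build_pap() -> PAP:
    """Sample ABAC policy for a hypothetical expense-report app (constructed for this example)."""
    pap = PAP()
    pap.add("manager-approves-own-department", "Permit",
            lambda s, r, a, e: a == "approve" and s.get("role") == "manager"
            and s.get("department") == r.get("department"))
    pap.add("owner-views-own-report", "Permit",
            lambda s, r, a, e: a == "view" and s.get("id") == r.get("owner"))
    pap.add("auditor-views-everything", "Permit",
            lambda s, r, a, e: a == "view" and s.get("role") == "auditor")
    # Segregation of duties: a Deny rule beats the manager Permit above.
    pap.add("no-self-approval", "Deny",
            lambda s, r, a, e: a == "approve" and s.get("id") == r.get("owner"))
    # Environment attribute: approvals only during business hours (08:00-17:59).
    pap.add("no-approval-outside-business-hours", "Deny",
            lambda s, r, a, e: a == "approve" and not 8 <= e.get("hour", -1) < 18)
    return pap


ENFORCER = PEP(PDP(build_pap()))


def is_allowed(subject: Attrs, resource: Attrs, action: str, env: Attrs) -> bool:
    """What an application would call at each protected operation."""
    return ENFORCER.allow(subject, resource, action, env)


def who_can(action: str, resource: Attrs, env: Attrs, directory: List[Attrs]) -> List[str]:
    """Access review: evaluate the central policy over the user directory."""
    return [u["id"] for u in directory
            if ENFORCER.pdp.decide(u, resource, action, env) == "Permit"]


# Constructed sample directory and resources.
USERS = [
    {"id": "alice", "role": "manager", "department": "finance"},
    {"id": "bob", "role": "employee", "department": "finance"},
    {"id": "carol", "role": "auditor", "department": "audit"},
    {"id": "dave", "role": "manager", "department": "engineering"},
]
ALICE, BOB, CAROL, DAVE = USERS
BOB_REPORT = {"owner": "bob", "department": "finance"}
ALICE_REPORT = {"owner": "alice", "department": "finance"}
OFFICE_HOURS = {"hour": 10}
NIGHT = {"hour": 23}

if __name__ == "__main__":
    print("alice approves bob's report:", is_allowed(ALICE, BOB_REPORT, "approve", OFFICE_HOURS))
    print("alice approves her own report:", is_allowed(ALICE, ALICE_REPORT, "approve", OFFICE_HOURS))
    print("who can approve bob's report:", who_can("approve", BOB_REPORT, OFFICE_HOURS, USERS))
```

Two design points worth noticing: the application code never sees a rule, only a yes/no, so changing policy (adding the off-hours rule, say) is done once in the PAP and takes effect for every PEP; and the PEP fails closed on NotApplicable, which is what keeps a forgotten rule from silently granting access.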