Data Entitlement in an API-Centric Architecture
TRANSCRIPT
Entitlement in general
John Doe needs to read a web page
John authenticates with the system
System checks John's role and associated permissions
If allowed, John is presented with the page
[Diagram: traditional application flow: authenticate, authorize, access]
API Centric Entitlements
John Doe needs to read resource Foo
John authenticates with the system
System checks John's role and associated permissions
If allowed, John is presented with the resource
[Diagram: API gateway flow: authenticate, authorize, access]
Common aspects of the typical use case
Involvement of an actor (John)
Involvement of a resource (page / data)
Use of permissions
Use of an attribute (role)
Involvement of an action (READ)
Entitlement complexities
Complex rules
Too many combinations
Over time maintenance nightmare (a role per user / too many granular permissions)
Too many changes (governance nightmare)
Application centric
Where do the rules exist?
At the application layer?
At the API layer?
At the data access layer?
[Diagram: application, API gateway, data services]
Modern entitlement design principles
Re-usability
Application / API neutral
Loosely coupled to the underlying system
Centrally manageable
Performance
Challenges
Externalized entitlement engines are often seen as an unnecessary task and an overhead
Needs fresh thinking and often re-writing the applications / APIs in a permission-agnostic manner
Must be standards driven
Need to optimize for performance
Benefits
Benefits are more long-term
Helps organizations adapt more easily to changing business needs and data security requirements
Centralized management of platform level policies
Ideal for heterogeneous systems – Unified access model to entitlements data
Service mindset – everything is a service, including entitlements
Entitlements at the API Layer
[Diagram: application, API gateway, entitlement engine, data services: authenticate, authorize, data access]
What's new in entitlement with regard to APIs
APIs have defined interactions (GET/PUT/POST/DELETE etc.)
APIs have token-based authentication
APIs have associated concepts (throttling / billing)
APIs are typically centrally managed
Entitlement patterns for API architectures
Attribute based access control
User Doe can READ resource Foo
Policy based access control
User Doe can READ resource Foo only 10 times per day
Entitlement policies and decision engines
XACML is the standard for policy-based entitlement
XACML provides rich entitlement rule authoring capability
XACML policies are evaluated on a decision engine
XACML has a defined sequence for integration with applications and APIs
PEP / PDP / PAP / PIP (Policy Enforcement Point / Policy Decision Point / Policy Administration Point / Policy Information Point)
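Added example (not from the slides): a minimal Python model of the PEP / PDP / PAP / PIP split above, with the two patterns from the previous slide as policies, the attribute rule "User Doe can READ resource Foo" and the policy rule "only 10 times per day". The subject names, the attribute store and the quota bookkeeping are assumptions for illustration; it models the roles, not XACML's wire format.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# PIP (Policy Information Point): constructed sample subject attributes.
PIP_ATTRIBUTES = {"doe": {"role": "reader"}, "roe": {"role": "guest"}}

# PAP (Policy Administration Point): policies are data kept outside the API code.
ABAC_POLICY = [{"role": "reader", "action": "READ", "resource": "foo"}]
PBAC_POLICY = [{"action": "READ", "resource": "foo", "max_per_day": 10}]


@dataclass
class PDP:
    """Policy Decision Point: evaluates policies; knows nothing about HTTP or the API."""
    usage: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, subject, action, resource, day):
        attrs = PIP_ATTRIBUTES.get(subject, {})
        # Attribute-based rule: role + action + resource must match a policy entry.
        if not any(p["role"] == attrs.get("role") and p["action"] == action
                   and p["resource"] == resource for p in ABAC_POLICY):
            return "Deny"
        # Policy-based rule: per-day quota for this subject/action/resource.
        for p in PBAC_POLICY:
            if p["action"] == action and p["resource"] == resource:
                key = (subject, action, resource, day)
                if self.usage[key] >= p["max_per_day"]:
                    return "Deny"
                self.usage[key] += 1
        return "Permit"


class GatewayPEP:
    """Policy Enforcement Point in the API gateway: maps the HTTP call to an
    action, asks the PDP, and only then lets the API handler run."""
    def __init__(self, pdp):
        self.pdp = pdp

    def handle(self, subject, method, path, day, handler):
        action = {"GET": "READ", "PUT": "WRITE", "POST": "WRITE", "DELETE": "DELETE"}.get(method, method)
        decision = self.pdp.decide(subject, action, path.strip("/"), day)
        return (200, handler()) if decision == "Permit" else (403, "Forbidden")


def read_foo():
    """Permission-agnostic API handler: contains no entitlement logic at all."""
    return "resource foo"


def simulate(subject, calls, day="2024-01-01"):
    """Issue `calls` GET /foo requests as `subject`; return the list of status codes."""
    pep = GatewayPEP(PDP())
    return [pep.handle(subject, "GET", "/foo", day, read_foo)[0] for _ in range(calls)]
```

The eleventh read by Doe on the same day is refused by the quota rule, while a subject without the reader role is refused by the attribute rule on the first call.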
Summary
Data entitlement is central to an API architecture
Entitlement rules need to be loosely coupled to the API runtime
Entitlement engine has to be capable of evaluating granular rules
Data access has to be controlled via an entitlement engine, as the permutations and combinations for data access can grow massively over time