Data Entitlement in an API-Centric Architecture
04/02/2015
Nuwan Bandara, Senior Technical Lead

Upload: wso2

Post on 15-Jul-2015


Entitlement in general

John Doe needs to read a web page

John authenticates with the system

System checks John’s role and associated permissions

If allowed, John is presented with the page

Traditional application flow: authenticate, authorize, access

API Centric Entitlements

John Doe needs to read resource foo

John authenticates with the system

System checks John’s role and associated permissions

If allowed, John is presented with the resource

API gateway flow: authenticate, authorize, access

Common Aspects of the typical use case

Involvement of an actor (John)

Involvement of a resource (page / data)

Use of permissions

Use of an attribute (role)

Involvement of an action (READ)

Entitlement complexities

Complex rules

Too many combinations

Over time, a maintenance nightmare (a role per user / too many granular permissions)

Too many changes (governance nightmare)

Application centric

Who should provide entitlements

Traditional design

Where do the rules exist?

At the application layer?

At the API layer?

At the data access layer?

Candidate layers: application / API gateway / data services

Modern entitlement design principles

Re-usability

Application / API neutral

Loosely coupled to the underlying system

Centrally manageable

Performance

Data entitlement at the data access layer

Challenges

Externalized entitlement engines are often seen as an unnecessary task and an overhead

Needs fresh thinking and often re-writing the applications / APIs in a permission-agnostic manner

Must be standards driven

Need to optimize for performance

Benefits

Benefits are more long term

Helps organizations adapt more easily to changing business needs and data security requirements

Centralized management of platform level policies

Ideal for heterogeneous systems – Unified access model to entitlements data

Service mindset – everything is a service, including entitlements

Entitlements at the API Layer

Components: application / API gateway / entitlement engine / data services

Flow: authenticate, authorize, data access

What's new in entitlement with regard to APIs

APIs have defined interactions (GET/PUT/POST/DELETE etc.)

APIs have token-based authentication

APIs have associated concepts (throttling / billing)

APIs are typically centrally managed

Entitlement patterns for API architectures

Attribute based access control

User Doe can READ resource Foo

Policy based access control

User Doe can READ resource Foo only 10 times per day

Entitlement policies and decision engines

XACML is the (OASIS) standard for policy-based entitlement

XACML provides rich entitlement rule authoring capability

XACML policies are evaluated on a decision engine

XACML has a defined sequence for integration with applications and APIs:

PEP / PDP / PAP / PIP (Policy Enforcement Point / Policy Decision Point / Policy Administration Point / Policy Information Point)

Putting it all together

API gateway flow for authorization
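The following is an added example, not code from the deck or from WSO2, that puts the two entitlement patterns (attribute-based "Doe can READ Foo", policy-based "only 10 times per day") and the PEP / PDP / PAP / PIP sequence into one runnable gateway flow. Everything in it is assumed for illustration: the rule predicates, the in-memory `UsageCounter` standing in for a PIP, the `METHOD_TO_ACTION` verb mapping, and the token, which is a constructed dict of already-validated claims rather than a real bearer token.

```python
"""Toy API-gateway entitlement flow: PEP at the gateway, PDP evaluating centrally
authored rules, PIP supplying a per-day usage count.  Added example; not code from
the deck or from WSO2.  The token is a constructed, already-validated claim set."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """The authorization request a PEP hands to the PDP (subject/resource/action/environment)."""
    subject: Dict[str, str]
    resource: str
    action: str
    environment: Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """PAP-managed rule: a predicate over the request plus its effect."""
    rule_id: str
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]


class UsageCounter:
    """PIP: attribute source the PDP consults for facts the request does not carry.
    Hypothetical in-memory store keyed by (subject, action, resource, day)."""
    def __init__(self) -> None:
        self._counts: Dict[Tuple[str, str, str, date], int] = {}

    def count(self, subject_id: str, action: str, resource: str, day: date) -> int:
        return self._counts.get((subject_id, action, resource, day), 0)

    def record(self, subject_id: str, action: str, resource: str, day: date) -> None:
        key = (subject_id, action, resource, day)
        self._counts[key] = self._counts.get(key, 0) + 1


class DecisionPoint:
    """PDP: enriches the request from the PIP, evaluates every rule, combines with deny-overrides."""
    def __init__(self, rules: List[Rule], pip: UsageCounter) -> None:
        self.rules = rules
        self.pip = pip

    def evaluate(self, req: Request) -> str:
        usage = self.pip.count(req.subject["subject-id"], req.action, req.resource, req.environment["date"])
        req = replace(req, environment={**req.environment, "usage-today": usage})
        effects = [r.effect for r in self.rules if r.condition(req)]
        if "Deny" in effects:       # deny-overrides: one matching Deny rule wins
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"      # no rule matched; the PEP must not treat this as a Permit


# Centrally authored rules (the PAP's store), expressing the deck's two patterns.
RULES: List[Rule] = [
    # Attribute based: "User Doe can READ resource Foo"
    Rule("permit-doe-read-foo", "Permit",
         lambda r: r.subject["subject-id"] == "doe" and r.resource == "foo" and r.action == "READ"),
    # Policy based: "... only 10 times per day" (uses the PIP-supplied usage count)
    Rule("deny-over-quota", "Deny",
         lambda r: r.environment["usage-today"] >= 10),
]

# How the gateway maps HTTP verbs onto entitlement actions (assumed mapping).
METHOD_TO_ACTION = {"GET": "READ", "PUT": "WRITE", "POST": "WRITE", "DELETE": "DELETE"}


class GatewayPEP:
    """PEP: sits in the API gateway, builds the request from the token and HTTP call,
    enforces the PDP's decision, and records permitted accesses with the PIP."""
    def __init__(self, pdp: DecisionPoint, pip: UsageCounter,
                 today: Callable[[], date] = date.today) -> None:
        self.pdp, self.pip, self.today = pdp, pip, today

    def handle(self, token: Dict[str, str], method: str, path: str) -> Tuple[int, str]:
        action = METHOD_TO_ACTION.get(method.upper())
        if action is None:
            return 405, "method not allowed"
        resource = path.strip("/").split("/")[0]          # first path segment names the resource
        req = Request(subject={"subject-id": token["sub"], "role": token["role"]},
                      resource=resource, action=action, environment={"date": self.today()})
        decision = self.pdp.evaluate(req)
        if decision != "Permit":                          # Deny and NotApplicable both block
            return 403, decision
        self.pip.record(token["sub"], action, resource, self.today())
        return 200, "forwarded to data service"


def build_gateway(today: Callable[[], date] = date.today) -> GatewayPEP:
    pip = UsageCounter()
    return GatewayPEP(DecisionPoint(RULES, pip), pip, today)


if __name__ == "__main__":
    gw = build_gateway()
    doe = {"sub": "doe", "role": "analyst"}               # constructed, already-validated token claims
    for i in range(1, 13):
        print(i, gw.handle(doe, "GET", "/foo/42"))        # 1..10 -> 200, 11 and 12 -> 403 Deny
    print(gw.handle(doe, "DELETE", "/foo/42"))            # 403 NotApplicable
    print(gw.handle({"sub": "jane", "role": "analyst"}, "GET", "/foo"))  # 403 NotApplicable
```

Two design points worth noting: the API code never sees the rules (they live in `RULES`, the PAP side, and can change without redeploying the gateway), and a `NotApplicable` result is treated exactly like `Deny` at the PEP, so a resource nobody has authored a rule for is closed by default rather than open.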

Sample policy

Summary

Data entitlement is central to an API architecture

Entitlement rules need to be loosely coupled to the API runtime

The entitlement engine has to be capable of evaluating granular rules

Data access has to be controlled via an entitlement engine, as the permutations and combinations for data access can grow massively over time

Thank You