The Symplified Blog

The Duality of Access Control Technologies

I’m in LA this week for the 2013 Gartner IAM Summit, and I’m hearing a lot of talk about IAM solutions that, on the surface, sound like they do the same thing, but upon closer look I know they don’t. In the identity management market, many products claim to provide access control and authorization, each taking different approaches to achieve them.  This leads to confusion about what the products are actually capable of, and whether they enable a secure and compliant enterprise architecture.

One of the biggest areas of confusion is around the difference between governance (defining access policies) and enforcement (enforcing those policies at runtime).

In controlling access to a protected online resource, such as an online collaboration portal, a few key steps are involved. The identity standards community – XACML, specifically – has created an authorization model that defines a few roles which are very useful in describing the way access policies are created and enforced:

Policy Administration Point (PAP) – The place where the code is implemented where authorization policies are created and managed.

Policy Decision Point (PDP) – The place where policies are evaluated and access decisions are made at runtime.

Policy Enforcement Point (PEP) – The place where the access decisions are enforced.

Duality Diagram

Adding to this complexity, the roles of PAP, PDP and PEP are implemented by different parts of your enterprise architecture in different scenarios, but typically within your applications. For example, most web applications enforce policies by performing all three of these roles within the server-side components of their applications. In this model, the application itself provides an interface via which an administrator sets the permissions for what individual users are allowed to do within that application.  At runtime, the application itself decides whether to allow a user to access a resource (PDP) and enforces that decision (PEP) by either returning or denying access to the requested resource. This model of application development had been the predominant approach for some time, but new approaches have emerged as enterprises have recognized the need to centralize this processing for a variety of reasons.

Multiple enterprise applications now leverage a centralized enterprise directory of users (usually Active Directory) rather than manage users and their roles within each application. In this scenario, PAP becomes the Active Directory management console where users are managed and their roles are defined.  The application looks up these values at runtime, decides whether to allow the user to access resources based on role memberships and other data stored in AD (PDP), and then provides the access based on the result of that policy decision (PEP).

In the more comprehensive approaches to centralizing this behavior, all three of these roles – PAP, PDP and PEP – are implemented and enforced by one enterprise system. Web Access Management (WAM) products are good examples of this approach. In this model, WAM systems integrate with protected resources in such a way that they can intercept a request before the protected resource ever sees it – either by integrating a WAM agent with the protected resource or putting a WAM proxy ‘in front of’ the protected resource. In this scenario, the WAM system is used to define the policies (PAP), evaluate policies at runtime (PEP), and enforce them (PDP).

It’s advantageous for enterprises to centralize the control of these functions for a variety of reasons – risk management and compliance, enhanced user experience, and better security developed by experts rather than in-house application developers, to name a few.  As enterprises centralize control of what their users do within their applications it is important to know the roles these different products play.

If what you need is something that will create user accounts in existing applications with the appropriate roles, where those applications have not provided the ability to externalize access control processing, then a governance or provisioning-oriented solution may well suit your needs.

However if you are building your own enterprise applications and want to have centralized user management, access management, and auditability of those applications an enforcement-oriented solution like a WAM system is more appropriate for your needs. It will provide an environment where application developers are able to focus on writing application code – instead of identity/security — and empower the enterprise IT group with control and visibility into those applications.


Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Resources & Downloads View All »

Single Sign-On (SSO) Buyers Guide

How is your enterprise managing the need for secure single sign-on across cloud applications and mobile devices? Download a Free copy of Symplified's Buyer's Guide to Single Sign-On (SSO).


Forrester Research – The Forrester Wave™: Enterprise Cloud Identity and Access Management

Download a FREE copy of The Forrester Wave™: Enterprise Cloud Identity and Access Management (IAM), Q3 2012.


Forrester Research – “Build an Identity and Access Management Strategy”

Download a FREE copy of this recent Forrester Research report to use as a roadmap for delivering security, productivity and cost savings with IAM.