OM-BP-0022: Centralize authorization management outside applications (Best Practice)

Best Practice

Centralize authorization management outside applications.

Rationale

The key drivers for this architectural design is the high cost and complexity of development and maintenance of authorization logic, and the subsequent cost and difficulty for application owners to consistently manage authorizations in numerous heterogeneous applications.

Bad Practices

• Implement authorization logic within the application

• Develop a centralized authorization system with a proprietary protocol

Implementation Details

• Require support for OASIS XACML as part of SDLC

Quotes

Externalizing authorization from applications

Many applications today are written with authorization logic built proprietarily into the application. This logic, often driven by sustainable ACL and RBAC policy models, is often not reusable between applications. Development teams are forced to reinvent the wheel and spend measurable time maintaining business authorization rules, rather than focusing their efforts on core application development. Additionally, accurate reporting can be a time-consuming task when IT governance teams are tasked with tracking down exactly what access an entity has at any given time across several siloed applications. This becomes a nightmare in the event of a security breach. How quickly can you react and assess the scope of the breach?

By leveraging XACML, developers can remove the authorization logic from their applications. Policies are centrally managed and can be modified based on business needs at runtime without any changes to application code.

Number one is the goal to remove authorization processing from applications and implement it in a shared infrastructure service.

Bibliography

• Blain, 2011

• Gebel and Wang, 2010

Related Best Practices

N/A

See Also