In a series of customer conversations over the last few weeks, there seem to be two schools of thought around externalized authorization. I covered this in some detail in To Cache or Not to Cache. I have a little more perspective on the "To Cache" approach.
The reality is that today most applications cannot externalize their authorization decisions to a third-party/centralized authority. They can externalize their group memberships to LDAP, but the core entitlements are baked into the application, either in the form of code or in some application database tables. So given this reality, which of the two approaches is going to be easier for applications to adopt: build a centralized service and get people to modify their applications to call it, or manage entitlements centrally and push them to the existing application stores?
To be clear, there is no issue with either approach from either an architectural or Oracle product perspective. Both are fine. I think the bigger issue is why applications have to have their own entitlement stores to begin with. I think one answer is that there is no standard mechanism for externalization.
But Josh, isn't that what XACML is for? Yes, but as we've discussed in this blog, web services security and interoperability is not as simple as having a standard. Also, the thought of having to make a SOAP call for every authorization request could present some performance challenges.
My hope is that OpenAz (which introduces a Java runtime binding on top of XACML) will drive more packaged applications to look at externalization. The Java binding is easy to write to and doesn't necessarily assume that the service is a remote SOAP endpoint. The OpenAz policy decision implementation could, by default, simply look in the application's database tables. This allows large enterprises that have multiple packaged applications to swap out application-specific lookups for a centrally managed authorization model. This would benefit firms greatly, as having centralized management of entitlements can greatly simplify compliance and audit reporting.
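To make the point about the binding concrete, here is an added Java sketch (my own illustration, not OpenAz code and not its API): the application's enforcement point calls one in-process interface, `AuthorizationProvider`, which says nothing about transport. A default implementation answers from the application's own entitlement rows (constructed in-memory maps stand in for the database tables), and a second implementation answers from a centrally managed rule set behind the same interface. The class and method names are assumptions chosen for this example.

```java
import java.util.*;

// Hypothetical in-process binding (not the OpenAz API). The PEP calls this
// once per decision; whether the answer comes from local tables or a central
// policy service is invisible to the application.
interface AuthorizationProvider {
    enum Decision { PERMIT, DENY, NOT_APPLICABLE }
    Decision decide(String subject, String action, String resource);
}

// Default provider: looks in the application's existing entitlement tables.
// Constructed maps stand in for user_roles(user, role) and
// role_grants(role, action, resource); a real one would issue the same two lookups over JDBC.
final class LocalTablePdp implements AuthorizationProvider {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Set<String>> roleGrants = new HashMap<>();

    LocalTablePdp grantRole(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
        return this;
    }

    LocalTablePdp grantPermission(String role, String action, String resource) {
        roleGrants.computeIfAbsent(role, k -> new HashSet<>()).add(action + "|" + resource);
        return this;
    }

    @Override
    public Decision decide(String subject, String action, String resource) {
        Set<String> roles = userRoles.get(subject);
        if (roles == null) return Decision.NOT_APPLICABLE;   // no rows for this subject at all
        String wanted = action + "|" + resource;
        for (String role : roles) {
            if (roleGrants.getOrDefault(role, Set.of()).contains(wanted)) return Decision.PERMIT;
        }
        return Decision.DENY;
    }
}

// Central provider: same interface, served from rules managed outside the
// application. Rules are evaluated first-applicable; the subject's groups come
// from a directory lookup (a constructed map here, where LDAP would be).
final class CentralPolicyPdp implements AuthorizationProvider {
    record Rule(String group, String action, String resourcePrefix, Decision effect) {}

    private final Map<String, Set<String>> directoryGroups;
    private final List<Rule> rules;

    CentralPolicyPdp(Map<String, Set<String>> directoryGroups, List<Rule> rules) {
        this.directoryGroups = directoryGroups;
        this.rules = rules;
    }

    @Override
    public Decision decide(String subject, String action, String resource) {
        Set<String> groups = directoryGroups.getOrDefault(subject, Set.of());
        for (Rule r : rules) {
            if (groups.contains(r.group()) && r.action().equals(action)
                    && resource.startsWith(r.resourcePrefix())) {
                return r.effect();                            // first applicable rule wins
            }
        }
        return Decision.NOT_APPLICABLE;
    }
}

// Enforcement point inside a packaged application. It depends only on the
// interface and fails closed: anything other than PERMIT is refused. The one
// audit line per decision is what central management makes uniform across apps.
final class ExpenseReportService {
    private final AuthorizationProvider az;
    ExpenseReportService(AuthorizationProvider az) { this.az = az; }

    boolean approve(String user, String reportId) {
        String resource = "expense/" + reportId;
        AuthorizationProvider.Decision d = az.decide(user, "approve", resource);
        System.out.printf("audit subject=%s action=approve resource=%s decision=%s%n", user, resource, d);
        return d == AuthorizationProvider.Decision.PERMIT;
    }
}

class Demo {
    public static void main(String[] args) {
        // Phase 1: the application still owns its entitlement tables.
        LocalTablePdp local = new LocalTablePdp()
            .grantRole("alice", "finance-manager")
            .grantPermission("finance-manager", "approve", "expense/42");
        ExpenseReportService svc = new ExpenseReportService(local);
        svc.approve("alice", "42");   // PERMIT
        svc.approve("bob", "42");     // NOT_APPLICABLE, refused

        // Phase 2: swap in the centrally managed policy; ExpenseReportService is untouched.
        CentralPolicyPdp central = new CentralPolicyPdp(
            Map.of("alice", Set.of("finance-manager"), "bob", Set.of("contractor")),
            List.of(
                new CentralPolicyPdp.Rule("contractor", "approve", "expense/", AuthorizationProvider.Decision.DENY),
                new CentralPolicyPdp.Rule("finance-manager", "approve", "expense/", AuthorizationProvider.Decision.PERMIT)));
        svc = new ExpenseReportService(central);
        svc.approve("alice", "42");   // PERMIT
        svc.approve("bob", "42");     // DENY
    }
}
```

The design choice worth noting is that the enforcement point treats NOT_APPLICABLE the same as DENY, so a subject the local tables have never heard of is refused rather than silently allowed, and that nothing in `ExpenseReportService` changes when the provider behind the interface is swapped.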
Though we're just getting started with OpenAz, it's reassuring to talk to customers and receive validation of the problem we're looking to address.
Tuesday, September 29, 2009