Category: Identity and Access Management

Technical blog posts on Identity & Access Management, federated identity, and all things authorization.

A man reading Dr Seuss's ABC in a field of flowers. Photo by JOSHUA COLEMAN on Unsplash
Identity and Access Management

Playing with ChatGPT: if Dr. Seuss wrote about ABAC

This morning, I woke up, got breakfast ready for my three-year-old, sat down at my desk and wondered: “what if Dr. Seuss had written about ABAC?” Don’t ask me why… Maybe because I’d been reading I Am Not Going to Get Up Today! to my kid the night before. Who knows? Oh, and if you’re wondering what ABAC is, it’s attribute-based access control. Fortunately, we live in a day and age where ChatGPT can pretty much fulfill our wildest dreams and so, without further ado, here’s what ChatGPT thinks Dr. Seuss would have said about ABAC: In a world of data and access control so tight,There’s a method that shines with a brilliant light.ABAC, my dear friend, is its clever […]

Eltz Castle, Wierschem, Germany
Identity and Access Management

What is Policy-Based Access Control?

TL;DR; Policy-based access control (PBAC) and attribute-based access control (ABAC) are exactly the same thing. They enable fine-grained access control or authorization. Lately, customers have been asking me about the difference between externalized authorization, attribute-based access control (ABAC), and policy-based access control (PBAC). These are in fact all different ways of describing roughly the same thing: a better approach to tackling fine-grained authorization challenges in a way that is technology-neutral, i.e. that can be reused for APIs, data, and more. Both ALFA, the abbreviated language for authorization, and XACML are the OASIS standard implementations for ABAC.

Photo by Matt Artz on Unsplash
Identity and Access Management

The state of the Union of Authorization

This post was originally published on Identiverse’s blog following the 2018 edition of their conference. Background A few weeks ago, I had the pleasure to talk at the European Identity Conference on a topic that is close to my heart: authorization. More specifically, I discussed how the evolving IT landscape requires an even finer grained authorization framework to be able to deliver value to consumers as a whole. In a later session, I took part in a panel entitled “How will Authorization Look in the Future? XACML, OAuth, Proprietary” with Loren Russon (Ping Identity), Pam Dingle (Microsoft) and Eve Maler (ForgeRock). The bulk of the debate centered around standards and in particular the battle XACML vs. OAuth (and to a […]

A computer showing source code - Photo by Clément H on Unsplash
Java, XACML Bites

Use JAXB and Ant to generate Java POJOs for XACML 1.1, XACML 2.0, and XACML 3.0 policies

In a previous blog post, I mentioned that I was working on a conversion script for a client to migrate XACML 1.1 policies to XACML 3.0. There are several ways this could be achieved. Here are the ways I have thought of: Use XSLT to convert from the XACML 1.1 schema to the XACML 3.0 schema. This is possibly a purist’s way of approaching this. However support for XSLT has not always been great and it requires a lot of XML, XPath, and XSLT know-how. Use the Java DOM model to parse XACML 1.1 XML and create XACML 3.0 XML. Use JAXB to generate POJOs (plain old Java objects) that represent XACML 1.1 and XACML 3.0. I chose the latter […]