Coarse-grained vs. fine-grained access control – part I

A few weeks ago, Baljinder Wadhwa, a consultant at HP, started an interesting thread on coarse-grained vs. fine-grained access control trying to figure out what the differences were between the two. His question generated a high level of great answers that went in different directions. This post aims at summarizing those answers, bringing in my own view, and producing a structured answer to Baljinder’s question. Here goes… Vocabulary definition Coarse: (1) composed of relatively large parts or particles <coarse sand> (2) : loose or rough in texture <coarse cloth> Fine: (1) very thin in gauge or texture (2) : not coarse <fine sand> (3) : very small (4) : keen <a knife with a fine edge> (5) : very precise […]

Gluecon 2011 – Impressions of Day 1 – Waste Management Through Security Automation

Gluecon started off with an amazing video / presentation on a mind-nubbingly large screen. It felt like the Oscars of IT. After the usual round of intros led by Eric Norlin, we moved on to the core of the topic: APIs and all their applications today including, of course, within cloud. Chris Hoff of Cisco started with an analogy with toiletry / plumbing over the centuries pointing out that in the last 10 years, we had seen radical innovation in toilets, a millenium-old technology. Apply that to software dev and cloud, and we should see some serious innovation coming our way. (Side note: the indispensable toilet paper was not invented until quite a few centuries after toilets were. It makes […]

XACML 3.0 wins award at the European Identity Conference 2011 #EIC11

Today was a great day at EIC 2011 where Axiomatics is currently demoing its fine-grained authorization capabilities based on the latest version of the XACML standard, XACML 3.0. It ended with the usual ceremony awards where Tim Cole et al. handed out awards to various projects in the identity space (cloud security, IAM, entitlements management). A special award was handed to the XACML Technical Committee for its outstanding work on the latest version of XACML, XACML 3.0. Hal Lockart of Oracle and co-chair of the TC stepped up to accept the award and thanked the entire TC for a great group effort. He also thanked the editor of the XACML 3.0 specification, Erik Rissanen, CTO Axiomatics, for leading the effort […]

When OpenID meets XACML: externalize authentication and authorization from your business apps

Background About a year ago, a few months into my new job at Axiomatics, I pulled together a web-based app using J2EE (JSF, servlets, POJOs) and Icefaces (AJAXfied JSF) to illustrate fine-grained access control for web applications and portals. To secure the application, I used Tomcat’s authentication mechanism (its implementation of the HTTP FORM-based authentication protocol) and Axiomatics‘s off-the-shelf Authorization filter for servlets. What I then got – at zero development effort – was a sturdy, secure, finely-grained controlled web app where users could access certain pages and/or parts of pages based on the set of attributes a given user had potentially combined with attributes of the targeted resource (the page, the portlet, the individual GUI element of the page…), […]