Overview#

Access Control Engine

Access Control Engine BeyondCorp#

Access Control Engine is a centralized Policy Enforcement Point service referenced by each Access Proxy that provides a binary authorization decision based on the Access Control Policy, output of the Trust Inferer, the resources requested, and real-time credentials.

Access Control Engine is within the Access Proxy provides service-level authorization to enterprise applications on a per-request basis. The authorization decision makes assertions about the user, the groups to which the user belongs, the device certificate, and artifacts of the device from the Device Inventory Service.

If necessary, the Access Control Engine can also enforce Geolocation Access Control. The inferred Trust Tier in the Digital Identity and the device is also included in the authorization decision.

For example, access to Google’s bug tracking system can be restricted to full-time engineers using an engineering device. Access to a financial application can be restricted to fulltime and part-time employees in the financial operations group using managed non-engineering devices.

Access Control Engine can also restrict parts of an application in different ways. For example, viewing an entry in our bug tracking system might require less strict access control than updating or searching the same bug tracking system.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-3) was last changed on 30-Jul-2017 11:49 by jim