Overview

Adaptive Policy-based Access Management (APAM) is a policy-based management system for access control in which policies are applied at runtime to make authorization decisions based on context in the broadest sense. Related approaches and terms include RBAC (Role Based Access Control), ABAC (Attribute Based Access Control), Dynamic Authorization Management (DAM) and standards such as XACML. Other terms, such as Risk Based Access Control (RiskBAC), have been introduced more recently.
Quite frequently there has been a debate between RBAC and ABAC, as to whether attributes should or must replace roles. However, most RBAC approaches in practice rely on more than purely roles (i.e. on other attributes as well), while roles are a common attribute in ABAC. In practice it is not RBAC vs. ABAC, but rather a sort of continuum.
Some years ago, I introduced the term "Dynamic Authorization Management" for what some vendors called "Entitlement Management", while others used the term "Policy Management". This was about the contrast between doing authorizations based on statically defined entitlements (such as in systems that rely on ACLs, i.e. Access Control Lists, e.g. Windows Server) and authorization decisions made at runtime based on policies and context information such as the user, his roles, etc. – in fact a number of attributes.
Even longer ago, the term PBAC had been introduced, with the A in PBAC standing for "admission", because PBAC was a standard introduced at the network level.
However, you could also argue that systems such as the SAP ERP systems or Windows file servers do authorizations dynamically, for instance in Windows by comparing ACL entries with the SIDs contained in the user's access token (populated from the Kerberos ticket). Nevertheless, the entitlements themselves are set statically. Admittedly, after various discussions with end users, the term "dynamic" appears not to be clear enough for distinguishing the various approaches.
While common, static approaches at best translate policies into static entitlements; this translation step is absent in what I now will call Adaptive Policy-based Access Management (APAM). And that is what really makes the difference: policies, applied at runtime to make decisions based on context in the broadest sense. Whether that context consists of roles, IP addresses, claims, or whatever else – this is the essence of the entire discussion that we have seen going on for years now.
- APAM by default is a security service, i.e. it externalizes security from the applications (theoretically, such a concept might be implemented in applications, but there is little sense in doing so).
- APAM automatically reflects policy changes. Policies,
- APAM, when implemented right, can be expressed in a business-friendly notation.
- APAM is adaptive, i.e. it takes the context into account.
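The contrast described above, static entitlements versus policies evaluated at runtime against the request context, is shown below in an added example. This is illustration code written for this page, not code from the article or from any APAM product; the resource name "hr-share", the group SIDs, the role names, the corporate network ranges, the risk score attribute and all sample requests are constructed assumptions. The static ACL check can only compare identifiers; the policy decision point (PDP) answers differently for the same user depending on source network and session risk, and a newly added policy changes the next decision without any entitlement being re-provisioned.

```python
"""Minimal policy decision point beside a static ACL check (added example).
All names, SIDs, networks and sample requests here are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# --- Static entitlements: the ACL maps a resource to the identifiers allowed on it.
# Changing "who may do what" means rewriting the ACL; context cannot be expressed.
STATIC_ACL = {
    "hr-share": {"read": {"S-1-5-21-HR-GROUP"}, "write": {"S-1-5-21-HR-ADMINS"}},
}


def acl_decision(resource: str, action: str, subject_sids: set[str]) -> bool:
    """File-server style check: group SIDs from the subject's token vs. the ACL."""
    allowed = STATIC_ACL.get(resource, {}).get(action, set())
    return bool(allowed & subject_sids)


# --- Policy-based: the request carries context that policies read at runtime.
@dataclass
class Request:
    subject: dict       # e.g. {"user": "alice", "roles": [...], "claims": {...}}
    resource: str
    action: str
    environment: dict   # e.g. {"source_ip": "10.1.2.3", "risk_score": 0.1}


@dataclass
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]  # applicability test over the request


def evaluate(policies: list[Policy], req: Request) -> tuple[str, str]:
    """Deny-overrides combining: any applicable deny wins, otherwise the first
    applicable permit; with no applicable policy the answer is default-deny."""
    applicable = [p for p in policies if p.condition(req)]
    for p in applicable:
        if p.effect == "deny":
            return ("deny", p.name)
    for p in applicable:
        if p.effect == "permit":
            return ("permit", p.name)
    return ("deny", "default-deny")


CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed


def from_corporate_network(req: Request) -> bool:
    return any(ip_address(req.environment["source_ip"]) in net for net in CORPORATE_NETS)


def hr_policies() -> list[Policy]:
    """Constructed policy set: role-based permits plus context-based denies."""
    return [
        Policy("hr-read", "permit",
               lambda r: r.resource == "hr-share" and r.action == "read"
               and "hr" in r.subject["roles"]),
        Policy("hr-admin-write", "permit",
               lambda r: r.resource == "hr-share" and r.action == "write"
               and "hr-admin" in r.subject["roles"]),
        # Same role, different answer depending on where the request comes from.
        Policy("no-write-off-network", "deny",
               lambda r: r.action == "write" and not from_corporate_network(r)),
        # Adaptive rule: a risk score supplied by the session context.
        Policy("high-risk-session", "deny",
               lambda r: r.environment.get("risk_score", 0.0) > 0.7),
    ]


def decide(policies, subject, resource, action, environment) -> tuple[str, str]:
    return evaluate(policies, Request(subject, resource, action, environment))


ALICE = {"user": "alice", "roles": ["hr", "hr-admin"], "claims": {"mfa": True}}


def demo() -> dict[str, tuple[str, str]]:
    pol = hr_policies()
    office = {"source_ip": "10.1.2.3", "risk_score": 0.1}
    home = {"source_ip": "203.0.113.7", "risk_score": 0.1}
    risky = {"source_ip": "10.1.2.3", "risk_score": 0.9}
    results = {
        "office_write": decide(pol, ALICE, "hr-share", "write", office),
        "home_write": decide(pol, ALICE, "hr-share", "write", home),
        "home_read": decide(pol, ALICE, "hr-share", "read", home),
        "risky_read": decide(pol, ALICE, "hr-share", "read", risky),
    }
    # A policy change is reflected on the very next decision; alice's roles,
    # group memberships and the ACL are untouched.
    pol.append(Policy("hr-share-freeze", "deny",
                      lambda r: r.resource == "hr-share" and r.action == "write"))
    results["office_write_after_freeze"] = decide(pol, ALICE, "hr-share", "write", office)
    # The static ACL permits the write from anywhere: it has no notion of context.
    results["acl_home_write"] = (
        "permit" if acl_decision("hr-share", "write", {"S-1-5-21-HR-ADMINS"}) else "deny",
        "acl",
    )
    return results


if __name__ == "__main__":
    for name, (effect, reason) in demo().items():
        print(f"{name:26s} {effect:6s} ({reason})")
```

Deny-overrides is used as the combining algorithm because it is the safe default when permits and context-based denies are mixed; the XACML standard named on this page defines this and several other combining algorithms, and a real PDP would also externalize policy storage and retrieval rather than keep the policy list in memory.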
More Information

There might be more information on this subject on one of the following:
- Access Control Models
- Adaptive Risk
- Entitlement Example
- User and Entity Behavior Analytics
- [#1] - Adaptive Policy-based Access Management (APAM): The Future of Authentication and Authorization - based on information obtained 2015-10-10