# Overview

An Entitlement Management System (EMS) is responsible for centrally managing, distributing and enforcing Authorization policies throughout the organization and beyond.
Moving from a Role Based Access Control (RBAC) system to an Attribute Based Access Control (ABAC) system is possible once Identity Management is in place. Having an API Security Service is also helpful when deploying ABAC.
Role Based Access Control has limitations when used for large scale API infrastructures: operations are often hard to map onto roles. This leads to role explosion, which becomes increasingly hard to maintain over time, and the logic needed to implement proper authorization rules becomes intricate and hard to test. ABAC addresses these problems by generalizing the authorization decision and by allowing Authorization policies to be written and maintained out of band.
An Entitlement Management System contains the following components:
- A Policy Decision Point (PDP) - Responsible for making an authorization decision.
- A Policy Enforcement Point (PEP) - Responsible for enforcing the decision from the Policy Decision Point.
- A Policy Information Point (PIP) - Responsible for enriching the authorization request with additional information on demand.
- A Policy Administration Point (PAP) - Responsible for administrating Authorization policies.
- A Policy Retrieval Point (PRP) - Responsible for distributing Authorization policies to Policy Decision Points.

Related standards and implementations:
- Open Policy Agent
- Abbreviated Language For Authorization (ALFA)
- eXtensible Access Control Markup Language (XACML)
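The PEP, PDP and PIP roles described above in working code, as an added example that is not from the original page or from any EMS product: the attribute stores, the two rules and the deny-overrides combining step are hypothetical, loosely modelled on XACML's Permit / Deny / NotApplicable effects, and show how attribute rules replace per-role checks.

```python
from dataclasses import dataclass, field

# Constructed attribute stores that the PIP consults (hypothetical sample data).
USER_ATTRS = {"alice": {"department": "finance", "clearance": 3},
              "bob": {"department": "engineering", "clearance": 1}}
RESOURCE_ATTRS = {"/invoices/42": {"owner_department": "finance", "sensitivity": 2},
                  "/invoices/7": {"owner_department": "finance", "sensitivity": 4}}

@dataclass
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)  # filled in by the PIP

def pip_enrich(req):
    """PIP: add the subject and resource attributes the PEP did not supply."""
    req.attrs["subject"] = USER_ATTRS.get(req.subject, {})
    req.attrs["resource"] = RESOURCE_ATTRS.get(req.resource, {})
    return req

# Rules a PAP would author and a PRP would distribute to PDPs.
def rule_same_department_read(r):
    """Permit reads when the subject's department owns the resource."""
    if r.action != "read":
        return "NotApplicable"
    same = r.attrs["subject"].get("department") == r.attrs["resource"].get("owner_department")
    return "Permit" if same else "NotApplicable"

def rule_clearance_covers_sensitivity(r):
    """Deny whenever the subject's clearance is below the resource sensitivity."""
    if r.attrs["subject"].get("clearance", 0) < r.attrs["resource"].get("sensitivity", 0):
        return "Deny"
    return "NotApplicable"

POLICY_SET = [rule_same_department_read, rule_clearance_covers_sensitivity]

def pdp_decide(req):
    """PDP: deny-overrides combining; an unknown subject or resource simply
    carries no attributes, so it can never reach an explicit Permit."""
    req = pip_enrich(req)
    effects = [rule(req) for rule in POLICY_SET]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_enforce(subject, action, resource, handler):
    """PEP: run the protected operation only on an explicit Permit (default deny)."""
    decision = pdp_decide(Request(subject, action, resource))
    return handler() if decision == "Permit" else f"403 ({decision})"

if __name__ == "__main__":
    print(pep_enforce("alice", "read", "/invoices/42", lambda: "invoice 42 contents"))
```

Note that the PEP treats NotApplicable the same as Deny: a request no policy speaks to is refused rather than silently allowed.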