Overview#
Entitlement Management System (EMS) is responsible for centrally managing, distributing and enforcing Authorization policies throughout the organization and beyond. Authorization is inherently difficult to centralize; the Entitlement Management System makes it possible to make authorization decisions at different levels as requests flow through the system.
Moving from a Role Based Access Control (RBAC) system to an Attribute Based Access Control (ABAC) system is possible once Identity Management is in place. Having an API Security Service is also helpful when deploying ABAC.
Role Based Access Control has limitations when used for large-scale API infrastructures: operations are often hard to map onto roles, which leads to role explosion and becomes increasingly hard to maintain over time. The logic needed to implement proper authorization rules becomes intricate and hard to test. ABAC addresses these problems by generalizing the authorization decision and by allowing Authorization policies to be written and maintained out of band.
Entitlement Management System contains the following components:
- A Policy Decision Point (PDP) - Responsible for making an authorization decision.
- A Policy Enforcement Point (PEP) - Responsible for enforcing the decision from the Policy Decision Point.
- A Policy Information Point (PIP) - Responsible for enriching the authorization request with additional information on demand.
- A Policy Administration Point (PAP) - Responsible for administrating Authorization policies.
- A Policy Retrieval Point (PRP) - Responsible for distributing Authorization policies to Policy Decision Points.
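As an added illustration, not taken from this page or from any of the products named below, here is a constructed Python model of how those components cooperate on a single request: the PEP asks the PDP, the PDP pulls the subject's attributes from a PIP and evaluates the policy set a PRP has delivered, and the PEP fails closed on anything but an explicit Permit. The directory, the policy rules and the attribute names are all assumptions made for the example.

```python
# Constructed directory the Policy Information Point (PIP) consults on demand.
DIRECTORY = {"alice": {"department": "finance", "clearance": 2},
             "bob": {"department": "sales", "clearance": 1}}

# Constructed policy set, the copy a Policy Retrieval Point (PRP) would deliver to the PDP.
# Each rule is (effect, conditions on the flattened request); ("ref", "<attr>") compares
# against another request attribute instead of a literal.
POLICY_STORE = [
    ("Permit", {"action": "read", "resource.type": "invoice", "subject.department": "finance"}),
    ("Permit", {"action": "approve", "resource.type": "invoice",
                "subject.department": "finance", "subject.clearance": 2}),
    # Separation of duties: nobody may approve an invoice they submitted themselves.
    ("Deny", {"action": "approve", "resource.submitter": ("ref", "subject.id")}),
]

def enrich(request):
    """PIP: add subject attributes from the authoritative directory (it overrides caller claims)."""
    subject = request.setdefault("subject", {})
    subject.update(DIRECTORY.get(subject.get("id"), {}))
    return request

def flatten(d, prefix=""):
    """Turn the nested request into {"subject.department": "finance", ...}."""
    out = {}
    for k, v in d.items():
        out.update(flatten(v, f"{prefix}{k}.") if isinstance(v, dict) else {f"{prefix}{k}": v})
    return out

def matches(conds, attrs):
    """True when every attribute condition holds; a missing attribute never matches."""
    for k, v in conds.items():
        want = attrs.get(v[1]) if isinstance(v, tuple) else v
        if k not in attrs or attrs[k] != want:
            return False
    return True

def decide(request):
    """PDP: evaluate every rule and combine with deny-overrides."""
    attrs = flatten(enrich(request))
    effects = {effect for effect, conds in POLICY_STORE if matches(conds, attrs)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def enforce(request):
    """PEP: only an explicit Permit lets the call through; NotApplicable or a PDP error is a Deny."""
    try:
        return decide(request) == "Permit"
    except Exception:
        return False
```

Note that the request never has to carry the department or clearance: the PIP supplies them, and because the directory overrides whatever the caller asserted, a request claiming a different department cannot talk its way into a Permit.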
Some examples:
- Open Policy Agent
- Abbreviated Language For Authorization (ALFA)
- eXtensible Access Control Markup Language (XACML)
More Information#
There might be more information for this subject on one of the following:
- [#1] - The Entitlement Management System - based on information obtained 2021-01-16