!!! Overview
[{$pagename}] ([EMS]) is responsible for centrally managing, distributing and enforcing [Authorization policies|Authorization Policy] throughout the organization and beyond.

[Authorization] is inherently difficult to centralize. The [{$pagename}] makes it possible to make [authorization] decisions on different levels as the requests flow through the system.

Moving from a [Role Based Access Control] ([RBAC]) system to an [Attribute Based Access Control] ([ABAC]) system is possible once the [Identity Management] is in place. Having an API Security Service is also helpful when deploying [ABAC].

[Role Based Access Control] has limitations when used for large-scale [API] infrastructures in that operations are often hard to map against roles. This can lead to role explosion, and becomes increasingly hard to maintain over time. The logic necessary to implement proper authorization rules becomes intricate and hard to test.

[ABAC] addresses these problems by generalizing the [authorization] decision and by allowing [Authorization policies|Authorization Policy] to be written and maintained out of band.

[{$pagename}] contains the following components:
* A [Policy Decision Point] ([PDP]) - [Responsible] for making an [authorization] decision.
* A [Policy Enforcement Point] ([PEP]) - [Responsible] for enforcing the decision from the [Policy Decision Point].
* A [Policy Information Point] ([PIP]) - [Responsible] for enriching the [authorization] request with additional information on demand.
* A [Policy Administration Point] ([PAP]) - [Responsible] for administering [Authorization policies|Authorization Policy].
* A [Policy Retrieval Point] ([PRP]) - [Responsible] for distributing [Authorization policies|Authorization Policy] to [Policy Decision Points].

Some [examples]:
* [Open Policy Agent]
* [Abbreviated Language For Authorization] ([ALFA])
* [eXtensible Access Control Markup Language] ([XACML])

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [The Entitlement Management System|https://curity.io/resources/architect/neo-security/entitlement-management-system/|target='_blank'] - based on information obtained 2021-01-16
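
The component roles listed in the overview, as an added Python illustration that is not taken from the referenced article or from any product: a PEP asks a PDP for a decision, the PDP has a PIP enrich the request with attributes and evaluates attribute-based policies, denying by default. All names, attributes and policies are hypothetical and the data is constructed.

```python
# Added illustration: toy ABAC flow through the PEP, PDP and PIP roles.
# Every name, attribute and policy below is hypothetical, constructed data.
from dataclasses import dataclass, field

# Constructed attribute stores that the PIP consults on demand.
ACCOUNTS = {"acct-1": {"owner": "alice", "region": "EU"},
            "acct-2": {"owner": "bob", "region": "US"},
            "acct-3": {"owner": "carol", "region": "EU"}}
USERS = {"alice": {"region": "EU", "clearance": 2},
         "bob": {"region": "US", "clearance": 1}}

@dataclass
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)

def pip_enrich(req):
    """PIP: add subject and resource attributes to the request."""
    req.attrs["subject"] = USERS.get(req.subject, {})
    req.attrs["resource"] = ACCOUNTS.get(req.resource, {})
    return req

# Policies are data maintained out of band (the PAP/PRP side). Each one is a
# predicate over attributes, so no role has to be minted per operation.
POLICIES = [
    # Owners may read their own account.
    lambda r: r.action == "read"
        and r.attrs["resource"].get("owner") == r.subject,
    # Clearance >= 2 may read accounts in the subject's own region.
    lambda r: r.action == "read"
        and r.attrs["subject"].get("clearance", 0) >= 2
        and r.attrs["subject"].get("region") is not None
        and r.attrs["subject"]["region"] == r.attrs["resource"].get("region"),
]

def pdp_decide(req):
    """PDP: permit if any policy matches, otherwise deny by default."""
    req = pip_enrich(req)
    return "Permit" if any(policy(req) for policy in POLICIES) else "Deny"

def pep_handle(subject, action, resource):
    """PEP: enforce the PDP decision in front of the protected API."""
    if pdp_decide(Request(subject, action, resource)) != "Permit":
        return 403, None
    return 200, ACCOUNTS[resource]
```

Unknown subjects and unknown resources resolve to empty attribute sets, so no policy matches and the PEP returns 403 instead of raising.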