The Rock Solid Knowledge Enforcer Authorization Engine
Enforcer is an authorization engine from Rock Solid Knowledge. It is based around the concept of Attribute Based Access Control (ABAC), where information about a subject (typically a user), the resource they wish to access and the general environment (e.g. time of day) is used to decide whether the intended action can proceed. It is very flexible for modelling access control rules and allows the whole access control policy to be defined in one place.
Prior to ABAC, Role-Based Access Control (RBAC) was the most common model (and it is still widely used today). Here the user holds a number of roles, and membership of those roles determines whether they can perform an action on a resource. However, RBAC has always struggled with more complex rules, e.g. I can perform my co-worker's actions while they are on holiday but not while they are at work. For such rules, RBAC has to rely on them being encoded in application logic, so the authorization policy is suddenly defined in two or more places. This is a problem for a number of reasons:
- Developers are needed to implement changes to some aspects of the policy. This requires a software release, with the associated change-control overhead, so getting a change into production at short notice is not easy.
- It is difficult to test that all of the intended rules are encoded correctly across the role definitions and the application code.
- Auditing the access control rules in action requires the auditor to understand the application code (or to take the developers' word that the rules are correct).
The policy model that Enforcer uses is based on the OASIS industry standard XACML (eXtensible Access Control Markup Language). However, XACML is an XML dialect and is neither easy to read nor easy to author. Enforcer therefore favors policy documents written in another proposed standard, ALFA (Abbreviated Language for Authorization). ALFA is human readable and writable, but it maps onto the same underlying structure for describing policy that XACML uses: policies (and policy sets) with a target, ordered rules that each carry a Permit or Deny effect, and a combining algorithm that resolves which rule's effect wins. That structure has been tried and tested for nearly 20 years.
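To make the ABAC model and the XACML policy shape concrete, here is a small Python evaluator that applies the co-worker-on-holiday rule from above to an expense-claim approval. It is an added example written for this page, not Enforcer's code nor any XACML or ALFA implementation; the scenario, the attribute names (`deputyFor`, `onLeave`, `approver`, `owner`) and the sample data are assumptions chosen for illustration. The policy has a target (which requests it covers), ordered rules each with a Permit or Deny effect, and a combining algorithm; the decision is one of Permit, Deny, NotApplicable or Indeterminate, as in XACML.

```python
"""Toy attribute-based policy evaluator in the XACML/ALFA shape.

Added example for this page. It is not Enforcer's code and not a XACML
implementation; attribute names and the expense-claim scenario are assumed.
"""
from dataclasses import dataclass
from typing import Callable

# A request is a bag of attributes grouped by category:
# {"subject": {...}, "action": {...}, "resource": {...}, "environment": {...}}
Request = dict


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]    # which requests this policy applies to
    rules: list
    algorithm: str = "firstApplicable"   # or "denyOverrides"


def evaluate(policy: Policy, req: Request) -> str:
    """Return "Permit", "Deny", "NotApplicable" or "Indeterminate"."""
    decisions = []
    try:
        if not policy.target(req):
            return "NotApplicable"
        for rule in policy.rules:
            if rule.condition(req):
                if policy.algorithm == "firstApplicable":
                    return rule.effect          # first matching rule wins
                decisions.append(rule.effect)
    except KeyError:
        # A referenced attribute is missing from the request. Report it
        # rather than silently treating the condition as false.
        return "Indeterminate"
    if policy.algorithm == "denyOverrides":
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
    return "NotApplicable"


# --- Policy: who may approve an expense claim (constructed scenario) -------

EXPENSE_APPROVAL = Policy(
    name="expenseApproval",
    target=lambda r: r["action"]["id"] == "approve"
    and r["resource"]["type"] == "expense-claim",
    rules=[
        # Nobody approves their own claim, whatever else is true.
        Rule("denySelfApproval", "Deny",
             lambda r: r["subject"]["id"] == r["resource"]["owner"]),
        # The named approver may approve.
        Rule("approverApproves", "Permit",
             lambda r: r["subject"]["id"] == r["resource"]["approver"]),
        # The rule RBAC struggles with: a deputy may approve only while the
        # named approver is on leave, an environment attribute (assumed name).
        Rule("deputyWhileApproverOnLeave", "Permit",
             lambda r: r["resource"]["approver"] in r["subject"]["deputyFor"]
             and r["resource"]["approver"] in r["environment"]["onLeave"]),
        # Explicit default so a request that matches the target never
        # falls through as NotApplicable.
        Rule("defaultDeny", "Deny", lambda r: True),
    ],
)

# Constructed sample resources: claim 42 owned by carol, approved by alice;
# claim 7 is alice's own claim with alice also listed as approver.
CLAIM_42 = {"type": "expense-claim", "id": "42", "owner": "carol", "approver": "alice"}
CLAIM_7 = {"type": "expense-claim", "id": "7", "owner": "alice", "approver": "alice"}


def build_request(subject_id, deputy_for, action, resource, on_leave) -> Request:
    """Assemble the attribute bag a policy enforcement point would send."""
    return {
        "subject": {"id": subject_id, "deputyFor": set(deputy_for)},
        "action": {"id": action},
        "resource": resource,
        "environment": {"onLeave": set(on_leave)},
    }


def decide(subject_id, deputy_for, action, resource, on_leave) -> str:
    return evaluate(EXPENSE_APPROVAL,
                    build_request(subject_id, deputy_for, action, resource, on_leave))


if __name__ == "__main__":
    print(decide("bob", ["alice"], "approve", CLAIM_42, ["alice"]))  # deputy, alice away
    print(decide("bob", ["alice"], "approve", CLAIM_42, []))         # deputy, alice at work
    print(decide("alice", [], "approve", CLAIM_7, []))               # own claim
```

Note the two things the rule ordering and combining algorithm buy you: `denySelfApproval` sits first so no later Permit can override it under `firstApplicable`, and the catch-all `defaultDeny` is only safe under `firstApplicable`; the same rule list evaluated with `denyOverrides` denies every request, because the default rule always matches. That is the kind of mistake a single, testable policy document exposes and scattered application code does not.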
Finally, Enforcer has a number of extensibility points that allow organisations to model their own environment and access control rules as precisely as they see fit.