Hi Michael,
You're right that ISAM has some capabilities around XACML and in fact, our Context Based Access capabilities are all based around the use of XACML and the broader capabilities under the covers. And these are utilized extensively by our customer base. I would still describe this use case as an "Authorization" use case, rather than "Authentication" - where the authentication capabilities are simply used to mitigate risk - as an "obligation" in XACML terms.
In terms of servicing generic XACML calls, we've made some enhancements to the XACML engine interface to allow a number of customers who have been using TSPM, our historical XACML-based centralised decision engine (PDP), to migrate their use cases to ISAM (TSPM has now gone end of support).
In short, if you're using ISAM today, and you have some needs for a generic decision engine, ISAM could meet your requirements and allow you to avoid purchasing an alternative (and often expensive) solution. In my experience, you will typically build your policy in combination with a data tier (DB or LDAP), and store significant portions of the relevant data in the accompanying PIPs - (mostly since XACML only scales so well in large quantities), using the XACML policies to build/map the data into Access Decisions. And you will need to configure/code/customise your enforcement points to call the XACML APIs - these are documented interfaces in our REST API documentation.
Strategically, we are focused on ensuring the CBA AZN engine evolves with our product, with 'ISAM' as the primary PEP. If your requirements have some alignment with that, then it can work nicely. If not, then your results may vary.
I hope this helps.
------------------------------
Philip Nye
IBM
Gold Coast
------------------------------
Original Message:
Sent: Sat June 15, 2019 06:59 AM
From: Michael Boey*****
Subject: ISAM as PDP for authorization decisions
Hi Community,
Is anyone (extensively) using ISAM as a PDP for authorization, not just authentication? Since ISAM supports XACML, theoretically it seems that it could be used as such.
We are looking into solutions which can aid in decoupling authorization from the business logic of an application. Typically an application executes a lot of authorization decisions internally (e.g. function X can only be called if user context shows that you have the admin role). Initiatives such as XACML and NGAC try to provide standardized protocols to externalize these authorization decisions.
However, since ISAM is mainly focused on authentication, I doubt that ISAM would be a good fit. Perhaps someone who has experimented with ISAM to externalize authorization decisions can prove me wrong?
Kind regards,
Michael
------------------------------
Michael
------------------------------
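Added example, not code from either post or from ISAM: a minimal model of the split both messages describe (an application's enforcement point asks a PDP, the PDP fills in attributes from a PIP backed by a DB/LDAP stand-in, and the "admin role" rule from the original question is decided externally). The request and response shapes follow the XACML 3.0 JSON profile; the policy, the directory contents and the `urn:example:*` obligation identifier are constructed for illustration.

```python
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STEP_UP = "urn:example:obligation:step-up-authn"  # hypothetical obligation id, not an ISAM identifier

# Constructed stand-in for the DB/LDAP data tier a PIP would query.
DIRECTORY = {
    "alice": {"role": "admin", "authn_level": 1},
    "bob": {"role": "user", "authn_level": 2},
    "carol": {"role": "admin", "authn_level": 2},
}

def pip_lookup(subject_id):
    """PIP: resolves subject attributes the request did not carry."""
    return DIRECTORY.get(subject_id, {})

def attribute(request, category, attribute_id):
    """Reads one attribute value from a XACML 3.0 JSON-profile request."""
    for a in request["Request"].get(category, {}).get("Attribute", []):
        if a["AttributeId"] == attribute_id:
            return a["Value"]
    return None

def pdp_evaluate(request):
    """PDP: stand-in for the policy 'manage-users needs role admin; step up if authn_level < 2'."""
    action = attribute(request, "Action", ACTION_ID)
    if action != "manage-users":
        return {"Response": [{"Decision": "NotApplicable"}]}  # no policy targets this action
    subject = pip_lookup(attribute(request, "AccessSubject", SUBJECT_ID))
    if subject.get("role") != "admin":
        return {"Response": [{"Decision": "Deny"}]}
    result = {"Decision": "Permit"}
    if subject.get("authn_level", 0) < 2:
        result["Obligations"] = [{"Id": STEP_UP}]  # Permit, but only after stronger authentication
    return {"Response": [result]}

def pep_enforce(subject_id, action_id, resource_id):
    """PEP: builds the request, calls the PDP, treats non-Permit as deny, honours obligations."""
    request = {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject_id}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action_id}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource_id}]},
    }}
    result = pdp_evaluate(request)["Response"][0]
    if result["Decision"] != "Permit":
        return "denied"
    if any(o["Id"] == STEP_UP for o in result.get("Obligations", [])):
        return "step-up-required"
    return "allowed"
```

The PEP deliberately treats `NotApplicable` and `Indeterminate` the same as `Deny`, so a gap in the externalised policy fails closed rather than open.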