- Can business managers (who should determine how access controls are implemented) define and modify different authorization logic?
- Can we find new IT technicians to manage these legacy systems, especially when those who developed the system have left the organization?
- Can different authorization logic be modified dynamically, without any source code changes?
- Is the authorization system capable of evaluating the following rule? “X resource can be accessed by the users who are from the example.com domain and whose age is greater than 21 years”
- If we are going to implement a new information system within the organization, can we re-use the authorization logic of a legacy system?
- Can we achieve a fine-grained authorization level without defining a large number of static combinations?
- Are the authorization systems capable of answering questions such as: “Can a user, Bob Alex, transfer X amount from Y current account at 1.00pm?”
As an example, let's look at a Target element. In XACML 2.0, we have an AND relationship between the foo1 and foo2 resources and an OR relationship between the bar1 and bar2 actions. However, we cannot create an OR relationship between a foo1 resource and a bar1 action, so we cannot define something such as “Target would be matched when Bob Alex can access the foo resource or do a bar action” by using the

XACML 3.0 has an AND relationship between the “foo” resource and the “bar1” role and an OR relationship with the “bar2” action. So we can define something such as “Target would be matched when Bob Alex can access the foo resource and do the bar1 action, or do the bar2 action”.
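The structure behind that difference is that a XACML 3.0 Target is a conjunction of AnyOf elements, each AnyOf a disjunction of AllOf elements, and each AllOf a conjunction of Match elements that may mix subject, resource and action attributes. The toy evaluator below is an added example, not code from the page or from any XACML implementation, and uses short stand-in names ("subject", "resource", "action", "subject-id", "domain", "age") in place of the XACML category, attribute and function URIs. It builds the "foo and bar1, or bar2" Target for Bob Alex, contrasts it with a 2.0-shaped Target whose alternatives can only be ORed inside one category, and also expresses the earlier "example.com domain and age greater than 21" rule as a single AllOf.

```python
"""Toy evaluator for XACML 3.0 Target semantics (added example, not from the page).

Target  = AND over AnyOf elements (an empty Target matches everything)
AnyOf   = OR  over AllOf elements
AllOf   = AND over Match elements, which may mix categories
Category, attribute and function names are stand-ins for the real XACML URIs.
"""
from dataclasses import dataclass
from typing import Any

# Request context: category -> attribute-id -> value (constructed for this example)
Request = dict[str, dict[str, Any]]


@dataclass(frozen=True)
class Match:
    """One <Match>: compares a request attribute with a literal via a function."""
    category: str
    attribute_id: str
    function: str  # stand-in for the XACML function URI
    value: Any

    def evaluate(self, request: Request) -> bool:
        bag = request.get(self.category, {})
        if self.attribute_id not in bag:
            return False  # missing attribute: no match (Indeterminate collapsed to False)
        actual = bag[self.attribute_id]
        if self.function == "string-equal":
            return actual == self.value
        if self.function == "integer-greater-than":
            return isinstance(actual, int) and actual > self.value
        raise ValueError(f"unsupported function {self.function}")


@dataclass(frozen=True)
class AllOf:
    """<AllOf>: every Match must hold."""
    matches: tuple[Match, ...]

    def evaluate(self, request: Request) -> bool:
        return all(m.evaluate(request) for m in self.matches)


@dataclass(frozen=True)
class AnyOf:
    """<AnyOf>: at least one AllOf must hold."""
    all_ofs: tuple[AllOf, ...]

    def evaluate(self, request: Request) -> bool:
        return any(a.evaluate(request) for a in self.all_ofs)


@dataclass(frozen=True)
class Target:
    """<Target>: every AnyOf must hold."""
    any_ofs: tuple[AnyOf, ...]

    def matches(self, request: Request) -> bool:
        return all(a.evaluate(request) for a in self.any_ofs)


def eq(category: str, attr: str, value: Any) -> Match:
    return Match(category, attr, "string-equal", value)


# 3.0 Target from the text: subject Bob Alex AND ((resource foo AND action bar1) OR action bar2).
# The second AnyOf mixes resource and action matches inside one AllOf.
BOB_TARGET_V3 = Target((
    AnyOf((AllOf((eq("subject", "subject-id", "Bob Alex"),)),)),
    AnyOf((
        AllOf((eq("resource", "resource-id", "foo"), eq("action", "action-id", "bar1"))),
        AllOf((eq("action", "action-id", "bar2"),)),
    )),
))

# Target for "X can be accessed by users from example.com whose age is greater than 21".
AGE_DOMAIN_TARGET = Target((
    AnyOf((AllOf((
        eq("resource", "resource-id", "X"),
        eq("subject", "domain", "example.com"),
        Match("subject", "age", "integer-greater-than", 21),
    )),)),
))


def v2_style_target(subjects, resources, actions) -> Target:
    """Shape of a 2.0 Target: alternatives are ORed inside a category and the
    categories are ANDed, so a disjunction cannot cross categories."""
    def group(category, attr, values):
        return AnyOf(tuple(AllOf((eq(category, attr, v),)) for v in values))
    return Target((group("subject", "subject-id", subjects),
                   group("resource", "resource-id", resources),
                   group("action", "action-id", actions)))


def request(subject: str, resource: str, action: str, **subject_attrs) -> Request:
    """Build a constructed request context; extra keywords become subject attributes."""
    return {"subject": {"subject-id": subject, **subject_attrs},
            "resource": {"resource-id": resource},
            "action": {"action-id": action}}


if __name__ == "__main__":
    v2 = v2_style_target(["Bob Alex"], ["foo"], ["bar1", "bar2"])
    for res, act in (("foo", "bar1"), ("baz", "bar2"), ("baz", "bar1")):
        req = request("Bob Alex", res, act)
        print(res, act, "3.0:", BOB_TARGET_V3.matches(req), "2.0-shape:", v2.matches(req))
```

The 2.0-shaped Target built from the same attribute values yields "foo AND (bar1 OR bar2)", which is not the intended rule: a request for resource baz with action bar2 is rejected by the 2.0 shape and accepted by the 3.0 Target. Under 2.0 the same effect needs a second policy or rule, which is the duplication the text is pointing at.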
This is also a new profile that comes with XACML 3.0. It allows you to define policies about who can write policies about what. For example, “Bob Alex may issue a policy, but only about resources in department X”.