At the core of NextLabs’ solutions is our patented dynamic authorization technology based on Attribute-Based Access Control (ABAC). Dynamic authorization is a technology in which authorization and access rights to an organization’s network, applications, data or other sensitive assets are granted dynamically in real time using attribute-based rules and policies.
In ABAC solutions, attributes are characteristics of the user, the data or the environment, such as group, department, employee status, citizenship, position, device type, IP address, or any other factors which could affect the authorization outcome. Access decisions are based on this information. They consider the person, the action they want to perform, and the resource they want to access.
With traditional Role-Based Access Control (RBAC) or list-based authorization systems, administrators need to constantly monitor and reassess changes in user status, reassign and revoke roles, or even monitor and reassign permissions on individual files or records. A dynamic authorization system based on ABAC, on the other hand, evaluates user, resource, and environment attributes against centrally managed rules and policies at runtime. This means access is determined based on the latest user status, current set of data classifications and relationships, and information about the current environment. Organizations that utilize ABAC can make smarter decisions based on real-time information.
The applications and data users can access, the transactions they can submit, and the operations users can perform automatically change based on these contextual factors. For example, a user who is reassigned to a different project can automatically access information related to the new project but no longer access information related to their previous assignment. An account executive who is reassigned to a new territory is automatically able to see accounts and products in their new territory, but they are no longer able to access anything from their old territory. ABAC systems automatically account for situational changes.
Attributes can be sourced from the protected applications and systems, and can also be retrieved from any other data source – employee information from an internal HR system, customer information from Salesforce.com, databases, LDAP servers, and even from a business partner for federated identities.
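The project-reassignment case described above, as an added sketch of a runtime attribute check. It is not NextLabs' product code or policy language, and `HR_DIRECTORY`, `CORPORATE_NET`, `POLICY` and `decide` are hypothetical names with constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed attribute source standing in for an HR system; read on every request.
HR_DIRECTORY = {
    "alice": {"employee_status": "active", "project": "apollo", "territory": "emea"},
}
CORPORATE_NET = ip_network("10.0.0.0/8")  # assumed corporate address range

@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: dict      # resource attributes, e.g. {"type": "project_doc", "project": "apollo"}
    environment: dict   # environment attributes, e.g. {"ip": "10.1.2.3"}

# Centrally defined rules: predicates over (user attrs, action, resource attrs).
POLICY = [
    lambda u, a, r: r.get("type") == "project_doc" and a in ("read", "edit")
                    and u.get("project") == r.get("project"),
    lambda u, a, r: r.get("type") == "account" and a == "read"
                    and u.get("territory") == r.get("territory"),
]

def decide(req: Request) -> str:
    """Return "Permit" or "Deny". Default is deny; attributes are fetched at decision time."""
    user = HR_DIRECTORY.get(req.user)
    if user is None or user.get("employee_status") != "active":
        return "Deny"
    try:
        on_network = ip_address(req.environment.get("ip", "")) in CORPORATE_NET
    except ValueError:  # missing or malformed address counts as off-network
        on_network = False
    if not on_network:
        return "Deny"
    permitted = any(rule(user, req.action, req.resource) for rule in POLICY)
    return "Permit" if permitted else "Deny"

def reassignment_demo():
    """Same two requests before and after HR changes one attribute; no role or ACL is edited."""
    env = {"ip": "10.1.2.3"}
    old = Request("alice", "read", {"type": "project_doc", "project": "apollo"}, env)
    new = Request("alice", "read", {"type": "project_doc", "project": "zeus"}, env)
    before = (decide(old), decide(new))
    HR_DIRECTORY["alice"]["project"] = "zeus"  # reassignment recorded in the attribute source
    after = (decide(old), decide(new))
    return before, after

if __name__ == "__main__":
    print(reassignment_demo())
```

Because `decide` reads the directory on each call, the decision is only as current and trustworthy as the attribute source, so that source needs the same integrity controls as the policy itself.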