
Dynamic Authorization with ABAC (Attribute Based Access Control)

At the core of NextLabs’ solutions is our patented dynamic authorization technology based on Attribute Based Access Control or ABAC. Dynamic authorization is a technology in which authorization and access rights to an organization’s network, applications, data or other sensitive assets are granted dynamically in real-time using attribute-based rules and policies.

In ABAC solutions, attributes are characteristics of the user, the data, or the environment, such as group, department, employee status, citizenship, position, device type, IP address, or any other factor that could affect the authorization outcome. Access decisions are based on this information. They consider the person, the action they want to perform, and the resource they want to access.

With traditional Role-Based Access Control (RBAC) or list-based authorization systems, administrators need to constantly monitor and reassess changes in user status, reassign and revoke roles, or even monitor and reassign permissions on individual files or records. A dynamic authorization system based on ABAC, on the other hand, evaluates user, resource, and environment attributes against centrally managed rules and policies at runtime. This means access is determined based on the latest user status, current set of data classifications and relationships, and information about the current environment. Organizations that utilize ABAC can make smarter decisions based on real-time information.

The applications and data users can access, the transactions they can submit, and the operations they can perform automatically change based on these contextual factors. For example, a user who is reassigned to a different project can automatically access information related to the new project but can no longer access information related to their previous assignment. An account executive who is reassigned to a new territory is automatically able to see accounts and products in their new territory, but is no longer able to access anything from their old territory. ABAC systems automatically account for situational changes.
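The territory reassignment described above, as an added example (not NextLabs code): a minimal attribute-based decision function using deny-overrides and default deny, where a missing attribute fails closed. The policy names, attribute keys, network range and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass(frozen=True)
class Request:
    subject: dict       # user attributes (e.g. sourced from HR)
    action: str
    resource: dict      # data attributes (type, territory, classification)
    environment: dict   # context (source IP, device type)

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                           # "permit" or "deny"
    condition: Callable[[Request], bool]

CORP_NET = ip_network("10.0.0.0/8")       # constructed sample network
# Centrally managed rules (hypothetical): data, not per-application code paths.
POLICIES = [
    Policy("inactive-staff", "deny", lambda r: r.subject["employee_status"] != "active"),
    Policy("restricted-off-network", "deny",
           lambda r: r.resource["classification"] == "restricted"
           and ip_address(r.environment["ip"]) not in CORP_NET),
    Policy("own-territory-accounts", "permit",
           lambda r: r.action in {"read", "update"}
           and r.resource["type"] == "account"
           and r.resource["territory"] == r.subject["territory"]),
]

def decide(req: Request, policies=POLICIES) -> tuple[str, str]:
    """Deny-overrides, default deny; a missing or malformed attribute fails closed."""
    permit = None
    for p in policies:
        try:
            hit = p.condition(req)
        except (KeyError, ValueError) as exc:
            return "deny", f"indeterminate in {p.name}: {exc!r}"
        if hit and p.effect == "deny":
            return "deny", p.name
        permit = permit or (p.name if hit else None)
    return ("permit", permit) if permit else ("deny", "no-matching-permit")

if __name__ == "__main__":
    hr = {"employee_status": "active", "territory": "EMEA"}    # constructed HR record
    acct = {"type": "account", "territory": "EMEA", "classification": "internal"}
    for territory in ("EMEA", "APAC"):    # reassignment changes one HR attribute only
        hr["territory"] = territory
        print(territory, decide(Request(hr, "read", acct, {"ip": "10.1.2.3"})))
```

The decision flips from permit to deny on the second iteration without any role or ACL being edited; only the attribute the policy reads has changed.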

Attributes can be sourced from the protected applications and systems, and can also be retrieved from any other data source – employee information from an internal HR system, customer information from Salesforce.com, databases, LDAP servers, and even from a business partner for federated identities.

[Image: NextLabs' ABAC solution]

An ABAC dynamic authorization system significantly streamlines the management process. It removes the need to individually administer thousands or even hundreds of thousands of access control lists and/or roles and role assignments on a daily basis. Organizations also do not need to deploy expensive and complex identity governance solutions. With ABAC, hundreds of roles can be replaced by just a few policies. These policies are managed centrally across all sensitive applications and systems, providing a single, consistent view of who can do what, and under what circumstances. Centralized management makes it easy to add or update policies and quickly deploy them across the enterprise.

Authorization policies are managed externally from the protected application (Externalized Authorization Management), so they can be modified without requiring code changes or application downtime. This enables organizations to react quickly to business or regulatory requirements as they occur, greatly increasing agility and flexibility, and enhancing overall data protection. Dynamic Authorization with ABAC also provides central monitoring and tracking of user activity and data access, giving compliance and security officers insight into user behavior and suspicious activity.

In summary, Dynamic Authorization offers significant benefits over traditional access models:

  • vastly improved security
  • improved visibility and control
  • increased compliance
  • improved business agility
  • lower costs