This creates a need for runtime authorization, where authorization decisions are made in real time when the user is accessing an application or data. Evaluating the decision at runtime, when more information about the user and their actions is available, allows more fine-grained decisions to be made. Because of this, runtime authorization has become a focal point for developing the next generation of identity-centric access controls. These controls cover both human and non-human use cases and can support the high volume and velocity of access to modern apps, computing units, data objects, and underlying networks.
Runtime authorization systems require an architectural view of the end-to-end access path. This path spans from the authenticated subject to the target object, considering all tiers, intended actions and computing environment requirements. Each authorization control in this path requires a set of policy management capabilities to define and maintain what policies should be enforced, along with runtime services to evaluate and enforce those policies in real time.
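The split described above between policy management (rules kept as data for each tier of the access path) and a runtime service that evaluates them per request, as an added example that is not from the original text. The tier names, rule names, attributes and the 900-second MFA threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    subject: dict   # authenticated subject (human or workload) and entitlements
    action: str     # intended action
    resource: dict  # target object attributes
    env: dict       # runtime context known only at access time

# Policy management side: rules kept as data, grouped by tier of the access path.
# Tier names, rule names, attributes and thresholds are all hypothetical.
POLICIES = {
    "network": [("known_zone", lambda r: r.env["source_zone"] in {"corp", "workload-mesh"})],
    "application": [
        ("entitled", lambda r: r.action in r.subject["allowed_actions"]),
        ("fresh_mfa", lambda r: r.subject["kind"] != "human"
                                or r.env["mfa_age_s"] <= 900),
    ],
    "data": [
        ("attested_for_restricted", lambda r: r.resource["classification"] != "restricted"
                                              or r.env["attested"] is True),
    ],
}

def decide(req: Request) -> tuple[bool, list[str]]:
    """Runtime side: evaluate every tier; any failed or unevaluable rule denies."""
    failed = []
    for tier, rules in POLICIES.items():
        for name, rule in rules:
            try:
                ok = bool(rule(req))
            except (KeyError, TypeError):
                ok = False  # missing or malformed attribute: fail closed
            if not ok:
                failed.append(f"{tier}:{name}")
    return (not failed, failed)

# Constructed sample requests (not from the page).
ANALYST = Request({"kind": "human", "allowed_actions": ("read",)}, "read",
                  {"classification": "restricted"},
                  {"source_zone": "corp", "mfa_age_s": 120, "attested": True})
STALE = replace(ANALYST, env={**ANALYST.env, "mfa_age_s": 3600})  # same user, later
BATCH_JOB = Request({"kind": "workload", "allowed_actions": ("read",)}, "read",
                    {"classification": "internal"}, {"source_zone": "workload-mesh"})

if __name__ == "__main__":
    for label, req in [("analyst", ANALYST), ("stale", STALE), ("batch", BATCH_JOB)]:
        print(label, decide(req))
```

`ANALYST` and `STALE` carry the same subject and entitlements; only the runtime context differs, and the decision changes with it.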