Slide 1

Slide 1 text

Data Entitlement in an API-Centric Architecture
04/02/2015
Nuwan Bandara, Senior Technical Lead

Slide 2

Slide 2 text

Entitlement in general
John Doe needs to read a web page
John authenticates with the system
The system checks John's role and its associated permissions
If allowed, John is presented with the page
(Diagram: traditional application; authenticate -> authorize -> access)

Slide 3

Slide 3 text

API-centric entitlements
John Doe needs to read resource foo
John authenticates with the system
The system checks John's role and its associated permissions
If allowed, John is presented with the resource
(Diagram: API gateway; authenticate -> authorize -> access)

Slide 4

Slide 4 text

Common aspects of the typical use case
Involvement of an actor (John)
Involvement of a resource (page / data)
Use of permissions
Use of an attribute (role)
Involvement of an action (READ)

Slide 5

Slide 5 text

Entitlement complexities
Complex rules
Too many combinations
Maintenance nightmare over time (a role per user / too many granular permissions)
Too many changes (governance nightmare)
Application-centric

Slide 6

Slide 6 text

Who should provide entitlements?
Classic use case:
Sales Managers need access to ALL sales data
Sales Team A and Sales Team B need access only to the sales data belonging to their specific sales group
(Diagram: Sales Managers, Sales Team A and Sales Team B reach the Sales Database through Application X and Application Y. Who should provide entitlements?)

Slide 7

Slide 7 text

Traditional design
(Diagram: an Entitlements System holding the Entitlements Repo sits beside the Business Application, which has a Presentation layer and a Data Access Layer. Flow: (1) request for permitted access to the entitlements repo, (2) authorized items returned, (3) request for data from the presentation layer to the data access layer, (4) query data with filter metadata, (5) filtered data returned, (6) data exchange / response to the presentation layer.)

Slide 8

Slide 8 text

Where do the rules exist?
At the application layer?
At the API layer?
At the data access layer?
(Diagram: application -> API gateway -> data services)

Slide 9

Slide 9 text

Modern entitlement design principles
Re-usability
Application / API neutral
Loosely coupled to the underlying system
Centrally manageable
Performance

Slide 10

Slide 10 text

Data entitlement at the data access layer
Conceptual SOA-driven data entitlements
(Diagram: Application A (User Group A) and Application B (User Group B) send requests to the Data Service. The Data Access Service queries the Entitlements Service, backed by the Entitlements Store, based on a user attribute (e.g. role); the Filter Builder applies the result as a request for filtered data, and the Data Service returns the filtered response to the application.)

Slide 11

Slide 11 text

Challenges
Externalized entitlement engines are often seen as an unnecessary task and an overhead
Needs fresh thinking and often re-writing the applications / APIs in a permission-agnostic manner
Must be standards driven
Need to optimize for performance

Slide 12

Slide 12 text

Benefits
Benefits are more long term
Helps organizations adapt more easily to changing business needs and data security requirements
Centralized management of platform-level policies
Ideal for heterogeneous systems: a unified access model to entitlements data
Service mindset: everything is a service, including entitlements

Slide 13

Slide 13 text

Entitlements at the API layer
(Diagram: application -> API gateway -> data services, with the API gateway consulting the entitlement engine; steps: authenticate, authorize, data access)

Slide 14

Slide 14 text

What's new in entitlement with regard to APIs
APIs have defined interactions (GET/PUT/POST/DELETE etc.)
APIs have token-based authentication
APIs have associated concepts (throttling / billing)
APIs are typically centrally managed

Slide 15

Slide 15 text

Entitlement patterns for API architectures
Attribute-based access control: user Doe can READ resource Foo
Policy-based access control: user Doe can READ resource Foo only 10 times per day

Slide 16

Slide 16 text

Entitlement policies and decision engines
XACML is the standard for policy-based entitlement
XACML provides rich entitlement rule authoring capability
XACML policies are evaluated on a decision engine
XACML has a defined sequence of integration with applications and APIs: PEP / PDP / PAP / PIP
(Diagram: the requester calls the data service; the PEP (Policy Enforcement Point) sends a XACML request to the PDP (Policy Decision Point) and receives a XACML response; the PDP retrieves policies from the Policy Store through the Policy Retrieval Point (PRP) and attributes from the Attribute Store through the PIP (Policy Information Point); policies are managed through the PAP (Policy Administration Point).)

Slide 17

Slide 17 text

Putting it all together
(Diagram: (1) App A / App B send a getSalesInfo request with a wsse:UsernameToken to the PEP; (2) the Entitlements Mediator sends a XACML request to the PDP in IS, which draws on the PAP, the PIP, the XACML policy, the Enterprise User Store and its DB; (3) XACML response with advices, or a fault response on Deny; (4) build a dynamic query using the advices (claims); (5) getSalesInfo with entitlements-based filtering is sent to the DSS over the Sales Datastore; (6) filtered response; (7) the response is returned to the app. App X with its own DB is shown alongside.)

Slide 18

Slide 18 text

API gateway flow for authorization
(Flowchart: Authenticate user -> Call mediator -> Entitlements: Permit? -> Yes: Extract claims -> Build dynamic query -> Call data service -> Send response; No: Return fault)
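The flowchart above, and the getSalesInfo sequence on the previous slide, carried through in code. This is an added example, not code from the deck or from WSO2: the entitlements mediator is a stub returning the kind of decision and advice (claims) a XACML PDP would, the user store and the sales rows are constructed, and the "data service" is an in-memory SQLite table. The usernames, password hashes, the sales_group claim and the "*" convention for the sales-manager rule are all assumptions. The point worth taking away is in build_dynamic_query: claims taken from the advice are bound as query parameters, never concatenated into SQL text, and a Permit that carries no scoping claim fails closed rather than returning everything.

```python
"""Slide-18 gateway flow: authenticate -> mediator -> permit? -> dynamic query -> data service."""
import hashlib
import hmac
import sqlite3

# Constructed user store: salted SHA-256 password hashes for hypothetical users.
_SALT = b"demo-salt"
USER_STORE = {
    "alice": hashlib.sha256(_SALT + b"alice-pw").hexdigest(),  # sales manager
    "bob": hashlib.sha256(_SALT + b"bob-pw").hexdigest(),      # sales team A
    "carol": hashlib.sha256(_SALT + b"carol-pw").hexdigest(),  # authenticated, no entitlement
}

# Constructed stand-in for the PDP: (decision, advice) per user.
# "*" is an assumed convention meaning the sales-manager rule matched (ALL sales data).
ENTITLEMENTS = {
    "alice": ("Permit", {"sales_group": "*"}),
    "bob": ("Permit", {"sales_group": "A"}),
    "carol": ("Deny", {}),
}

# Constructed sales data: (id, amount, sales_group).
SALES_ROWS = [(1, 100, "A"), (2, 250, "B"), (3, 75, "A"), (4, 900, "B")]


def authenticate(username, password):
    """wsse:UsernameToken stand-in: constant-time compare against the salted hash."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = USER_STORE.get(username, "0" * 64)  # compare even for unknown users
    return hmac.compare_digest(digest, stored) and username in USER_STORE


def call_mediator(username):
    """Entitlements mediator stub; in the deck this is a XACML request/response."""
    return ENTITLEMENTS.get(username, ("Deny", {}))


def build_dynamic_query(advice):
    """Filter builder: turn advice claims into SQL plus bound parameters."""
    sql = "SELECT id, amount, sales_group FROM sales"
    group = advice.get("sales_group")
    if group is None:  # Permit without a scoping claim: fail closed, return nothing
        return sql + " WHERE 0", ()
    if group == "*":   # sales-manager rule: no row filter
        return sql + " ORDER BY id", ()
    # The claim value is a parameter, so a hostile value cannot alter the query.
    return sql + " WHERE sales_group = ? ORDER BY id", (group,)


def data_service(sql, params):
    """Stand-in for the data services layer: an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sales (id INTEGER, amount INTEGER, sales_group TEXT)")
    con.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES_ROWS)
    return con.execute(sql, params).fetchall()


def get_sales_info(username, password):
    """The gateway flow from the slide; returns rows on success or a fault."""
    if not authenticate(username, password):
        return {"fault": "authentication failed"}
    decision, advice = call_mediator(username)
    if decision != "Permit":
        return {"fault": "not entitled"}
    sql, params = build_dynamic_query(advice)
    return {"rows": data_service(sql, params)}


if __name__ == "__main__":
    print(get_sales_info("alice", "alice-pw"))  # all four rows
    print(get_sales_info("bob", "bob-pw"))      # only sales_group A
    print(get_sales_info("carol", "carol-pw"))  # fault: not entitled
```

Because the filter is built by the gateway from advice rather than by each application, adding a new sales team or changing who counts as a manager is a policy change at the entitlements service, not a code change in App A or App B.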

Slide 19

Slide 19 text

Sample policy
(Policy fragment, partially cut off on the slide: an AttributeDesignator with AttributeId "http://wso2.org/claims/rol" (truncated) from the urn:oasis:names:tc:xacml:1.0:subject-category:access-subject category, DataType http://www.w3.org/2001/XMLSchema#string, MustBePresent="true", inside a Rule with RuleId "Rule1".)
In this example we are enforcing that the employee role (a PIP entry) is embedded onto the XACML response.
XACML policy rule set goes here (omitted).
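The rule set the slide omits, written out and evaluated. This is an added example, not code from the deck or from any WSO2 product: a minimal XACML 3.0 evaluator that understands only the elements the inline policy uses (Rule/Condition/Apply, the and, string-equal, integer-less-than and *-one-and-only functions, AttributeDesignator, AdviceExpression) plus the deny-unless-permit combining algorithm; Target matching is left out. The policy encodes both patterns from slide 15 (Doe may READ resource Foo, attribute-based; and only while fewer than 10 reads were made today, policy-based), and, as on slide 19, echoes the subject's role back to the PEP as advice on Permit. Assumptions: the role claim URI is taken to be http://wso2.org/claims/role (the slide cuts it off), the reads-today counter attribute urn:example:reads-today and the users john, jane and jack are invented, and the dict PIP_STORE stands in for the PIP's attribute store.

```python
"""Minimal XACML 3.0 PDP with a PIP hook; handles only the elements in POLICY below."""
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROLE = "http://wso2.org/claims/role"   # assumed full form of the claim URI cut off on the slide
READS = "urn:example:reads-today"      # hypothetical counter attribute served by the PIP

# Constructed policy: READ of Foo only for role employee and only while reads-today < 10;
# on Permit the subject's role is returned as advice.
POLICY = f"""<Policy xmlns="{X[1:-1]}" PolicyId="foo-read" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
 <Target/>
 <Rule RuleId="Rule1" Effect="Permit"><Condition><Apply FunctionId="{FN}and">
  <Apply FunctionId="{FN}string-equal">
   <Apply FunctionId="{FN}string-one-and-only"><AttributeDesignator Category="{RESOURCE}"
    AttributeId="{RESOURCE_ID}" DataType="{XS}string" MustBePresent="true"/></Apply>
   <AttributeValue DataType="{XS}string">Foo</AttributeValue></Apply>
  <Apply FunctionId="{FN}string-equal">
   <Apply FunctionId="{FN}string-one-and-only"><AttributeDesignator Category="{SUBJECT}"
    AttributeId="{ROLE}" DataType="{XS}string" MustBePresent="true"/></Apply>
   <AttributeValue DataType="{XS}string">employee</AttributeValue></Apply>
  <Apply FunctionId="{FN}integer-less-than">
   <Apply FunctionId="{FN}integer-one-and-only"><AttributeDesignator Category="{SUBJECT}"
    AttributeId="{READS}" DataType="{XS}integer" MustBePresent="true"/></Apply>
   <AttributeValue DataType="{XS}integer">10</AttributeValue></Apply>
 </Apply></Condition></Rule>
 <AdviceExpressions><AdviceExpression AdviceId="urn:example:advice:role" AppliesTo="Permit">
  <AttributeAssignmentExpression AttributeId="{ROLE}"><AttributeDesignator Category="{SUBJECT}"
   AttributeId="{ROLE}" DataType="{XS}string" MustBePresent="true"/></AttributeAssignmentExpression>
 </AdviceExpression></AdviceExpressions>
</Policy>"""

# Constructed attribute store standing in for the PIP.
PIP_STORE = {"john": {ROLE: "employee", READS: 3},
             "jane": {ROLE: "contractor", READS: 0},
             "jack": {ROLE: "employee", READS: 10}}


def make_request(user, resource):
    """The request context a PEP sends, keyed (category, attribute-id) -> bag of values."""
    return {(SUBJECT, SUBJECT_ID): [user], (RESOURCE, RESOURCE_ID): [resource]}


def designator_bag(el, request, pip):
    """Resolve an AttributeDesignator: request context first, then the PIP for subject attributes."""
    cat, attr = el.get("Category"), el.get("AttributeId")
    bag = list(request.get((cat, attr), []))
    if not bag and cat == SUBJECT:
        uid = request.get((SUBJECT, SUBJECT_ID), [None])[0]
        val = pip.get(uid, {}).get(attr)
        bag = [] if val is None else [val]
    if not bag and el.get("MustBePresent") == "true":
        raise LookupError(attr)  # Indeterminate in XACML terms
    return bag


def eval_expr(el, request, pip):
    """Evaluate an AttributeValue, AttributeDesignator or Apply element."""
    tag = el.tag[len(X):]
    if tag == "AttributeValue":
        return int(el.text) if el.get("DataType") == XS + "integer" else el.text
    if tag == "AttributeDesignator":
        return designator_bag(el, request, pip)
    fn = el.get("FunctionId")[len(FN):]
    args = [eval_expr(c, request, pip) for c in el]
    if fn == "and":
        return all(args)
    if fn.endswith("one-and-only"):
        if len(args[0]) != 1:
            raise ValueError("bag must hold exactly one value")
        return args[0][0]
    if fn == "string-equal":
        return args[0] == args[1]
    if fn == "integer-less-than":
        return int(args[0]) < int(args[1])
    raise NotImplementedError(fn)


def evaluate(policy_xml, request, pip=PIP_STORE):
    """Return (decision, advice); deny-unless-permit, so Indeterminate collapses to Deny."""
    policy = ET.fromstring(policy_xml)
    decision = "Deny"
    for rule in policy.iter(X + "Rule"):
        cond = rule.find(X + "Condition")
        try:
            if (cond is None or eval_expr(cond[0], request, pip)) and rule.get("Effect") == "Permit":
                decision = "Permit"
                break
        except (LookupError, ValueError):
            pass  # missing or multi-valued attribute: this rule does not permit
    advice = {}
    if decision == "Permit":
        for ae in policy.iter(X + "AdviceExpression"):
            if ae.get("AppliesTo") == "Permit":
                for a in ae.iter(X + "AttributeAssignmentExpression"):
                    advice[a.get("AttributeId")] = eval_expr(a[0], request, pip)
    return decision, advice


if __name__ == "__main__":
    print(evaluate(POLICY, make_request("john", "Foo")))  # Permit, role advice attached
    print(evaluate(POLICY, make_request("jack", "Foo")))  # Deny: 10 reads already today
```

Two details matter for a PEP that consumes this. A missing MustBePresent attribute yields Deny rather than Permit, which is the fail-closed behaviour you want from deny-unless-permit. And the advice carries the role the PDP actually used, so the data access layer can build its filter from a decision it did not have to recompute.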

Slide 20

Slide 20 text

Summary
Data entitlement is central to an API architecture
Entitlement rules need to be loosely coupled to the API runtime
The entitlement engine has to be capable of evaluating granular rules
Data access has to be controlled via an entitlement engine, as the permutations and combinations for data access can grow massively over time

Slide 21

Slide 21 text

Thank You