Are there best practices for using authorization policy servers with Apigee Edge API proxies?

Does your company or enterprise have an external or self-standing authorization policy server? (this is sometimes called a "XACML" server, but I don't want to limit my question to those who use XACML specifically)

The products I am thinking of are those like IBM Tivoli Security Policy Manager, or Axiomatics Policy Server, Jericho Systems' product, or Oracle’s (BEA’s) Entitlements Server. (I think all of those use XACML). Microsoft has a policy server that does not use XACML, called AzMan.

Do you have one of these in your enterprise?

Do you integrate it with Apigee Edge? If so how? (I'm imagining a typical usage to be: an API proxy in Edge calls out into the policy server via a network interface). What are the common adoption patterns?

If you do not use a policy server with Apigee Edge, why not? How do you answer the question "should the API Proxy allow this call to go through?" ?

Also, aside from whether you use a policy server within Apigee Edge or not, if you have a policy server, is your enterprise continuing to invest in the external authorization server for other systems? Is usage increasing or decreasing?

I'd love to hear what other people are doing. I'd love to gain some insight.

I can think of one reason why you WOULD want to use a policy server: stricter control of who can do what.

I can think of a big reason why you WOULD NOT want to use one: it's too complicated.

I'd like to hear some other views though.

I'm thinking Apigee Edge BaaS would be an easy way to store authorization rules. It would basically follow the XACML model, where you have {subject, object, action} tuples, and a YES or NO decision for each tuple.

The subject would be a "role" probably. The objects would be uuids for the various backend systems or resources, and the ACTION could be PUT/POST/GET/DELETE or CRUD if you like. Simple, easy.

The role would be something that is asserted by the IdP at the time the user is authenticated. Or in the absence of user authentication, the role might be "anonymous".

One could imagine including the user identity AND the client identity into the role.

At runtime, Edge would query BaaS and get the answer for the particular subject + action + object.

Would this work?

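A runnable sketch of the {subject, object, action} lookup described in the post above, as an added example (not code from the post, from Apigee, or from any of the policy servers named). The policy table, role names and resource ids are constructed; it assumes the table has already been fetched from BaaS and the role already taken from the IdP assertion before this check runs.

```javascript
// Minimal policy decision point for the {subject, object, action} model.
// Everything not explicitly listed as YES is denied (default deny).

// Map HTTP verbs onto CRUD so a rule can be written either way.
const VERB_TO_CRUD = { POST: 'create', GET: 'read', PUT: 'update', DELETE: 'delete' };

function normalizeAction(action) {
  const verb = String(action).toUpperCase();
  return VERB_TO_CRUD[verb] || String(action).toLowerCase();
}

// Constructed policy table (stand-in for what BaaS would return).
// One row per tuple; decision is the YES/NO from the post's model.
const POLICY = [
  { subject: 'billing-admin', object: 'res-1111', action: 'create', decision: 'YES' },
  { subject: 'billing-admin', object: 'res-1111', action: 'read',   decision: 'YES' },
  { subject: 'billing-admin', object: 'res-1111', action: 'delete', decision: 'NO'  },
  { subject: 'support',       object: 'res-1111', action: 'read',   decision: 'YES' },
  { subject: 'anonymous',     object: 'res-2222', action: 'read',   decision: 'YES' },
];

// Index the table by tuple so the per-request check is a single lookup.
const tupleKey = (subject, object, action) =>
  `${subject}|${object}|${normalizeAction(action)}`;
const TABLE = new Map(
  POLICY.map(r => [tupleKey(r.subject, r.object, r.action), r.decision])
);

// The subject is whatever role the IdP asserted; no assertion means "anonymous".
function subjectFor(assertedRole) {
  return assertedRole ? String(assertedRole) : 'anonymous';
}

// Allow only on an explicit YES. An explicit NO and a missing tuple both deny,
// so a typo in a resource id or an unexpected verb fails closed.
function isAllowed(assertedRole, objectId, action) {
  return TABLE.get(tupleKey(subjectFor(assertedRole), objectId, action)) === 'YES';
}
```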

@Dino

Hi Dino,

The term XACML was pretty new to me and while searching on net, I found some useful information.

Is XACML similar to the RBAC model?

In our project, we give access to users using the RBAC model. We have created separate templates (these templates have permissions).

Can you please let me know why we need an authorization policy server, with some example, so that I can understand it better?


I would think that scopes on an OAuth token would be sufficient to determine if the subject had authorization to perform the action on the object.

We currently put scopes on the products and then check for those scopes in the API code to make the decision.