What is Access Management

Introduction

This is an introductory article for those who are just starting to work on protecting enterprise applications and services. It explains the basic concepts of access control: what access control is, why it is needed, and how it works.

Basic Concepts

Authentication — the process of verifying that a user is who they claim to be. The user presents credentials that only they should possess, such as a login and password.

What is Access Management?

Consider an application in which users and services are authenticated. Users and applications have different roles and functionality, and of course users with different roles should not have access to every application function. In a blog application, for example, regular users can create and edit their own posts but cannot edit other users' posts; moderators can edit all posts and comments; administrators can edit posts and manage users. Access can be differentiated by other attributes as well, not only by role:

  • by group — in a “clients” realm there could be a group of privileged users who have access to privileged pricing plans.
  • by authorization level — a client who has authenticated but has not confirmed their phone number cannot use extended functionality.
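The following is an added example, not code from the original article, showing how the three kinds of restriction above (role, group, authorization level) combine in a single deny-by-default decision function for the blog scenario. The names `Subject`, `Owned`, `ROLE_PERMISSIONS`, and the choice that creating a post is the "extended functionality" gated on a confirmed phone number are illustrative assumptions.

```python
"""Added example: a minimal access-control decision point for the blog scenario.

Not code from the original article. Class and table names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Role(str, Enum):
    USER = "user"
    MODERATOR = "moderator"
    ADMIN = "admin"


@dataclass(frozen=True)
class Subject:
    """An authenticated principal plus the attributes access control needs."""
    user_id: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    phone_verified: bool = False   # the "authorization level" from the text


@dataclass(frozen=True)
class Owned:
    """A resource with an owner, e.g. a blog post or a comment."""
    resource_id: str
    author_id: str


# Role-based permissions: (resource type, action) pairs each role may perform.
# "edit_own" still requires an ownership check; "edit_any" does not.
ROLE_PERMISSIONS = {
    Role.USER: {("post", "create"), ("post", "edit_own")},
    Role.MODERATOR: {("post", "edit_any"), ("comment", "edit_any")},
    Role.ADMIN: {("post", "edit_any"), ("user", "manage")},
}

# Assumption for the example: these actions are the "extended functionality"
# that an authenticated but phone-unverified client may not use.
REQUIRES_VERIFIED_PHONE = {("post", "create")}


def _granted(subject, resource_type, action):
    """True if any of the subject's roles grants (resource_type, action)."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(r, set())
               for r in subject.roles)


def is_allowed(subject, resource_type, action, resource=None):
    """Single decision point. Anything not explicitly granted is denied.

    Order matters: the authorization-level gate is applied before role checks,
    so a user with the right role but an unverified phone is still refused.
    """
    if (resource_type, action) in REQUIRES_VERIFIED_PHONE and not subject.phone_verified:
        return False
    if action == "edit" and resource is not None:
        if _granted(subject, resource_type, "edit_any"):
            return True
        return (_granted(subject, resource_type, "edit_own")
                and resource.author_id == subject.user_id)
    return _granted(subject, resource_type, action)


def visible_pricing_plans(subject):
    """Group-based access: only the 'privileged' group sees the extra plan."""
    plans = ["basic", "standard"]
    if "privileged" in subject.groups:
        plans.append("privileged-plan")
    return plans


if __name__ == "__main__":
    alice = Subject("alice", frozenset({Role.USER}), phone_verified=True)
    mod = Subject("mod", frozenset({Role.MODERATOR}))
    post = Owned("p1", author_id="alice")
    print("alice edits own post:", is_allowed(alice, "post", "edit", post))
    print("moderator edits alice's post:", is_allowed(mod, "post", "edit", post))
    print("moderator manages users:", is_allowed(mod, "user", "manage"))
```

The point of routing every check through `is_allowed` is that the ownership rule, the role table and the phone-verification gate live in one place; if each endpoint re-implemented them, the rules would drift apart over time.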

Do You Need a Standalone Access Control Solution?

If you have a monolithic application with a single user database, implement access control in the application itself; that is easier to develop and maintain. But if the application is complex, has a microservice architecture, or has rich functionality (different groups of users, roles, authorization levels, users stored in multiple databases), it is better to run access control as a stand-alone service, so that each component delegates its decisions to one policy point instead of re-implementing the rules on its own and letting them drift apart.

Open Identity Community member, OSS Enthusiast