This is an introductory article for those who are just diving into the problem of protecting enterprise applications and services. It explains the basic concepts related to access control: what access control is, why it is needed, and how it works.
Authentication is the process of verifying the identity of a user. The user presents credentials that only they possess, such as a login and password.
Authorization is the process of making sure that the user is allowed to perform a certain operation. For example, only a user with administrative rights has access to the system’s advanced functionality, or client users have access only to their own payments and balance.
What is Access Management?
For example, consider an application where users and services are authenticated. Users and applications have different roles and functionality. Naturally, users with different roles should not have access to all application functions. In a blog application, regular users can create and edit their own posts, but can’t edit other users’ posts. Moderators can edit all posts and comments. Administrators can edit posts and manage users.
Managing users, their roles, functionality access policies, and access monitoring and audit is Access Management.
Access can be assigned in various ways:
- by a realm — a realm is a user storage. For example, in telecom there could be a “clients” realm and an “employees” realm. Employees can view all users in the “clients” realm, but users in the “clients” realm can’t do that.
- by a group — in the “clients” realm there could be privileged users, who have access to privileged pricing plans.
- by authorization level — if a client has authenticated but has not confirmed their phone number, they can’t use the extended functionality.
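The blog roles above and the three ways of assigning access (realm, group, authorization level) can all be expressed as a small default-deny policy. The following is an added example, not code from the article; the user names, post ids and the `Role` / `User` / `Post` types are constructed for illustration, while the realm name “employees”/“clients”, the “privileged” group and the phone-confirmation level come from the text.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    MODERATOR = "moderator"
    ADMIN = "admin"


@dataclass(frozen=True)
class User:
    name: str
    realm: str                       # user storage the account lives in: "clients" or "employees"
    roles: frozenset = frozenset()   # role-based access (blog example)
    groups: frozenset = frozenset()  # group-based access, e.g. "privileged"
    phone_confirmed: bool = False    # authorization level: authenticated, but is the phone verified?


@dataclass(frozen=True)
class Post:
    post_id: int
    author: str


# Which roles hold which permission. A permission not listed here is never granted.
ROLE_PERMISSIONS = {
    "post:edit_own": {Role.USER, Role.MODERATOR, Role.ADMIN},
    "post:edit_any": {Role.MODERATOR, Role.ADMIN},
    "user:manage": {Role.ADMIN},
}


def has_permission(user: User, permission: str) -> bool:
    """True if any of the user's roles grants the named permission (default deny)."""
    allowed_roles = ROLE_PERMISSIONS.get(permission, set())
    return any(role in allowed_roles for role in user.roles)


def can_edit_post(user: User, post: Post) -> bool:
    """Blog rule: regular users edit only their own posts; moderators and admins edit any."""
    if has_permission(user, "post:edit_any"):
        return True
    return has_permission(user, "post:edit_own") and post.author == user.name


def can_manage_users(user: User) -> bool:
    """Blog rule: only administrators manage users."""
    return has_permission(user, "user:manage")


def can_view_clients_realm(user: User) -> bool:
    """Realm rule: only accounts stored in the "employees" realm may list the "clients" realm."""
    return user.realm == "employees"


def can_use_privileged_pricing(user: User) -> bool:
    """Group rule: a client must belong to the "privileged" group of the clients realm."""
    return user.realm == "clients" and "privileged" in user.groups


def can_use_extended_functionality(user: User) -> bool:
    """Authorization-level rule: being authenticated is not enough; the phone must be confirmed."""
    return user.phone_confirmed


def check_access(user: User, action: str, resource=None) -> bool:
    """Single entry point an application would call before performing an action.
    Unknown actions fall through to deny, so a typo in a caller cannot grant access."""
    if action == "edit_post":
        return can_edit_post(user, resource)
    if action == "manage_users":
        return can_manage_users(user)
    if action == "view_clients_realm":
        return can_view_clients_realm(user)
    if action == "privileged_pricing":
        return can_use_privileged_pricing(user)
    if action == "extended_functionality":
        return can_use_extended_functionality(user)
    return False


if __name__ == "__main__":
    # Constructed sample accounts (not real data).
    alice = User("alice", "clients", frozenset({Role.USER}))
    bob = User("bob", "clients", frozenset({Role.USER}), frozenset({"privileged"}), True)
    mia = User("mia", "employees", frozenset({Role.MODERATOR}))
    post = Post(1, "alice")
    print("alice edits own post:", check_access(alice, "edit_post", post))
    print("bob edits alice's post:", check_access(bob, "edit_post", post))
    print("mia edits alice's post:", check_access(mia, "edit_post", post))
    print("bob uses extended functionality:", check_access(bob, "extended_functionality"))
    print("alice uses extended functionality:", check_access(alice, "extended_functionality"))
```

The point of routing everything through `check_access` with a final `return False` is that the policy is default-deny: a new feature that forgets to register an action is refused rather than silently opened, which is the behaviour you want whether the access management lives inside the application or in a standalone service.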
Access management can be embedded in an application or be a standalone application. For example, WordPress or the Django framework has built-in access management. For Google applications, Access Management is a standalone application that also implements Single Sign-On (SSO).
Single Sign-On is a technology where a user authenticates only once and then uses the authenticated session to access all applications integrated with the Single Sign-On system. One implementation of Single Sign-On is Kerberos: once authenticated in Windows, the user can access all integrated applications without providing credentials again. Another implementation is Google SSO: once authenticated with a Gmail account, the user can access other Google services such as Google Docs, Google Maps, and so on.
Do You Need a Standalone Access Control Solution?
If you have a monolithic application with a single user database, Access Control should be implemented in the application itself, as that is easier to develop and maintain. But if the application is complex, has a microservice architecture, or has rich functionality with different groups of users, roles, authorization levels, and users stored in multiple databases, it is better to run Access Control as a stand-alone application.