The_ABACUS: A New Approach to Authorization

From IIW


Day/Session: Tuesday 5K

Convener: Jacob Siebach

Notes-taker(s): Jacob Siebach

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

We discussed a method of calculating attributes with no token passing, using request data and attributes.

The_ABACUS is a new type of authorization engine. It begins with a requirement of separation of duties: identification, authentication, and authorization are individually processed.

Policies for authorization exist in real life. If you walk up to someone and ask what the policy is for who can use their car, they'll probably say that they can use their own car, as can their spouse, their children under certain conditions, and explicitly authorized individuals. Computer systems have similar policies, but usually the policy is tied to the application code. The_ABACUS separates the policies from the authorization check, allowing the business owners to set the policies while the system developers only need to call The_ABACUS to find out whether access is authorized.

The_ABACUS accepts requests from services, checks the associated policy, and returns "Permit" or "Deny". The engine is not susceptible to common compromising attacks, does not suffer from delegate confusion, is optimized for efficiency, can return several decisions in one request, and allows for complex policies. Additionally, attributes can be updated in real time by events pushed to AWS Lambda functions, so the engine remains online without ever needing a redeployment while the event consumer code is updated as needed.
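As an added illustration (constructed here, not The_ABACUS's own code), the car policy above expressed as data evaluated by a small decision function: the caller sends only identifiers and request data, attributes are looked up on the engine side rather than carried in a token, several decisions can be answered in one call, and an event handler updates attributes while the engine stays up. The attribute names, the daytime condition for children, and the event format are assumptions made for this example.

```python
"""Constructed illustration of a policy-decision engine in the style the notes
describe; this is not The_ABACUS's own code. Attribute names, the daytime
condition and the event format are assumptions made for the example."""

# Attribute store, kept current by pushed events rather than by tokens in requests.
ATTRIBUTES = {
    "alice": {"age": 40},
    "bob": {"spouse_of": "alice", "age": 41},
    "carol": {"parent": "alice", "age": 17, "licensed": True},
    "dave": {"parent": "alice", "age": 15, "licensed": False},
    "erin": {"age": 30},
}
RESOURCES = {"car-1": {"owner": "alice", "authorized": {"erin"}}}

# The car policy from the notes, written as data the business owner maintains:
# each rule is a predicate over (subject attributes, resource attributes, request data).
CAR_POLICY = [
    lambda s, r, q: s["id"] == r["owner"],                        # their own car
    lambda s, r, q: s.get("spouse_of") == r["owner"],             # their spouse
    lambda s, r, q: s.get("parent") == r["owner"]                 # children, under conditions:
    and bool(s.get("licensed")) and 6 <= q.get("hour", -1) < 22,  # licensed and daytime (assumed)
    lambda s, r, q: s["id"] in r["authorized"],                   # explicitly authorized people
]
POLICIES = {"car-1": CAR_POLICY}


def decide(subject_id, resource_id, request):
    """Return "Permit" or "Deny"; the caller supplies only ids and request data."""
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return "Deny"  # default deny for unknown resources
    subject = dict(ATTRIBUTES.get(subject_id, {}), id=subject_id)
    rules = POLICIES.get(resource_id, [])
    return "Permit" if any(rule(subject, resource, request) for rule in rules) else "Deny"


def decide_many(requests):
    """Several decisions in one request: a list of (subject, resource, request data)."""
    return [decide(*req) for req in requests]


def apply_event(event):
    """Event consumer: update attributes in real time while the engine stays online.
    Assumed event shape: {"subject": id, "set": {attribute: value}}."""
    ATTRIBUTES.setdefault(event["subject"], {}).update(event["set"])


if __name__ == "__main__":
    print(decide_many([("carol", "car-1", {"hour": 10}), ("dave", "car-1", {"hour": 10})]))
    apply_event({"subject": "dave", "set": {"licensed": True}})
    print(decide("dave", "car-1", {"hour": 10}))
```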