Coarse-grained and fine-grained authorization are similar to classic and quantum physics in many ways. One studies the larger objects and the other deals with subatomic particles. With what scientists know today, you can imagine how difficult it would be if you tried studying subatomic particles’ properties while applying the classical physics theories. When dealing with subatomic particles the rules are different beyond classical physics assumptions—you need a different system for studying related problems and developing solutions. For fine-grained authorization, this is the lesson that many organizations are learning.
Applying typical coarse-grained authorization methodologies such as RBAC (Role-based Access Control) can take you only so far in controlling access. RBAC falls short of addressing fine-grained authorization at runtime. That is why we have ABAC (Attribute-based Access Control), XACML (Extensible Access Control Markup Language), and EAM (Externalized Authorization Management) tools. These tools cannot be effective without good governance and a well-establish foundation to address dependencies such as having the required business rules and attributes. Fine-grained authorization is complex but making steady progress slowly similar to quantum physics. For some practitioners, the progress is not fast enough. The expectation of having a magical tool to short-cut the solution to fine-grained authorization problems just isn’t realistic.
It is imperative that IAM program management, architects, developers, auditors, and vendors recognize the inherent challenges. That is critical to establishing an environment that supports the steady progress to implement fine-grained authorization. One key starting point is maturing policy management practices with appropriate metrics. That includes organizing policy authoring, expression, storage, maintenance, distribution and provisioning in the relevant authorization domains.
If you are interested, our recent report A Systematic and Practical Approach to Optimizing Authorization Architecture  describes how to establish a foundation that supports sustainable improvement and adoption of fine-grained authorization across an organization. Future reports will expand on different use cases and how to address them. As always we like to hear about your experience and perspective as you enhance your authorization systems.
 Gartner for Technical Professional subscription is required for access to the research report
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.