
Chasing the Long Tail of Fine-grained Authorization

By Homan Farahmand | February 09, 2016 | 0 Comments

Tags: Risk Management, Architecture, Authorization, Cybersecurity, IAM

Coarse-grained and fine-grained authorization are similar to classical and quantum physics in many ways. One studies larger objects and the other deals with subatomic particles. With what scientists know today, you can imagine how difficult it would be to study the properties of subatomic particles while applying the theories of classical physics. When dealing with subatomic particles the rules are different, beyond the assumptions of classical physics—you need a different system for studying the related problems and developing solutions. For fine-grained authorization, this is the lesson that many organizations are learning.

Applying typical coarse-grained authorization methodologies such as RBAC (Role-based Access Control) can take you only so far in controlling access. RBAC falls short of addressing fine-grained authorization at runtime. That is why we have ABAC (Attribute-based Access Control), XACML (Extensible Access Control Markup Language), and EAM (Externalized Authorization Management) tools. These tools cannot be effective without good governance and a well-established foundation that addresses their dependencies, such as having the required business rules and attributes available. Fine-grained authorization is complex, but, much like quantum physics, it is making steady if slow progress. For some practitioners, the progress is not fast enough. The expectation of a magical tool that short-cuts the solution to fine-grained authorization problems just isn't realistic.
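As an added illustration (not code from the post or from Gartner), the following Python models the contrast drawn above: a coarse-grained RBAC check that knows only the role, beside a fine-grained ABAC rule whose outcome depends on subject, resource and environment attributes at runtime, and which therefore cannot be evaluated when a required attribute is missing. The roles, attribute names and rules are constructed for the example; the decision values loosely follow XACML's Permit/Deny/Indeterminate/NotApplicable vocabulary.

```python
from dataclasses import dataclass
from typing import Callable

# Coarse-grained RBAC: permission is a static function of the role alone.
ROLE_PERMISSIONS = {"clinician": {"read_record"}, "auditor": {"read_record"}}

def rbac_allows(role: str, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(role, set())

# Fine-grained ABAC rule modelled loosely on an XACML rule: the target (role and
# action) decides whether the rule applies; the condition over subject, resource
# and environment attributes decides the outcome. 'requires' names the attributes
# the condition needs so an absent one is reported rather than raising KeyError.
@dataclass
class Rule:
    name: str
    action: str
    role: str
    requires: tuple
    condition: Callable[[dict], bool]

RULES = [  # constructed sample policy
    Rule("clinician-own-department-on-shift", "read_record", "clinician",
         ("subject.department", "resource.department", "env.on_shift"),
         lambda a: a["subject.department"] == a["resource.department"] and a["env.on_shift"]),
    Rule("auditor-records-under-hold", "read_record", "auditor",
         ("resource.audit_hold",),
         lambda a: a["resource.audit_hold"]),
]

def abac_decide(attrs: dict, action: str) -> tuple:
    """Return (decision, reason). Permit-overrides among applicable rules;
    a rule that cannot be evaluated because an attribute is absent yields
    Indeterminate, which a caller must treat like Deny (fail closed)."""
    applicable = [r for r in RULES
                  if r.action == action and r.role == attrs.get("subject.role")]
    if not applicable:
        return "NotApplicable", "no rule targets this role and action"
    missing = set()
    for rule in applicable:
        absent = [k for k in rule.requires if k not in attrs]
        if absent:
            missing.update(absent)
            continue
        if rule.condition(attrs):
            return "Permit", rule.name
    if missing:
        return "Indeterminate", "missing attributes: " + ", ".join(sorted(missing))
    return "Deny", "no applicable rule permitted"
```

The Indeterminate branch is the practical point: the ABAC rule is only as good as the governed attributes feeding it, and a missing attribute must surface as a visible, denied decision rather than a silent skip.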

It is imperative that IAM program management, architects, developers, auditors, and vendors recognize the inherent challenges. That is critical to establishing an environment that supports the steady progress to implement fine-grained authorization. One key starting point is maturing policy management practices with appropriate metrics. That includes organizing policy authoring, expression, storage, maintenance, distribution and provisioning in the relevant authorization domains.

If you are interested, our recent report A Systematic and Practical Approach to Optimizing Authorization Architecture [1] describes how to establish a foundation that supports sustainable improvement and adoption of fine-grained authorization across an organization. Future reports will expand on different use cases and how to address them. As always, we would like to hear about your experience and perspective as you enhance your authorization systems.

[1] A Gartner for Technical Professionals subscription is required to access the research report.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
