Representing and Managing Authorization Policies

As we'll see in Chapter 18, policies play an important role in building an identity infrastructure, because they help define the context within which systems are built and operated. However, merely writing a policy does not ensure that it's correctly promulgated and implemented throughout the IT infrastructure.

For example, in the State of Utah, there are over 1,000 separate systems, not including desktop computers, that are affected by IT policies created by the CIO's office. What's more, several hundred people administer these systems. In this situation, there is little hope that any policy made will be consistently executed on these many disparate systems.

This problem plagues large enterprises. Access-control policies are written in English and then implemented on dozens or even hundreds of different systems individually. Each of these systems has a proprietary configuration language. Compounding the problem, policies change frequently. Every time the access control policy is changed, the entire configuration has to be redone. Only a hopeless optimist would believe that this job is done correctly.

Figure 11-7 shows how a policy server might solve this problem. In the figure, the policy is translated to some machine language and placed on the policy server where it can be sent directly to the various systems in the enterprise. As we discussed in Chapter 3, current state of the art in policy languages is a far cry from the ideal situation ...

Get Digital Identity now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.