Introduction to PingAuthorize
PingAuthorize is a solution for fine-grained, attribute-based access control and dynamic authorization management.
Digital transactions worldwide are increasing at exponential rates. At the heart of every transaction are questions of authorization:
- Can a given user perform this action or access this resource?
- How much data can a given partner access?
With more sophisticated use cases and more regulations for sensitive data, the rules that guide these questions of authorization get more complex. For example, a user can only transfer funds if their account is in good standing and they’ve agreed to the terms of service, or a partner can only access user data for those users who have given explicit consent.
When used to address complex authorization requirements, traditional, static authorization solutions, like role-based access control (RBAC), lack the full transaction context available only with dynamic, runtime authorization. PingAuthorize dynamic authorization can evaluate any identity attributes, consents, entitlements, resources, or contexts to make attribute-based access control (ABAC) decisions in real time. PingAuthorize gives you centralized control over your digital transactions and application-level access to your protected resources.
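An added illustration of the contrast above (not PingAuthorize code, and not its policy format or API): a static role check beside an attribute-based decision for the two example rules, with default deny when an attribute is missing. All function, attribute, and sample-data names are hypothetical.

```python
# Added illustration only: not PingAuthorize code or its API.
# Every name here (Request, rbac_allows, abac_decide, ...) is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: dict                       # identity attributes of the caller
    action: str
    resource: dict = field(default_factory=dict)

# Static RBAC: the role alone decides, with no transaction context.
ROLE_PERMISSIONS = {"customer": {"transfer_funds"}, "partner": {"read_user_data"}}

def rbac_allows(req):
    return req.action in ROLE_PERMISSIONS.get(req.subject.get("role"), set())

def abac_decide(req):
    """Evaluate the two example rules; deny unless a rule explicitly permits."""
    s = req.subject
    if req.action == "transfer_funds":
        # `is True` makes a missing or malformed attribute fail closed.
        if s.get("account_standing") == "good" and s.get("tos_accepted") is True:
            return "PERMIT"
        return "DENY"
    if req.action == "read_user_data":
        pid = s.get("partner_id")
        consented = req.resource.get("owner", {}).get("consented_partners", ())
        return "PERMIT" if pid and pid in consented else "DENY"
    return "DENY"                       # unknown action: default deny

def filter_users(partner, users):
    """Keep only the records whose owner gave consent to this partner."""
    return [u for u in users
            if abac_decide(Request(partner, "read_user_data", {"owner": u})) == "PERMIT"]

# Constructed sample data.
ALICE = {"role": "customer", "account_standing": "good", "tos_accepted": True}
BOB = {"role": "customer", "account_standing": "good"}   # never accepted the terms
PARTNER = {"role": "partner", "partner_id": "p-42"}
USERS = [{"id": "u1", "consented_partners": ["p-42"]},
         {"id": "u2", "consented_partners": []},
         {"id": "u3"}]                  # no consent attribute recorded

if __name__ == "__main__":
    for name, subj in (("alice", ALICE), ("bob", BOB)):
        req = Request(subj, "transfer_funds")
        print(name, "rbac:", rbac_allows(req), "abac:", abac_decide(req))
    print([u["id"] for u in filter_users(PARTNER, USERS)])
```

The role check permits both customers, while the attribute-based decision denies the one who has not accepted the terms and returns only the consenting user's record to the partner.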
The following components provide the main capabilities for PingAuthorize.
PingAuthorize Policy Editor
- Policy Administration and Delegation
PingAuthorize Policy Editor enables nontechnical stakeholders to collaborate with IT and application developers to build and test authorization policies with a drag-and-drop UI. The editor supports fine-grained permissions and workflows to enable the right operational processes and delegated administration scenarios.
- Attribute Resolution and Orchestration
Authorization policies depend on any combination of attribute expressions that are evaluated at runtime by PingAuthorize Server. These attribute values might be present in the transaction itself, like an identifier of the authenticated user.
PingAuthorize Policy Editor enables additional attribute values to be determined at runtime by configuring attribute sources and attribute processing without writing any code.
PingAuthorize Server
PingAuthorize Server includes the runtime policy decision service and multiple integration capabilities:
- Authorization Policy Decision APIs
Applications or services obtain policy decisions at runtime using a policy decision point (PDP) application programming interface (API). Applications then enforce these decisions in their own application or service code. This integration configuration is the most flexible, supporting any application or service use case.
- API Security Gateway and Sideband API
For fine-grained access control and data protection within application, platform, or microservice APIs, customers can integrate the API Security Gateway or Sideband API into their API architecture.
In this configuration, PingAuthorize Server inspects API requests and responses, and then enforces policy by blocking, filtering, obfuscating, or otherwise modifying request and response data and attributes. This approach requires little or no code changes by the API developer.
- SCIM Service
For fine-grained data access control and protection for structured datastores like Lightweight Directory Access Protocol (LDAP) and RDBMS, customers can deploy the System for Cross-domain Identity Management (SCIM) service in front of their datastores.
In this configuration, PingAuthorize Server provides SCIM-based APIs through which clients create, read, update, and delete (CRUD) data. The SCIM service enforces policy by blocking, filtering, obfuscating, or otherwise modifying data and attributes.
The available enforcement features described above vary depending on your subscription. For more information, check your PingAuthorize license key or contact your Ping Identity account representative.
Get started
To quickly spin up a PingAuthorize solution and walk through some simple use cases, see Getting started with PingAuthorize (tutorials).