PingAuthorize is a solution for fine-grained, dynamic authorization.
Digital transactions worldwide are increasing at exponential rates. At the heart of every transaction are questions of authorization:
- Can a given user perform this action or access this resource?
- How much data can a given partner access?
With more sophisticated use cases and more regulations for sensitive data, the rules that guide these questions of authorization get more complex. For example, a user can only transfer funds if their account is in good standing and they've agreed to the terms of service, or a partner can only access user data for those users who have given explicit consent.
Using traditional, static authorization solutions, like role-based access control (RBAC), to address complex authorization requirements lacks the full transaction context available only with dynamic, runtime authorization. PingAuthorize dynamic authorization can evaluate any identity attribute, consent, entitlement, resource, or context to make attribute-based access control (ABAC) decisions in real time. PingAuthorize gives you centralized control over your digital transactions and application access to data.
The following components provide the main capabilities for PingAuthorize.
PingAuthorize Policy Editor
- Policy Administration and Delegation
- PingAuthorize Policy Editor enables nontechnical stakeholders to collaborate with IT and application developers to build and test authorization policies with a drag-and-drop UI. The editor supports fine-grained permissions and workflows to enable the right operational processes and delegated administration scenarios.
- Attribute Resolution and Orchestration
- Authorization policies depend on any combination of attribute expressions that
are evaluated at runtime by PingAuthorize
Server. These attribute values might be present in the transaction itself, like an
identifier of the authenticated
PingAuthorize Policy Editor enables additional attribute values to be determined at runtime by configuring attribute sources and attribute processing without writing any code.
PingAuthorize Server includes the runtime policy decision service and multiple integration capabilities:
- Authorization Policy Decision APIs
- Applications or services obtain policy decisions at runtime using a policy decision point (PDP) API. Applications then enforce the decision in their own application or service code. This integration configuration is the most flexible, supporting any application or service use case.
- API Security Gateway and Sideband API
- For fine-grained access control and data protection within application, platform,
or microservice APIs, customers can integrate the API Security Gateway or Sideband
API into their API
In this configuration, PingAuthorize Server inspects API requests and responses, and then enforces policy by blocking, filtering, obfuscating, or otherwise modifying request and response data and attributes. This approach requires little or no code changes by the API developer.
- SCIM Service
- For fine-grained data access control and protection for structured data stores
like LDAP and RDBMS, customers can deploy the SCIM Service in front of their data
In this configuration, PingAuthorize Server provides SCIM-based APIs through which clients create, read, update, and delete (CRUD) data. The SCIM Service enforces policy by blocking, filtering, obfuscating, or otherwise modifying data and attributes.
The available enforcement features described above vary depending on your subscription. For more information, check your PingAuthorize license key or contact your Ping Identity account representative.
To quickly see PingAuthorize in action, see Getting started with PingAuthorize (tutorials).