PingAuthorize is a solution for fine-grained, attribute-based access control and dynamic authorization management.
Digital transactions worldwide are increasing at exponential rates. At the heart of every transaction are questions of authorization:
- Can a given user perform this action or access this resource?
- How much data can a given partner access?
With more sophisticated use cases and more regulations for sensitive data, the rules that guide these questions of authorization get more complex. For example, a user can only transfer funds if their account is in good standing and they've agreed to the terms of service, or a partner can only access user data for those users who have given explicit consent.
Traditional, static authorization solutions, like role-based access control (RBAC), lack the full transaction context that is available only with dynamic, runtime authorization when they are used to address complex authorization requirements. PingAuthorize dynamic authorization can evaluate any identity
The following components provide the main capabilities for PingAuthorize.
PingAuthorize Policy Editor
- Policy Administration and Delegation
- PingAuthorize Policy Editor enables nontechnical stakeholders to collaborate with IT and application developers to build and test authorization policies with a drag-and-drop UI. The editor supports fine-grained permissions and workflows to enable the right operational processes and delegated administration scenarios.
- Attribute Resolution and Orchestration
- Authorization policies depend on any combination of attribute expressions that are evaluated at runtime by PingAuthorize Server. These attribute values might be present in the transaction itself, like an identifier of the authenticated user.
PingAuthorize Policy Editor enables additional attribute values to be determined at runtime by configuring attribute sources and attribute processing without writing any code.
PingAuthorize Server includes the runtime policy decision service and multiple integration capabilities:
- Authorization Policy Decision APIs
- Applications or services obtain policy decisions at runtime using a policy decision point (PDP) API. Applications then enforce these decisions in their own application or service code. This integration configuration is the most flexible, supporting any application or service use case.
- API Security Gateway and Sideband API
- For fine-grained access control and data protection within application, platform, or microservice APIs, customers can integrate the API Security Gateway or Sideband API into their API architecture.
In this configuration, PingAuthorize Server inspects API requests and responses, and then enforces policy by blocking, filtering, obfuscating, or otherwise modifying request and response data and attributes. This approach requires little or no code changes by the API developer.
- SCIM Service
- For fine-grained data access control and protection for structured datastores like LDAP and RDBMS, customers can deploy the System for Cross-domain Identity Management (SCIM) service in front of their datastores.
In this configuration, PingAuthorize Server provides SCIM-based APIs through which clients create, read, update, and delete (CRUD) data. The SCIM service enforces policy by blocking, filtering, obfuscating, or otherwise modifying data and attributes.
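The two patterns described above (an application asking a policy decision point for a decision and enforcing it itself, versus an enforcement layer that blocks, filters, or obfuscates response data) can be shown together in a small model. The following Python is an added illustration, not PingAuthorize code and not its API: it implements the two example rules from the introduction (a funds transfer requires an account in good standing and accepted terms of service; a partner may read only the data of users who gave consent), resolves attributes at runtime from a constructed account store standing in for an attribute source, and has a separate enforcement point that applies the decision's obligations by filtering and masking records. All attribute names, the account records, and the obligation format are assumptions made for the example.

```python
"""Added example (not PingAuthorize code): a minimal attribute-based PDP
with runtime attribute resolution, and a PEP that enforces its decisions
by blocking, filtering, or obfuscating response data."""
from dataclasses import dataclass, field

# Constructed attribute source: the PDP looks these up at runtime.
# (Assumed attribute names; not a real PingAuthorize schema.)
ACCOUNTS = {
    "alice": {"standing": "good", "tos_accepted": True, "consent_to_partners": True},
    "bob":   {"standing": "delinquent", "tos_accepted": True, "consent_to_partners": False},
    "carol": {"standing": "good", "tos_accepted": False, "consent_to_partners": True},
}

# Constructed records returned by a hypothetical user-data API.
USER_RECORDS = [
    {"user": "alice", "email": "alice@example.com", "balance": 120},
    {"user": "bob", "email": "bob@example.com", "balance": -40},
    {"user": "carol", "email": "carol@example.com", "balance": 300},
]


@dataclass
class Decision:
    permit: bool
    reason: str
    # Obligations tell the enforcement point how to modify a permitted response.
    obligations: dict = field(default_factory=dict)


def resolve_attributes(request):
    """Merge attributes carried in the transaction (subject, action, ...) with
    attributes fetched at runtime from the attribute source."""
    attrs = dict(request)
    account = ACCOUNTS.get(request.get("subject"), {})
    attrs.update({f"account.{k}": v for k, v in account.items()})
    return attrs


def decide(request):
    """Policy decision point: evaluates the policies over resolved attributes.
    Anything no policy explicitly permits is denied (default deny)."""
    attrs = resolve_attributes(request)
    action = attrs.get("action")

    # Policy 1: transfer only if the account is in good standing and TOS accepted.
    if action == "transfer_funds":
        if attrs.get("account.standing") != "good":
            return Decision(False, "account not in good standing")
        if not attrs.get("account.tos_accepted"):
            return Decision(False, "terms of service not accepted")
        return Decision(True, "transfer policy satisfied")

    # Policy 2: a partner may read user data, but only for consenting users,
    # and e-mail addresses are masked. The PDP expresses this as obligations.
    if action == "read_user_data" and attrs.get("subject_type") == "partner":
        return Decision(True, "partner access permitted with filtering",
                        obligations={"filter_field": "consent_to_partners",
                                     "mask": ["email"]})

    return Decision(False, "no applicable policy")


def enforce_read(request, records):
    """Policy enforcement point for a data-returning API: block the call, or
    return the response with non-consenting users filtered and fields masked."""
    decision = decide(request)
    if not decision.permit:
        return {"status": 403, "reason": decision.reason, "data": []}

    filter_field = decision.obligations.get("filter_field")
    masked = decision.obligations.get("mask", [])
    result = []
    for rec in records:
        # Filter: drop records whose owner lacks the required attribute.
        if filter_field and not ACCOUNTS.get(rec["user"], {}).get(filter_field):
            continue
        rec = dict(rec)  # never mutate the datastore's own objects
        for fld in masked:  # obfuscate sensitive fields
            if fld in rec:
                rec[fld] = "***"
        result.append(rec)
    return {"status": 200, "reason": decision.reason, "data": result}


if __name__ == "__main__":
    print(decide({"subject": "bob", "action": "transfer_funds"}))
    partner = {"subject": "partner-x", "subject_type": "partner", "action": "read_user_data"}
    print(enforce_read(partner, USER_RECORDS))
```

The point of the split is that the decision logic and the enforcement logic can live in different places: with a PDP API the application calls `decide` and acts on the result itself, whereas a gateway-style integration owns something like `enforce_read` and the API developer changes no code. Keeping the default-deny branch at the end of `decide` matters in both arrangements, since an unknown subject resolves to no account attributes and must fall through to a denial rather than a permit.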
The available enforcement features described above vary depending on your subscription. For more information, check your PingAuthorize license key or contact your Ping Identity account representative.
To quickly spin up a PingAuthorize solution and walk through some simple use cases, see Getting started with PingAuthorize (tutorials).