Access control involves enabling an authority to control access to application resources in a computer system. Access control includes authentication, authorization, and auditing. Authentication involves determining whether a user can log in to a computer system. Authorization involves determining which application resources a user can access once logged in to a computer system, and what level of access the user has to each application resource. Auditing involves recording important events for future analysis.
In general, computer systems involve many different applications. Each application has its own entitlements (i.e., sets of privileges that govern what a user is authorized to access). Thus, a key component of authorization is managing security for each application. With respect to authorization, there is a wide range of authorization levels, ranging from coarse-grained authorization to fine-grained authorization. Coarse-grained authorization is a simple mechanism to manage whether a user has the necessary permission to access a particular application, such as whether the user is a member of a particular group. In contrast, fine-grained authorization is a more precise mechanism to manage whether a user has the necessary permission to perform a certain action on a resource of an application. Because fine-grained authorization is more precise than coarse-grained authorization, fine-grained authorization has more context than coarse-grained authorization. Context is defined as attributes of a subject, resource, action, or environment that can be relevant in making a fine-grained authorization decision. With the increased complexity of today's computer systems, fine-grained authorization is generally becoming the norm in enterprise applications.
In general, a user accesses an application's presentation tier via a web server. Behind the web server, generally, is an application server which manages the application. While web-based authorization policies are typically configured outside of the application server, many application-based authorization policies are “hard-coded” into the application logic itself. An approach where application logic makes authorization decisions generally means that the authorization decisions are not centrally managed, governed, or controlled by a security team that is separate from the application. Furthermore, runtime authorization decisions are rarely audited by the application. In today's enterprise application environment, this approach is no longer feasible. Laws like Sarbanes-Oxley mandate documented controls on who can access information systems that affect the finances of publicly held companies. Healthcare and privacy laws have also placed stricter requirements on access to application resources and auditing of that access. A rapid rise in the outsourcing of application development has led to a situation in which authorization logic hard-coded in the application is no longer directly controlled by the enterprise. Thus, changes in the regulatory and development environments have mandated a change in how application-level authorization is managed.
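As an added illustration, not part of the original text, the following Python sketch shows a hypothetical central policy decision point that applies the coarse-grained check (group membership for an application) and the fine-grained check (rules over subject, resource, action and environment context) described above, and records every runtime decision for auditing instead of leaving it to hard-coded application logic. The "ledger" application, its groups, rules, users and invoice are constructed sample data.

```python
from collections import namedtuple
# Context, as the text defines it: attributes of the subject, resource, action and environment.
Request = namedtuple("Request", "subject resource action environment")

class PolicyDecisionPoint:
    """Central decision point (hypothetical): policy lives here, not in application code."""
    def __init__(self, app_groups, rules):
        self.app_groups = app_groups   # coarse-grained: application -> groups entitled to use it
        self.rules = rules             # fine-grained: application -> {rule name: predicate on a Request}
        self.audit_log = []            # auditing: every runtime decision is recorded here

    def coarse_grained(self, req, app):
        # Is the subject a member of any group entitled to the application at all?
        return bool(set(req.subject.get("groups", ())) & self.app_groups.get(app, set()))

    def fine_grained(self, req, app):
        # Names of the rules this subject/resource/action/environment combination fails (deny-by-default).
        return [name for name, ok in self.rules.get(app, {}).items() if not ok(req)]

    def decide(self, req, app):
        if not self.coarse_grained(req, app):
            decision, reason = "DENY", "subject not in an entitled group"
        elif failed := self.fine_grained(req, app):
            decision, reason = "DENY", "failed rule(s): " + ", ".join(failed)
        else:
            decision, reason = "PERMIT", "all rules satisfied"
        self.audit_log.append({"user": req.subject["id"], "app": app, "action": req.action,
                               "resource": req.resource["id"], "decision": decision, "reason": reason})
        return decision

# Constructed sample policy for a hypothetical "ledger" application.
PDP = PolicyDecisionPoint(
    app_groups={"ledger": {"finance"}},
    rules={"ledger": {
        "same-department": lambda r: r.subject["dept"] == r.resource["owner_dept"],
        "edit-requires-approver": lambda r: r.action != "edit" or "approver" in r.subject["roles"],
        "business-hours": lambda r: 8 <= r.environment["hour"] < 18,
    }},
)

def demo():
    """Three decisions on the same invoice; returns their outcomes (and fills PDP.audit_log)."""
    alice = {"id": "alice", "groups": ["finance"], "dept": "AP", "roles": ["approver"]}
    bob = {"id": "bob", "groups": ["finance"], "dept": "AP", "roles": []}
    eve = {"id": "eve", "groups": ["marketing"], "dept": "MK", "roles": []}
    invoice = {"id": "inv-42", "owner_dept": "AP"}
    return [PDP.decide(Request(alice, invoice, "edit", {"hour": 10}), "ledger"),  # PERMIT
            PDP.decide(Request(bob, invoice, "edit", {"hour": 10}), "ledger"),    # DENY: not an approver
            PDP.decide(Request(eve, invoice, "view", {"hour": 10}), "ledger")]    # DENY: wrong group
```

Each entry in `PDP.audit_log` names the user, application, action, resource and the reason for the decision, which is the record a security team can review independently of the application.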