Authorization for Everything

This blog post was first published @, included here with permission.

Smart contextual & conditional authorization lowers barriers enabling friction-less user on-boarding, more intuitive user journeys and ultimately increases your return on identity, right at the heart of your digital transformation strategy.
Moving beyond web and mobile application security, for any object, any action, any context, authorization shall be described. It’s ForgeRock’s identity platform that does provide you the framework. It provides you Authorization for Everything.

The model, principals and functionality can be applied to any business, so as an example, I describe authorization for an “ordinary” object, a family household. It is composed of the family members and family members and household appliances. Bob stores wine in his wine cabinet, not only for consumption, but also for investments. Inventory is thus a crucial as Bob wants to know the current value of his investments. Other “critical” resources are the screens. For the home cinema, we can image specific actions like turn on and off as well as broadcasting screen or camera. Not all family member should have the same permissions to these resources.


Authorization Management

The HomeCinema policy contains resources, actions, subjects and conditions. The whole Smith family is allowed to turn on and off the home cinema between 16h00 and 19h00. Bob should add a policy that allows him to operate the home cinema after 19h00 and broadcast the camera with his remote friends when football is on. Here’s how it looks in the OpenAM administration interface :

Any kind of resource with any kind of action can be described in the authorization framework, be it real estate, contracts, online media, etc. It a later post I shall describe how this can be done via API (REST), so that policy creation could be part of the resource or device registration process handled by application above the identity platform.


Policy Evaluation

Policy evaluation for a given resource and subject can be done via API. The policy enforcement point (which could be the home cinema itself but also a mobile app) requests a policy decision via REST. The user must be authenticated in some form prior to this request. The user’s SSO token is then added to the policy evaluation request.
Request URL:

“application”: “SmartHome”,
“resource”: “tv://myhouse/homecinema”,
“subject”: {


[ {
“advices” : { },
“ttl” : 9223372036854775807,
“resource” : “tv://myhouse/homecinema”,
“actions” : {
“DISABLE” : true,
“ENABLE” : true,
“attributes” : { }
} ]
The user is only allow to turn the home cinema on and off, not to broadcast screen or camera. Any objects, actions, subjects, context and conditions can be described in the identity platform. Unlocking the authorization asset on top of your customer view enables an even more personalized experience.

If you want to look at the details of the policy evaluation request and how it fits in the authorization framework, check the openam-high5 GitHub project. In particular the 654-authz-evaluate-policy-tv or 655-authz-evaluate-policy-door  scripts.