
The most recent patch for this version is 26.1.3.

Version: 26.1

Introduction to Access Decision Service

Access Decision Service (ADS) is a cloud-native authorization engine designed for flexible deployment across microservices, cloud, or hybrid architectures. In an externalized access control architecture, ADS functions as the Policy Decision Point (PDP). It delivers dynamic, attribute-based authorization decisions to Policy Enforcement Points (PEPs) through a REST API, adhering to the XACML 3.0 standard.

When a PEP intercepts a system action, it sends a corresponding authorization request to ADS. ADS then evaluates this request against applicable policies, accessing its authorization configuration and various attribute sources, which can include LDAP, Active Directory, databases, or identity attributes. Based on this evaluation, ADS delivers a clear permit/deny decision back to the PEP, which then enforces the mandated access control.

ADS operates as a network service, offering a web service interface that can be secured using SSL/TLS. As a standalone application, ADS runs from the command line, allowing for independent deployment and configuration without reliance on external management software. This autonomy enables direct interaction with the authorization engine, facilitating the use of existing tools and deployment strategies consistent with other software. Additionally, ADS's open interface supports diverse attribute sources, making it easily adaptable to various information architectures.
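The PEP-to-PDP exchange described above, as an added example that is not Axiomatics code: it uses only the standard XACML 3.0 JSON Profile request and response shapes, and the obligation identifiers and sample responses are constructed assumptions. The point it demonstrates is fail-closed enforcement on the PEP side: access is granted only on an explicit Permit whose obligations the PEP can fulfil, while Deny, NotApplicable and Indeterminate all result in denial.

```python
import json

# Standard XACML 3.0 attribute identifiers (from the XACML core specification).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Obligations this hypothetical PEP knows how to fulfil (constructed for the example).
SUPPORTED_OBLIGATIONS = {"urn:example:obligation:audit-log"}


def build_request(subject, resource, action, extra_subject_attrs=None):
    """Return the XACML 3.0 JSON Profile request a PEP sends to the PDP.

    The PEP only describes the intercepted action; the PDP fetches any further
    attributes it needs (LDAP, AD, databases) through its own attribute sources.
    """
    subject_attrs = [{"AttributeId": SUBJECT_ID, "Value": subject}]
    for attr_id, value in (extra_subject_attrs or {}).items():
        subject_attrs.append({"AttributeId": attr_id, "Value": value})
    return {"Request": {
        "AccessSubject": {"Attribute": subject_attrs},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
    }}


def enforce(response_json):
    """Map a XACML JSON Profile response to the PEP's allow (True) / deny (False).

    Fail closed: Deny, NotApplicable, Indeterminate, a malformed response and a
    Permit carrying an obligation the PEP cannot discharge all deny access.
    """
    results = json.loads(response_json).get("Response", [])
    if len(results) != 1:  # one request must yield exactly one Result
        return False
    result = results[0]
    if result.get("Decision") != "Permit":
        return False
    # XACML: a PEP that cannot fulfil an obligation must not grant access.
    return all(o.get("Id") in SUPPORTED_OBLIGATIONS
               for o in result.get("Obligations", []))


# Constructed sample responses for an offline run (not captured from ADS).
PERMIT = '{"Response":[{"Decision":"Permit"}]}'
INDETERMINATE = ('{"Response":[{"Decision":"Indeterminate","Status":{"StatusCode":'
                 '{"Value":"urn:oasis:names:tc:xacml:1.0:status:missing-attribute"}}}]}')
PERMIT_UNKNOWN_OBLIGATION = ('{"Response":[{"Decision":"Permit","Obligations":'
                             '[{"Id":"urn:example:obligation:redact-ssn"}]}]}')

if __name__ == "__main__":
    print(json.dumps(build_request("alice", "doc-42", "read",
                                   {"urn:example:department": "Sales"}), indent=2))
    for name, resp in [("permit", PERMIT), ("indeterminate", INDETERMINATE),
                       ("unknown obligation", PERMIT_UNKNOWN_OBLIGATION)]:
        print(f"{name}: {'allow' if enforce(resp) else 'deny'}")
```

In a real deployment the request dictionary is POSTed as JSON to the ADS authorization endpoint over TLS; the endpoint path is product-specific and not shown here.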

Contextual Authorization Query functionality

Additionally, ADS offers Contextual Authorization Query (CAQ) functionality to perform reverse queries. A reverse query is a question that seeks to identify the authorization access requests that the PDP would evaluate to a given decision (Permit, Deny, Not Applicable or Indeterminate). A PDP evaluates access requests against authorization policies.

A reverse query response provides information on what conditions need to be satisfied to get an expected decision. Such a process can then be used to answer questions like “Is there a request that evaluates to Deny?” or “Can one ever get an Indeterminate response from the PDP?”. In addition, reverse queries can fix some attribute values in order to get a subset of the conditions that need to be met for a decision. In this way, a reverse query can be used to answer questions like “Which documents can be accessed by employees working in the Sales department?” or “Can user Alice access any document from the Sales Department with security classification ‘Confidential’?”.

Reverse queries are a powerful tool, not only for analyzing policies but, more significantly, for speeding up multiple access requests.

Available modes

ADS can run in different modes, exposing authorization (ADS) and/or evaluation (CAQ) APIs depending on the selected configuration. The available modes are:

  • ADS: The core service without CAQ.
  • ADS with CAQ: The core service with the CAQ functionality combined.
  • CAQ only: A specialized deployment of the CAQ functionality alone.

You can choose between the base ADS platform, the enhanced ADS with CAQ, or a dedicated CAQ only solution.

Axiomatics Authorization system

Access Decision Service (ADS) is a core component of the Axiomatics Authorization system. This comprehensive suite comprises separately downloaded and installed components that are utilized in combination as required.

The Axiomatics Authorization system is the industry-leading solution for controlling access to critical applications. By leveraging externalized dynamic authorization, it offers an efficient policy engine and the most complete solution available for enterprise-wide implementation of Policy and Attribute-Based Access Control (PBAC and ABAC).

Axiomatics Authorization system components

The Axiomatics Authorization system is a suite of components that, apart from ADS, includes:

  • Axiomatics Services Manager (ASM)

    ASM is a web-based, multipurpose management interface within the Axiomatics Authorization system that provides key centralized functions for policies, domains, attribute definitions, and attribute sources.

  • Authorization Domain Manager (ADM)

    ADM is a content-management system tailored for authorization domains. It is a service that stores and manages domains in a secure way, providing enterprises with fine-grained data access control.

    ADM is suitable for deployment in microservices, cloud, or hybrid architectures.

  • Axiomatics Policy DevOps (APD)

    APD is a tool for developing, testing, and deploying ALFA policies and attribute connectors within your Attribute-Based Access Control (ABAC) environment. Built on Gradle and JUnit, it allows for a comprehensive testing approach that includes unit, integration, and system tests.

Notices

AXIOMATICS® is a registered trademark of Axiomatics AB, corporate identification no. 556708-1012, Sweden. Other trademarks are the property of their respective owners.

Except as otherwise expressly agreed in writing by Axiomatics AB, information in this document does not constitute in any way a representation, warranty or commitment on the part of Axiomatics.