Version: 1.16

Introduction

Access Decision Service (ADS) is a service that provides externalized dynamic attribute-based authorization decisions to Policy Enforcement Points (PEPs). The PEPs can obtain Permit/Deny decisions on access requests, using policies authored according to industry standards.

Access Decision Service is a standalone application. User access can be secured by TLS.

An open interface provides support for any type of attribute source, making it easy to adapt the service to diverse information architectures.

Standard attribute connectors with support for LDAP as well as SQL-based attribute sources are available as separate downloads.

Axiomatics Authorization system

Access Decision Service is included as a part of the Axiomatics® Authorization System product. This is a suite of components that are downloaded and installed separately, and then used together in combinations as needed, allowing for great flexibility of implementation. One such component of the Axiomatics Authorization System is the Axiomatics Services Manager (ASM), which is referenced in this guide as a source of domain configuration files.

The Axiomatics Authorization system is the industry-leading solution to control access to critical applications. Using externalized dynamic authorization, it provides an efficient policy engine, and the most complete solution available for enterprise-wide roll-out of Policy and Attribute Based Access Control (PBAC and ABAC).

The Axiomatics Authorization system is a suite of components that includes:

Axiomatics Services Manager (ASM)

ASM is a web-based, multipurpose management interface within the Axiomatics Authorization system that provides key centralized functions for policies, domains, attribute definitions, and attribute sources.

Policy Designer

Policy Designer is a web application bundled with ASM that allows business and application owners to express simple policies in a natural language, removing the burden of learning a formal authorization language.

Authorization Domain Manager (ADM)

ADM is a content-management system, tailored for authorization domains. It is a service that stores and manages domains in a secure way, providing enterprises with fine-grained data access control.

ADM is suitable for deployment in microservices, cloud, or hybrid architectures.

Access Decision Service (ADS)

ADS is a cloud-native authorization engine, suitable for flexible deployment in microservices, cloud or hybrid architectures. In an externalized access control architecture, Access Decision Service corresponds to the Policy Decision Point (PDP).

ADS provides externalized dynamic attribute-based authorization decisions to Policy Enforcement Points (PEPs) through a REST API that complies with the XACML 3.0 standard. It runs as a service on the network, exposing a web service interface that can be secured by SSL/TLS.

Contextual Authorization Query (CAQ)

CAQ is a cloud-native service that evaluates reverse query requests. A reverse query response provides information on what conditions need to be satisfied to get an expected Policy Decision Point (PDP) decision.

APS Architecture

The components of the suite are downloaded and installed separately, and then used together in combinations as needed, allowing for great flexibility of implementation.

About Access Decision Service

Access Decision Service (ADS) is a cloud-native authorization engine, suitable for flexible deployment in microservices, cloud or hybrid architectures. In an externalized access control architecture, Access Decision Service corresponds to the Policy Decision Point (PDP).

ADS provides externalized dynamic attribute-based authorization decisions to Policy Enforcement Points (PEPs) through a REST API that complies with the XACML 3.0 standard. It runs as a service on the network, exposing a web service interface that can be secured by SSL/TLS.

Access Decision Service is a standalone application, run from the command line. It can be deployed and configured independently of any management software, which means that the application can more easily be run independently or at scale.

Organizations can work directly with the authorization engine instead of having to go through management software and also more easily use the same tools and deployment strategies that they use for other software.

An open interface provides support for any type of attribute source, making it easy to adapt the service to diverse information architectures.

Policy Enforcement Point (PEP)

The authorization engine, in this case ADS, works in conjunction with the PEP, which is the component that enforces the access control decisions made by an authorization engine.

The PEP intercepts actions in the system it protects and sends a corresponding authorization request to ADS. ADS then evaluates the request against the applicable policies to determine whether access should be granted: it reads the authorization configuration, retrieves attributes from the available attribute sources (an LDAP directory, Active Directory, a database, identity attributes, and so on) and applies the policies. As a result of this evaluation, ADS returns a permit/deny decision to the PEP, which then takes action to enforce the decision mandated by the authorization engine.

Users of Axiomatics Authorization System have access to SDKs that simplify the implementation of PEPs in different environments.
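The request/decision exchange described above, as an added example that is not part of this guide and not the Axiomatics SDK: a minimal PEP that builds a request in the JSON Profile of XACML 3.0, posts it to ADS and enforces the result. The endpoint URL is a placeholder assumption (the real path comes from your ADS deployment), and the `fake_pdp` function is a constructed stand-in for ADS so the example runs offline. The enforcement logic fails closed: besides Permit and Deny, XACML 3.0 also defines NotApplicable and Indeterminate decisions, and a PEP should treat anything other than an explicit Permit (including transport errors and malformed responses) as a denial.

```python
import json
import urllib.request

# Assumed ADS endpoint (placeholder, not from the guide); take the real value
# from your ADS deployment configuration.
ADS_AUTHORIZE_URL = "https://ads.example.internal/authorize"

# Standard XACML attribute identifiers defined by the OASIS specification.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_request(subject, resource, action):
    """Build an authorization request in the JSON Profile of XACML 3.0."""
    return {
        "Request": {
            "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]},
            "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
            "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        }
    }


def post_json(url, payload, timeout=5):
    """POST the request to the PDP over HTTPS and parse the JSON response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decision_of(response):
    """Return the Decision string from a JSON Profile response, or None if malformed.

    A response carries a list of Results; a single-request PEP expects exactly one.
    """
    try:
        results = response["Response"]
        if len(results) != 1:
            return None
        return results[0].get("Decision")
    except (KeyError, TypeError, AttributeError):
        return None


def is_permitted(response):
    """Fail closed: only an explicit Permit grants access.

    Deny, NotApplicable, Indeterminate and anything unparseable all deny.
    """
    return decision_of(response) == "Permit"


def authorize(subject, resource, action, post=None):
    """PEP entry point: ask the PDP and return True only on Permit.

    `post` is injectable so the transport can be replaced (used below to run offline).
    """
    post = post or (lambda payload: post_json(ADS_AUTHORIZE_URL, payload))
    try:
        response = post(build_request(subject, resource, action))
    except Exception:  # network error, timeout, bad JSON: deny rather than guess
        return False
    return is_permitted(response)


def fake_pdp(payload):
    """Constructed stand-in for ADS: permits only alice reading doc-1, denies bob,
    and returns NotApplicable for everyone else (no policy matches)."""
    req = payload["Request"]
    subj = req["AccessSubject"]["Attribute"][0]["Value"]
    res = req["Resource"]["Attribute"][0]["Value"]
    act = req["Action"]["Attribute"][0]["Value"]
    if subj == "alice" and res == "doc-1" and act == "read":
        return {"Response": [{"Decision": "Permit"}]}
    if subj == "bob":
        return {"Response": [{"Decision": "Deny"}]}
    return {"Response": [{"Decision": "NotApplicable"}]}


if __name__ == "__main__":
    for s, r, a in [("alice", "doc-1", "read"), ("bob", "doc-1", "read"), ("carol", "doc-1", "read")]:
        verdict = "allow" if authorize(s, r, a, post=fake_pdp) else "deny"
        print(f"{s} {a} {r} -> {verdict}")
```

The point of `decision_of` rejecting multi-result responses is that a PEP which sent one request has no safe way to pick among several results; treating that case as a denial keeps a confused or tampered response from granting access.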

Notices

AXIOMATICS® is a registered trademark of Axiomatics AB, corporate identification no. 556708-1012, Sweden. Other trademarks are the property of their respective owners.

Except as otherwise expressly agreed in writing by Axiomatics AB, information in this document does not constitute in any way a representation, warranty or commitment on the part of Axiomatics.

Copyright © 2012-2024 Axiomatics AB. All Rights Reserved.