Version: 26.1

Introduction

The Authorization Hub is the central platform for managing Attribute-Based Access Control (ABAC) across your organization. It simplifies the creation, organization, and management of ABAC policies and enables consistent enforcement of zero-trust security principles throughout the organization.

Why ABAC?

Traditional role-based access control (RBAC) grants access based on a user's role alone. ABAC goes further: it factors in who is making the request, what they want to do, which resource they are targeting, and the context of the request (such as time of day, location, or device type).

This lets you express fine-grained policies that RBAC cannot, such as:

  • "A nurse can view a patient's records only during their assigned shift."
  • "A contractor can access project files only from a corporate device."
  • "A manager can approve expenses only for their own department."

Without ABAC, satisfying these rules requires an ever-growing number of roles, a maintenance burden that quickly becomes unmanageable.

How authorization works

ABAC operates across three distinct planes:

  • Control plane: Where you define, manage, and store policies, attributes, and attribute connectors.
  • Decision plane: Acts as the Policy Decision Point (PDP) and evaluates access requests against your policies. Fetches attribute values at runtime, checks them against the policy rules, and returns a permit or deny decision. Audit and access review reports are typically generated here via SIEM services.
  • Enforcement plane: Implemented by a Policy Enforcement Point (PEP) that acts on the PDP's decision, either allowing or blocking the requested action.

The Authorization Hub is the control plane that gives the PDP everything it needs to evaluate requests accurately and in real time.

Authorization policy lifecycle

Managing authorization is an ongoing cycle. The Authorization Hub fits into the following workflow:

  1. Define requirements: Write authorization requirements in plain English and track them with your preferred tools.
  2. Identify attributes: Define the attributes that describe users, resources, actions, and context. Map them to their data sources, such as user directories (LDAP), databases (SQL), APIs, and so on.
  3. Author policies: Write policies in the ALFA language using the built-in editor or your IDE.
  4. Test: Use Axiomatics Policy DevOps to verify behavior, catch errors, and confirm policies work consistently across environments.
  5. Deploy: Bundle policies, attributes, and attribute connectors into a domain that the PDP can fetch and apply to access requests.
  6. Audit and review: Use your SIEM to analyze the access audit trail and Policy insights to generate access review reports, such as "What can Alice do?" or "Who can access application X?".
Info: The Authorization Hub currently covers steps 2, 3, 5 and partially 6, while steps 1 and 4 use external tooling.

ALFA language

ALFA (Abbreviated Language for Authorization) is a domain-specific language for writing authorization policies. Its syntax resembles Java and C#, making it familiar to most developers. Every ALFA policy is built around permit and deny outcomes, which maps closely to how people reason about access in natural language. Policies nest hierarchically, which keeps large policy sets organized and makes evaluation efficient. Read the ALFA documentation to learn more.
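As an added illustration that is not part of the Authorization Hub documentation, the third requirement listed above ("a manager can approve expenses only for their own department") written as an ALFA policy. The namespace, attribute names and attribute ids are constructed for this example, and the syntax assumes ALFA 1.0 conventions (attribute declarations, `target clause`, `condition`, `apply firstApplicable`):

```alfa
namespace example.expenses {
    import Attributes.*   // standard XACML attributes such as actionId

    // Constructed attribute declarations; ids and categories are assumptions
    attribute userRole {
        id = "example:subject:role"
        type = string
        category = subjectCat
    }
    attribute userDepartment {
        id = "example:subject:department"
        type = string
        category = subjectCat
    }
    attribute resourceType {
        id = "example:resource:type"
        type = string
        category = resourceCat
    }
    attribute expenseDepartment {
        id = "example:resource:department"
        type = string
        category = resourceCat
    }

    // Applies only to expense reports; the first matching rule decides
    policy expenseApproval {
        target clause resourceType == "expense-report"
        apply firstApplicable

        // Managers may approve, but only when the report belongs to their own department
        rule managerApprovesOwnDepartment {
            target clause userRole == "manager" and actionId == "approve"
            condition userDepartment == expenseDepartment
            permit
        }

        // Anything not explicitly permitted above is denied (fail closed)
        rule denyByDefault {
            deny
        }
    }
}
```

The PDP resolves `userDepartment` and `expenseDepartment` from their attribute connectors at request time, so the same policy holds as departments are added or renamed without any new roles being created.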

Notices

AXIOMATICS® is a registered trademark of Axiomatics AB, corporate identification no. 556708-1012, Sweden. Other trademarks are the property of their respective owners.

Except as otherwise expressly agreed in writing by Axiomatics AB, information in this document does not constitute in any way a representation, warranty or commitment on the part of Axiomatics.