What are some of the well known products/services around Authorization (RBAC and ABAC) that implement standards like XACML?

Question

What are some of the well known products/services around Authorization (RBAC and ABAC) that implement standards like XACML?

• Our customers are organizations.
• Each organization would be given 3 default roles (after onboarding)
  • but also have the capability to create more roles
• Roles define level of access on the under lying resources (not just the API level (which is via scopes) but at the resource level)

Another use case is that of superuser who can act across organizations and perform any action.

Please share your thoughts on if these use cases can be solved (and the ease) in the product or service you recommend. thanks.

Answer 1

cdan is right. Start with the Wikipedia page for XACML (and the ones for ABAC and ALFA) which list implementations but also use cases. You have quite a broad range of commercial and open-source alternatives.

In ABAC, you tend to try to write authorization policies independently of the underlying technology. This means that whether access is via APIs or via a webpage should not matter in defining the authorization.

The key questions you want to ask yourself are:

• Are there relationships in authorizations? E.g.
  • a user with role='manager' can do action = 'view' on object = 'record' if object.organization == user.organization.
• Do I care about auditing the authorization? Do I need to prove my compliance?
• Do I need context and runtime attributes e.g. time and location?
• Do I need to apply the same authorization logic across multiple apps, APIs, and data?
• Do I need to regularly update my authorizations?

If you answered Yes to one or more of the above questions, you likely need ABAC.

Answer 2

You can find a list of XACML implementations on the dedicated Wikipedia page. To address your use case which is very RBAC-oriented, I would use the RBAC Profile of XACML, so make sure the implementation you choose supports that.