Attribute-based access control: Difference between revisions

==Applications==
=== API & Microservices Security ===
ABAC can be used to apply attribute-based, fine-grained authorization to individual API methods or functions. For instance, a banking API may expose an approveTransaction(transId) method, and ABAC can be used to secure that call. With ABAC, a policy author can write the following:

- '''Policy''': managers can approve transactions up to their approval limit
- '''Attributes used''': the subject's role and approval limit, the action ID, the object type, and the transaction amount.
 
The flow would be as follows:

1. The user, Alice, calls the API method approveTransaction(123).
2. The API receives the call and authenticates the user.
3. An interceptor in the API (the Policy Enforcement Point, or PEP) calls out to the authorization engine (the Policy Decision Point, or PDP) and asks: ''Can Alice approve transaction 123?''
4. The PDP retrieves the ABAC policy and the attributes the policy needs (Alice's role and approval limit, the transaction's type and amount).
5. The PDP reaches a decision (Permit or Deny) and returns it to the API interceptor.
6. If the decision is Permit, the underlying API business logic is called. Otherwise the API returns an error or access denied, and the business logic never runs.
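The six-step flow above, as an added example in Python (not code from the article or from any ABAC product). The user and transaction records, the attribute names (role, approval_limit, amount, type) and the function names are constructed for the illustration; the PDP is deny-by-default, so a missing attribute or an unknown subject or object can never produce a Permit.

```python
"""Minimal PEP/PDP illustration of 'managers can approve transactions up to
their approval limit'. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed attribute sources. In a real deployment the PDP would fetch these
# from Policy Information Points (directory, transaction database, ...).
USERS = {
    "alice": {"role": "manager", "approval_limit": 10_000},
    "bob": {"role": "teller", "approval_limit": 0},
}
TRANSACTIONS = {
    123: {"type": "transaction", "amount": 5_000, "state": "pending"},
    124: {"type": "transaction", "amount": 25_000, "state": "pending"},
}


@dataclass
class Request:
    """The question the PEP sends to the PDP: who, does what, to which object."""
    subject: dict
    action: str
    resource: dict


def managers_within_limit(r: Request) -> bool:
    """The one policy rule from the text, expressed over attributes only.
    A missing amount compares as infinity and a missing limit as 0, so
    incomplete attribute data falls through to Deny."""
    return (
        r.subject.get("role") == "manager"
        and r.action == "approve"
        and r.resource.get("type") == "transaction"
        and r.resource.get("amount", float("inf")) <= r.subject.get("approval_limit", 0)
    )


RULES: List[Callable[[Request], bool]] = [managers_within_limit]


def pdp_decide(request: Request) -> str:
    """Policy Decision Point: Permit if any rule permits, otherwise Deny."""
    return "Permit" if any(rule(request) for rule in RULES) else "Deny"


def approve_transaction(user: str, trans_id: int) -> str:
    """API method with an authorization interceptor (PEP) in front of the
    business logic. Returns the decision the caller sees."""
    subject: Optional[dict] = USERS.get(user)          # step 2: authenticated user
    resource: Optional[dict] = TRANSACTIONS.get(trans_id)
    if subject is None or resource is None:
        return "Deny"  # unknown subject or object: never default to Permit

    # step 3: ask the PDP; copies keep the attribute stores untouched
    decision = pdp_decide(Request(dict(subject), "approve", dict(resource)))
    if decision != "Permit":
        return "Deny"  # step 6: business logic is skipped on Deny

    resource["state"] = "approved"  # step 6: business logic runs only after Permit
    return "Permit"


if __name__ == "__main__":
    print("alice/123:", approve_transaction("alice", 123))   # within limit
    print("alice/124:", approve_transaction("alice", 124))   # exceeds limit
    print("bob/123:", approve_transaction("bob", 123))       # wrong role
```

The PEP never reasons about the policy itself; it only gathers attributes, asks the PDP and enforces the answer, which is what lets the approval limit change in the policy without touching the API code.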
 
=== Application Security ===
=== Database Security ===