Authorizer Overview
    • 14 Apr 2025

    The Access File Authorizer supports Authorization enforcement in an offline manner, enabling bulk Authorization calculation and management of authorization decision states. It processes data and generates access files in specific templated structures for consumption by offline systems, by legacy technologies that cannot integrate directly, and for other use cases such as administration-time access provisioning and access reporting/auditing. It is particularly suited to systems that lack integration points for Runtime calculation or enforcement but require dynamic, Policy-based Authorization managed centrally in PlainID.

    General Operation Flow

    The Authorizer process flow follows these main steps:

    • Load Subject Data from a predefined source and store it in an operational database deployed for the Authorizer.

      • This data represents the population for which authorization is calculated.
      • A common use case involves a full or partial set of organization identities, where authorization is calculated and output to an access file.
      • Note: Only subject IDs and attribute checksums are stored to avoid duplicating your data source.
    • Process PDP Requests for all subjects in the population and store the results in the operational database.

      • PDP requests are generated iteratively and processed in parallel.
      • Access decisions or error responses are stored for each subject as an access state.
    • Generate an Access File based on the subject's access state saved in the database and the file template.

    This flow outlines how the Authorizer operates:

    • Running over the full subject population vs. running only over updated subjects.
    • Using Identities or Assets as subjects with the relevant PDP flows.
    • Executing multiple flows within a single job.
    • Choosing between manual and scheduled job execution.


    Initiation

    1. An access file is generated, initiated either by an administrator or automatically through a scheduling mechanism.

    Phase 1
    2. The Authorizer reads a list of subjects from the client’s data source.

    Phase 2
    3. The Authorizer writes the retrieved subjects to an operational database.
    4. The Authorizer queries the PDP to calculate an Authorization Decision for each subject.
    5. The PDP's access decisions are stored in the operational database for each subject.

    Phase 3
    6. The Authorizer generates an access file for all subjects and saves it in the storage volume.

    Access Usage
    7. Applications retrieve and use the access file to enforce user access.
    8. User actions in the Application are approved or denied based on the Authorizations provided in the access file.
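    The three phases above, as an added Python sketch that is not PlainID's own code: subject loading keeps only the id plus an attribute checksum (so a re-run can select just the updated subjects), PDP requests run in parallel with error responses persisted as an access state, and the access file is rendered from a template. The stub PDP, the sample subjects and the line template are constructed stand-ins, not PlainID interfaces.

```python
import hashlib
import json
from concurrent.futures import ThreadPoolExecutor

# Constructed sample subjects standing in for the client's data source.
SUBJECTS = [
    {"id": "u1", "dept": "finance", "role": "analyst"},
    {"id": "u2", "dept": "hr", "role": "manager"},
    {"id": "u3", "dept": "finance", "role": "intern"},
]

def attribute_checksum(subject):
    """Digest of the attributes only, so the store never copies source data."""
    attrs = {k: v for k, v in subject.items() if k != "id"}
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()

def load_population(subjects, store):
    """Phase 1/2: persist id + checksum; return ids that are new or changed."""
    updated = []
    for s in subjects:
        digest = attribute_checksum(s)
        if store.get(s["id"], {}).get("checksum") != digest:
            store[s["id"]] = {"checksum": digest, "state": None}
            updated.append(s["id"])
    return updated

def stub_pdp(subject):
    """Hypothetical PDP: finance reads the ledger, managers approve; unknown roles error."""
    if subject["role"] not in ("analyst", "manager"):
        raise ValueError(f"unknown role {subject['role']}")
    permits = ["ledger:read"] if subject["dept"] == "finance" else []
    return permits + (["reports:approve"] if subject["role"] == "manager" else [])

def process_requests(subjects, ids, store):
    """Phase 2: PDP requests run in parallel; a decision or an error is the access state."""
    def one(s):
        try:
            return s["id"], {"permit": stub_pdp(s), "error": None}
        except ValueError as exc:
            return s["id"], {"permit": None, "error": str(exc)}
    with ThreadPoolExecutor(max_workers=4) as pool:
        for sid, state in pool.map(one, [s for s in subjects if s["id"] in ids]):
            store[sid]["state"] = state

def render_access_file(store, template="{sid}:{perms}"):
    """Phase 3: one templated line per decided subject; a missing or failed decision grants nothing."""
    out = []
    for sid, rec in sorted(store.items()):
        st = rec["state"] or {"permit": None, "error": "not processed"}
        if st["error"]:
            out.append(f"# {sid} skipped: {st['error']}")
        else:
            out.append(template.format(sid=sid, perms=",".join(st["permit"])))
    return "\n".join(out) + "\n"
```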

    Participating Components

    • Access File Authorizer Service - The Authorizer Service manages the complete process, including data fetching and persistence, access processing, and output file generation.
    • Operational Database - Stores Subject population, Authorization Decisions and processing status.
    • PDP - Calculates Authorization Decisions based on policies and data.
    • PIP - Integrates with external data sources to provide user population and other required data.
    • Redis - Stores and manages job scheduling data and execution using Redis queuing.
    • Scheduler - Oversees the execution of configured job flows, utilizing cron-based scheduling, concurrent job handling, a locking mechanism, and status tracking and history.

    Refer to the following articles for more information:
    Installing and Configuring the Authorizer
    Using the Authorizer
    Ongoing Maintenance, Monitoring, and Logging

