The wrestling match is covered in my earlier post.
Let me insert my favorite punch line before I mention the best practices.
Authentication is finite while Authorization is infinite.
Best practices for access control:
1. Know that you will need access control/authorization.
2. Externalize the access control policy processing
3. Understand the difference between coarse grained and fine grained authorization
4. Design for coarse grained authorization but keep the design flexible for fine grained authorization
5. Know the difference between Access Control Lists and Access Control standards
|Fig: Typical XACML Fine Grained Access Control Architecture|
6. Adopt Rule Based Access Control : view Access Control as Rules and Attributes
7. Adopt a REST style architecture when your situation demands scale, and with it the REST authorization standards
With the growing demand for web based services and APIs and the proliferation of mobile devices in the world, it has become essential to incorporate a REST style architecture into your system design.
It is essential to use the OAuth2 standard for REST authorization. While OAuth2 takes care of defining the tokens and some rules for authorization (the scope of authorization and the actor/resource), system architects may still need to incorporate fine grained authorization. Certainly take a look at the REST Profile of XACML v3. There is also a JSON binding available.
8. Understand the difference between the Enforcement and Entitlement models
Prominent access control strategies and standards follow the Enforcement model: the access control system is asked to enforce access to a resource, which leads to a Yes/No type question. The enforcement model does not scale in a cloud or a resource constrained environment.
In the Entitlement model, the access control system does not perform enforcement or access checks itself. Rather, it answers questions such as "What permissions does this user have?". The requester then uses the returned answer to perform local enforcement.
|Cloud Enforcement vs Entitlement Model|
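As an added illustration (not code from the original post), here is a constructed Python sketch that evaluates one attribute-based rule set both ways: the enforcement question ("may this subject perform this action on this resource?") and the entitlement question ("what may this subject do?"), with the caller then enforcing locally from the returned map. The rules, subjects, resources and attribute names are constructed samples, not from any real system.

```python
"""Enforcement vs entitlement over the same rule/attribute policy (constructed example)."""
from typing import Callable, Dict, List, Set, Tuple

Attrs = Dict[str, str]
# A rule pairs an action with a condition over subject and resource attributes.
Rule = Tuple[str, Callable[[Attrs, Attrs], bool]]

POLICY: List[Rule] = [
    # Anyone may read documents of their own department that are not restricted.
    ("read", lambda s, r: s["dept"] == r["dept"] and r["sensitivity"] != "restricted"),
    # Managers may read anything in their department, including restricted documents.
    ("read", lambda s, r: s["role"] == "manager" and s["dept"] == r["dept"]),
    # Only the owner may edit, and only while the document is still a draft.
    ("edit", lambda s, r: s["id"] == r["owner"] and r["status"] == "draft"),
]
ACTIONS = ("read", "edit")


def decide(subject: Attrs, resource: Attrs, action: str) -> str:
    """Enforcement model: one yes/no question per access, deny by default."""
    for rule_action, cond in POLICY:
        if rule_action == action and cond(subject, resource):
            return "Permit"
    return "Deny"


def entitlements(subject: Attrs, resources: Dict[str, Attrs]) -> Dict[str, Set[str]]:
    """Entitlement model: answer 'what may this subject do?' once, for local enforcement."""
    return {rid: {a for a in ACTIONS if decide(subject, res, a) == "Permit"}
            for rid, res in resources.items()}


def local_check(grants: Dict[str, Set[str]], resource_id: str, action: str) -> bool:
    """Caller-side check against a returned entitlement map; no call back to the policy service."""
    return action in grants.get(resource_id, set())


# Constructed sample subjects and resources.
ALICE = {"id": "alice", "role": "engineer", "dept": "eng"}
BOB = {"id": "bob", "role": "manager", "dept": "eng"}
DOCS = {
    "d1": {"dept": "eng", "sensitivity": "normal", "status": "draft", "owner": "alice"},
    "d2": {"dept": "eng", "sensitivity": "restricted", "status": "final", "owner": "bob"},
    "d3": {"dept": "sales", "sensitivity": "normal", "status": "draft", "owner": "carol"},
}

if __name__ == "__main__":
    print(decide(ALICE, DOCS["d2"], "read"))  # Deny: restricted and Alice is not a manager
    print(entitlements(BOB, DOCS))            # {'d1': {'read'}, 'd2': {'read'}, 'd3': set()}
```

Note that unknown resource ids simply yield no grants, so the local check stays deny-by-default even when the entitlement map is stale or incomplete.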