Authorization Policy Enforcement Levels
Organizations can enforce access control at whichever levels they need: organization, service (feature), and resource (API). Combining these levels builds a layered perimeter around their platforms and data.
Enforcing Access Control at Organization Level
You can set up access control for your whole organization by applying authorization policies at the workspace level.
Enforcing Access Control at Feature Level
Feature access can be controlled by applying authorization policies at the service level. This can be used, for example, to enforce subscriptions and grant access to a feature only to organizations that have an active subscription.
Enforcing Access Control at Resource Level
To enforce access control at the resource level, authorization policies need to be applied at the API level. This way, you can, for example, decide that only an admin user can see other users' phone numbers.
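The following is a constructed Python model of the three enforcement levels described above, using the phone-number example from the resource-level section. It is an added illustration, not Cloudentity's policy language or API; the token claim names, the "directory" feature and the sample users are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Claims from a constructed access token (claim names are assumptions)."""
    sub: str
    org: str
    roles: frozenset
    subscriptions: frozenset


@dataclass(frozen=True)
class User:
    user_id: str
    org: str
    phone: str


def org_policy(token: Token, resource_org: str) -> bool:
    """Organization (workspace) level: the caller must belong to the org that owns the data."""
    return token.org == resource_org


def service_policy(token: Token, feature: str) -> bool:
    """Service (feature) level: the feature requires an active subscription."""
    return feature in token.subscriptions


def api_policy(token: Token, target: User) -> bool:
    """API (resource) level: users see their own phone number; admins see anyone's."""
    return token.sub == target.user_id or "admin" in token.roles


def get_user_profile(token: Token, target: User, feature: str = "directory") -> dict:
    # Policies are evaluated from the outermost level inward; the first denial wins,
    # so an admin from another organization is stopped before any role is consulted.
    if not org_policy(token, target.org):
        return {"error": "forbidden", "level": "organization"}
    if not service_policy(token, feature):
        return {"error": "forbidden", "level": "service"}
    profile = {"user_id": target.user_id}
    if api_policy(token, target):  # field-level decision, not an outright denial
        profile["phone"] = target.phone
    return profile


# Constructed sample data for the demonstration.
BOB = User("bob", "acme", "+1-555-0100")
ADMIN_TOKEN = Token("alice", "acme", frozenset({"admin"}), frozenset({"directory"}))
BOB_TOKEN = Token("bob", "acme", frozenset(), frozenset({"directory"}))
DAVE_TOKEN = Token("dave", "acme", frozenset(), frozenset({"directory"}))
CAROL_TOKEN = Token("carol", "acme", frozenset(), frozenset())  # no subscription
EVE_TOKEN = Token("eve", "other-org", frozenset({"admin"}), frozenset({"directory"}))
```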
Policy Execution Points
Cloudentity facilitates centralized management of policies, allowing organizations to assign them in a multi-dimensional manner for enhanced security.
Authorization policies can be assigned:
To client applications: This allows control over who can access your application, with the enforcement of Multi-Factor Authentication (MFA), permissions, and other security measures.
At the authorization server level: This level of assignment helps control which users or machines can obtain security tokens, and can block token issuance for suspicious requests.
To scopes: This enables control over who can grant and who can request a given scope of access. MFA can be enforced when granting consent to a particular scope.
At the API request level: This helps unify authorization for microservices within a Service Mesh and beyond, allowing the discovery and protection of APIs deployed behind a gateway. This level of policy assignment ensures a uniform authorization strategy across various services and API endpoints, enhancing the security posture.