Background
There are multiple rules to be evaluated in order to authorize user access. IAM domain is mainly responsible for generic or business domain-agnostic rules such as end user session inactivity duration, device fingerprinting, IP addresses, GEO location, etc. On the other side of the spectrum there are business domain specific rules which are related to evaluation of the customer-to-product role (e.g. account owner), checking of different kinds of limits, etc. These are in the responsibility of the particular business domain’s services.
However, there is kind of a grey zone between these two groups which includes rules such as
Multiple transactions in a short time period should trigger additional verification
Multiple transactions with a high amount should trigger additional verification
Changing multiple account details within short period of time should trigger additional verification
Triggering of back office action in certain circumstances
Etc
To implement these rules the responsible system needs to understand the semantics of the relevant actions and maintain a set of counters and/or other mechanisms.
To further enhance the effectivity of the authorization rules while keeping a high level of the UX, it would be natural to introduce a ML mechanism with capabilities to maintain user’s behaviour profile that can be used for adaptive risk assessment of the user’s activity.
Options considered
Domain services responsible for all domain-related authorization rules | Centralized solution for authorization rules | |
|---|---|---|
Description | Definition, evaluation and enforcement of all authorization rules that need to process any business domain specific data are in sole responsibility of the particular business domain micro-service. Forgerock is responsible for generic and business domain-agnostic rules only. | Centralized solution for definition, evaluation and enforcement of all authorization rules. Business domain micro-services delegating authorization to Forgerock solution. |
Pros and cons |
|
|
Estimated cost | LOW | MEDIUM |
No business domain specific data needs to be synchronized to Forgerock
No straightforward possibility to implement authorization rules mixing data from multiple domains and generic IAM specific data
Outcome
Decentralized approach where each business domain micro-service is responsible for its own domain-specific authorization rules will be implemented. Forgerock will be in charge of generic IAM authorization rules only.
Integration with real-time fraud prevention risk engine within the user authorization workflow will be orchestrated by individual business domain micro-services.
Attachments:
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)
iam-decition.drawio (application/vnd.jgraph.mxfile)
iam-decition.drawio.png (image/png)
~drawio~620d181df97d180071744bea~iam-decition.drawio.tmp (application/vnd.jgraph.mxfile)