Cloudentity ACP authorization policies

Policy concept

As the core of the Authorization Control Plane (ACP), authorization policies introduce multilevel authorization in response to modern access control requirements.

Authorization validators

Authorization policies are built around the authorization validators concept, which covers a vast range of authorization control mechanisms, including:

  • Current user attributes and roles,
  • Device context (for example, location, known/unknown status, attributes),
  • Application attributes,
  • Current request context,
  • User authentication (MFA) checks,
  • User permissions,
  • Privacy and consent (PII),
  • Custom-built validators,
  • Conditional (allows building complex validation logic),
  • Embedded policy (allows reusing existing policies),
  • Others.

Policy editor

ACP comes with a user-friendly policy editor UI, which can be used by non-developers to quickly understand and create their own policies with no need to understand or read code or configuration.

CI/CD

ACP authorization policies are easy to integrate into your CI/CD pipeline. Policies can be written in a user-friendly YAML format and imported easily.

Authorization recovery

Policies introduce the concept of policy recovery, which allows additional information about the validation failure to be returned to the requesting client. Policy recovery enables user-friendly flows and rich client-API integration workflows.

Applying policies

OAuth scope request

When an OAuth client requests authorization, it sends a list of scopes to be granted by the user. Each scope can have an authorization policy assigned. Such a policy gets validated when a consent screen is displayed to the user. If the policy does not authorize the current user and/or the client to get a specific scope, the scope is not granted to the client.

OAuth token issuing

When an OAuth client requests authorization, a policy is validated even before a consent page is displayed to the user. If the policy does not authorize the requesting client, the token is not issued.

OAuth client creation

Policy per client

When a developer creates an OAuth client, a policy is validated to verify whether this client can be created by this specific developer. This allows limiting the number of developers who can create a client connected to a particular authorization server.

Policy per scope

While creating an OAuth client, a developer can request scopes to be asked for during authorization. Each scope can have a specific authorization policy assigned. This policy gets validated when a developer lists available scopes in the development portal UI and during the actual client creation request. This allows limiting the scopes that a particular client can request.
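To make the concepts above concrete (the validator kinds listed under "Authorization validators", the conditional and embedded validators, policy recovery, and the two-level evaluation order described for OAuth token issuing, scope consent and client creation), here is an added Python model. It is illustrative code written for this page, not Cloudentity's ACP implementation or its policy language; every name in it (Context, Decision, attribute, mfa, all_of, any_of, embedded, evaluate, the acr_level attribute and the sample policies and contexts) is an assumption made for the example. Client creation uses the same evaluate function with the developer as the user and the client-creation policy as the gate.

```python
# Added illustration of multilevel policy evaluation. Hypothetical model written for
# this page, not Cloudentity ACP code; every name and sample value is an assumption.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Context:
    user: dict      # current user attributes and roles
    client: dict    # application attributes
    request: dict   # current request context

@dataclass
class Decision:
    allowed: bool
    recovery: Optional[dict] = None  # extra info returned on failure ("policy recovery")

Policy = Callable[[Context], Decision]

def attribute(source: str, name: str, expected) -> Policy:
    """Validator on a user ('user'), application ('client') or request ('request') attribute."""
    def check(ctx: Context) -> Decision:
        if getattr(ctx, source).get(name) == expected:
            return Decision(True)
        return Decision(False, {"reason": f"{source}_attribute", "attribute": name})
    return check

def mfa(required_level: int) -> Policy:
    """Authentication (MFA) validator; 'acr_level' is an assumed user attribute holding
    the achieved authentication level. The recovery names the missing step-up."""
    def check(ctx: Context) -> Decision:
        if int(ctx.user.get("acr_level", 0)) >= required_level:
            return Decision(True)
        return Decision(False, {"reason": "mfa_required", "required_level": required_level})
    return check

def all_of(*policies: Policy) -> Policy:
    """Conditional validator (AND); the first failing sub-validator's recovery is returned."""
    def check(ctx: Context) -> Decision:
        for policy in policies:
            decision = policy(ctx)
            if not decision.allowed:
                return decision
        return Decision(True)
    return check

def any_of(*policies: Policy) -> Policy:
    """Conditional validator (OR); on failure, every alternative's recovery is collected."""
    def check(ctx: Context) -> Decision:
        decisions = [policy(ctx) for policy in policies]
        if any(d.allowed for d in decisions):
            return Decision(True)
        return Decision(False, {"reason": "none_matched", "alternatives": [d.recovery for d in decisions]})
    return check

def embedded(registry: Dict[str, Policy], name: str) -> Policy:
    """Embedded-policy validator: reuse a policy registered under a name."""
    return lambda ctx: registry[name](ctx)

def evaluate(gate: Policy, scope_policies: Dict[str, Policy],
             requested: List[str], ctx: Context) -> dict:
    """Two-level evaluation: the gate policy (token policy, or client-creation policy with
    the developer as the user) runs first and, if it fails, nothing is issued. Otherwise each
    requested scope's own policy decides whether that scope is granted; a scope with no
    policy assigned is assumed to be granted."""
    decision = gate(ctx)
    if not decision.allowed:
        return {"issued": False, "granted": [], "denied": {}, "recovery": decision.recovery}
    granted, denied = [], {}
    for scope in requested:
        scope_decision = scope_policies.get(scope, lambda _: Decision(True))(ctx)
        if scope_decision.allowed:
            granted.append(scope)
        else:
            denied[scope] = scope_decision.recovery
    return {"issued": True, "granted": granted, "denied": denied, "recovery": None}


# Constructed sample policies and contexts (not real tenant data).
REGISTRY: Dict[str, Policy] = {"employees_only": attribute("user", "org", "acme")}
TOKEN_POLICY = all_of(attribute("client", "trusted", True), embedded(REGISTRY, "employees_only"))
SCOPE_POLICIES: Dict[str, Policy] = {
    "profile": embedded(REGISTRY, "employees_only"),
    "payments": all_of(embedded(REGISTRY, "employees_only"), mfa(2)),
    "admin": any_of(attribute("user", "role", "admin"), attribute("user", "role", "owner")),
}
REQUESTED = ["openid", "profile", "payments", "admin"]

def consent_for_employee() -> dict:
    """Trusted client, employee with single-factor login: token issued, 'payments' refused
    with an MFA step-up hint, 'admin' refused with the roles that were tried."""
    ctx = Context(user={"org": "acme", "acr_level": 1, "role": "developer"},
                  client={"trusted": True}, request={"ip": "203.0.113.7"})
    return evaluate(TOKEN_POLICY, SCOPE_POLICIES, REQUESTED, ctx)

def consent_for_untrusted_client() -> dict:
    """Token-level policy fails before consent, so the scopes are never considered."""
    ctx = Context(user={"org": "acme", "acr_level": 2, "role": "admin"},
                  client={"trusted": False}, request={})
    return evaluate(TOKEN_POLICY, SCOPE_POLICIES, REQUESTED, ctx)
```

The point of the model is the ordering and the recovery payload: the client-level gate is decided before any consent screen, a denied scope simply drops out of the granted list rather than failing the whole request, and each denial carries structured information (for example the required MFA level) that a client can use to drive a step-up flow instead of showing a generic error.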

Note

Cloudentity MicroPerimeter Security can enforce authorization policies during API access.

Sample Policy