Adaptive Framework 0.9.0

Authorization

Within some parts of Adaptive Framework, a decision has to be made on whether or not to permit an operation. Such a decision may invoke external logic through a process collectively known as Authorization. For instance, when a client wishes to update the property of an object, or requests that a new extension be loaded or a service be stopped, Adaptive Framework invokes Authorization code, when such code is available. This gives administrators the ability to plug in their own authorization logic and to make decisions based on business policy.

How Adaptive Framework locates the appropriate Authorization policy to invoke depends somewhat upon the operation being performed. Some authorization logic can be specified at the Application level, where it applies to all decisions. Other authorization logic may be declared on just a particular service, so that its decisions apply only to operations pertaining to an adaptor being used.

An authorization decision in Adaptive Framework borrows heavily from the way XACML defines it: Can a Subject perform a particular Action on a particular Resource within a given Environment? Authorization scripts are provided access to each of these parts in order to render a decision.
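The four-part decision and the two policy levels described above can be sketched as follows. This is an added example, not Adaptive Framework code or its script syntax; the action names, role names, the `files` adaptor, and the deny-overrides, default-deny combining rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Request:
    subject: dict    # who is asking, e.g. {"id": "alice", "roles": ["editor"]}
    action: str      # what they want to do (constructed names, not framework ones)
    resource: dict   # what it is done to, e.g. {"adaptor": "files", "object": "/a"}
    environment: dict = field(default_factory=dict)  # context, e.g. {"hour": 10}

def app_policy(req):
    """Application-level policy: consulted for every decision."""
    if req.action in ("extension_load", "service_stop"):
        return PERMIT if "admin" in req.subject.get("roles", []) else DENY
    return NOT_APPLICABLE

def files_service_policy(req):
    """Service-level policy: consulted only for the hypothetical 'files' adaptor."""
    if req.action != "property_update":
        return NOT_APPLICABLE
    in_hours = 8 <= req.environment.get("hour", -1) < 18
    is_editor = "editor" in req.subject.get("roles", [])
    return PERMIT if (is_editor and in_hours) else DENY

def decide(req, application_policies, service_policies):
    """Combine results with deny-overrides; fail closed if nothing applies.

    Both rules are assumptions of this example, not documented framework behavior.
    """
    policies = list(application_policies)
    policies += service_policies.get(req.resource.get("adaptor"), [])
    results = [policy(req) for policy in policies]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return DENY  # no applicable policy: default deny

APP = [app_policy]
SERVICES = {"files": [files_service_policy]}

if __name__ == "__main__":
    alice = {"id": "alice", "roles": ["editor"]}  # constructed sample subject
    req = Request(alice, "property_update", {"adaptor": "files"}, {"hour": 10})
    print(decide(req, APP, SERVICES))
```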

[Figure: Authorization Diagram. Diagram illustrating an authorization process.]

The previous diagram illustrates the steps that are taken from the start of a client request to the response that is returned. The Authentication in steps (2) and (3) is optional, but these steps are often taken when an unverified client wishes to make a request for data. The role of Adaptive Framework does not really start until step (5), when all of the subject information that will be needed to make an authorization decision has been gathered.