Objectives

Goals

• Define a simple, flexible Application Programming Interface through which authorization functionality can be invoked by both providers of security components and developers of security-aware applications.

• Enable application-transparent evaluation of policy rules to arrive at access decisions.

• Enable central management of policy independent of applications.

• Transparently support a wide variety of authorization policy rule syntax and semantics (for example, ACLs, capabilities, labels, logical predicates, and so on).

• Separate authentication from authorization.

• Permit derivation of authorization attributes from authentication data.

• Transparently support any reasonable authorization attribute type (for example, access identities, groups, roles, clearances, and so on).

• Facilitate authorization in multi-tiered applications.

• Permit externalization of authorization attributes for use in multi-tier application configurations.

• Enable applications to access security policy (entitlement) information applicable to their resources.

• Support a variety of access control mechanisms as implementations of the API.

• Enable simultaneous use by a single application of multiple authentication and authorization services.

• Support application access to audit data related to the operation of the authorization service.

Non-Goals

• Define an API for the administration of authorization policy.

• Specify a service, or semantics, for delegation of credentials.

• Specify an audit service API.

• Specify how and when authorization services should generate audit events.

• Define an interoperable PAC format for the exchange of credential information between heterogeneous aznAPI implementations. (This could be a goal of a future standardization effort or of a future revision of this standard.)
  

• Support every possible authorization policy rule syntax and semantics. (Some policy semantics, for example, "four eyes" policies, may not be supportable by this version of the aznAPI.)