Versatile Access Control
To facilitate progressive profiling and access control, miaa Guard offers miaa PolicyChecker. Its power is in enabling harmonised and externalised secure access control enforcement, simply based on a configured policy.
miaa PolicyChecker produces ‘access decisions’ for coarse-grained access control, for fine-grained access control, and for conditional progressive profiling. This enables you, for example, to distinguish between visitors, consumers, registered customers, professional customers and employees. This also facilitates secure progressive profiling whereby you can ask the user to enter additional details before proceeding.
Typical coarse-grained rules:
- user profile must have a confirmed e-mail address
- user status must be ‘active’
- user must have accepted the most recent T&C’s
Typical fine-grained rules:
- user must have an age that is more (or less) than N years, for example to implement an ‘age-gate’
- user must have a valid subscription, for example to enforce a ‘pay wall’
- user must be a customer with a customer-ID, for example to enable billing portals to constrain access to the user’s own invoices only, and to enable booking portals to constrain access to the user’s own agenda only
- user must live in a whitelisted country, for example to limit participation to a contest to French residents only
- user must have an appropriate role or qualification, e.g. is-paying-customer, is-authorised-supplier or is-own-employee.
Typical conditional progressive profiling rules:
- user must indicate the birth year before proceeding
- user must indicate the postal address before proceeding
- user must enter a ‘party coupon’ that is printed on a paper invitation
- user must have reviewed or refreshed his profile in the past 3 months, and if not, he must first go to the edit-profile screen.
The PolicyChecker enables you to centralise the governance of the access policy. With the PolicyChecker, the logic of evaluating the rules becomes consistent and harmonised across all your digital properties. Whether the person is asking access through a browser or a mobile app, the PolicyChecker produces its access decision the same way. And whether the person is asking access to a regular website or a third party platform, such as a gamification engine or a video streaming service, the PolicyChecker that you configure is in control. As such, the decision process can be harmonised across all end user devices and across all your content delivery servers. Yet, the rules can be assigned on a property by property basis, when appropriate: which rules apply at a certain website, mobile app or other content server, and with which parameters.
The PolicyChecker greatly simplifies coding to be done by front-end developers for access control. In fact, it reduces coding effort to a single check ‘do I have an “OK” token or not’ that can be simply be replicated on every web server and in every mobile app. This is thanks to the PolicyChecker that has the logic to securely obtain the user profile, to securely evaluate the access rules and to maintain which access rules apply for a particular website or app.
The PolicyChecker performs its logic securely: it cannot be tampered with by the end user, nor by a third party platform provider or agency. Moreover, the PolicyChecker securely accesses the user profile and does not count on data stored in the browser, in the mobile app or on the web server.
The PolicyChecker takes into account any attribute in the user profile, including timestamps. Additionally, it can take certain context into account, such as type of device, the property being accessed and the date & time. As such, all the rules illustrated above can be implemented out-of-the-box.