Versatile Access Control

To facilitate progressive profiling and access control, miaa Guard has developed the miaa PolicyChecker module, part of the miaa Cloudware suite. Its strength lies in harmonised, externalised enforcement of secure access control, driven entirely by a configured policy rather than by checks coded separately into each property.

The PolicyChecker produces ‘access decisions’ for coarse-grained access control, for fine-grained access control, and for conditional progressive profiling. This enables you, for example, to distinguish between visitors, consumers, registered customers, professional customers and employees. This also facilitates secure progressive profiling whereby you can ask the user to enter additional details before proceeding.

Typical coarse-grained rules:

  • user profile must have a confirmed e-mail address
  • user status must be ‘active’
  • user must have accepted the most recent T&Cs

Typical fine-grained rules:

  • user must have an age that is more (or less) than N years, for example to implement an ‘age-gate’
  • user must have a valid subscription, for example to enforce a ‘pay wall’
  • user must be a customer with a customer-ID, for example to enable billing portals to constrain access to the user’s own invoices only, and to enable booking portals to constrain access to the user’s own agenda only
  • user must live in a whitelisted country, for example to limit participation in a contest to French residents only
  • user must have an appropriate role or qualification, e.g. payingCustomer, authorisedSupplier or ownEmployee.

Typical conditional progressive profiling rules:

  • user must indicate the birth year before proceeding
  • user must indicate the postal address before proceeding
  • user must enter a ‘party coupon’ that is printed on a paper invitation
  • user must have reviewed or refreshed their profile in the past 3 months, and if not, must first go to the edit-profile screen.
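The three rule families above (coarse-grained, fine-grained, conditional progressive profiling) can be modelled as one policy evaluator that returns a decision of "allow", "deny" or "profile" (collect these fields first, then re-evaluate). The following is an added example written for this page; it is not miaa code and does not describe how the PolicyChecker is built. The property names, profile field names, rule order, the fixed clock and the two sample profiles are all constructed assumptions; the profile is taken to have been fetched server-side from the identity platform, not from the client.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Outcomes of an access decision
ALLOW = "allow"      # proceed
DENY = "deny"        # refuse; nothing the user can supply right now changes this
PROFILE = "profile"  # progressive profiling: collect the listed fields, then re-evaluate

@dataclass
class Decision:
    outcome: str
    reason: str = ""                                   # first failing rule, for logs
    missing: List[str] = field(default_factory=list)   # fields to ask the user for

# A rule sees the profile (fetched server-side, never taken from the client) plus
# the request context, and returns None when it is satisfied.
Failure = Optional[Tuple[str, str, List[str]]]
Rule = Callable[[dict, dict], Failure]

def require(check: Callable[[dict, dict], bool], outcome: str, reason: str,
            missing: Tuple[str, ...] = ()) -> Rule:
    """Turn a predicate over (profile, ctx) into a single-outcome rule."""
    def rule(profile: dict, ctx: dict) -> Failure:
        return None if check(profile, ctx) else (outcome, reason, list(missing))
    return rule

# --- coarse-grained rules ---
email_confirmed = require(lambda p, c: bool(p.get("email_confirmed")), DENY, "e-mail not confirmed")
status_active = require(lambda p, c: p.get("status") == "active", DENY, "status not active")

def accepted_tc(version: str) -> Rule:
    return require(lambda p, c: p.get("tc_version") == version, DENY, f"T&Cs {version} not accepted")

# --- fine-grained rules ---
valid_subscription = require(
    lambda p, c: p.get("subscription_until") is not None and p["subscription_until"] > c["now"],
    DENY, "no valid subscription")

def has_role(*roles: str) -> Rule:
    return require(lambda p, c: bool(set(roles) & set(p.get("roles", []))), DENY, "required role missing")

def min_age(years: int) -> Rule:
    """Age-gate: no birth year -> ask for it (profiling); too young -> deny."""
    def rule(profile: dict, ctx: dict) -> Failure:
        born = profile.get("birth_year")
        if born is None:
            return PROFILE, "birth year required", ["birth_year"]
        if ctx["now"].year - born < years:   # year precision: the profile holds only a birth year
            return DENY, f"younger than {years}", []
        return None
    return rule

def country_in(allowed: set) -> Rule:
    """Country whitelist: no address -> ask for it; wrong country -> deny."""
    def rule(profile: dict, ctx: dict) -> Failure:
        country = profile.get("country")
        if country is None:
            return PROFILE, "postal address required", ["postal_address"]
        return None if country in allowed else (DENY, "country not whitelisted", [])
    return rule

# --- conditional progressive profiling rule ---
def profile_reviewed_within(days: int) -> Rule:
    return require(
        lambda p, c: p.get("profile_reviewed_at") is not None
        and c["now"] - p["profile_reviewed_at"] <= timedelta(days=days),
        PROFILE, "profile review overdue", ("profile_review",))

# Rules are assigned per property (hypothetical names). Coarse rules come first so a
# user who would be denied anyway is never asked to enter more data.
POLICY: Dict[str, List[Rule]] = {
    "shop.example": [email_confirmed, status_active, accepted_tc("2024-01"), min_age(18)],
    "contest.example": [email_confirmed, status_active, country_in({"FR"}), profile_reviewed_within(90)],
    "video.example": [status_active, valid_subscription, has_role("payingCustomer")],
}

def decide(property_id: str, profile: dict, ctx: dict) -> Decision:
    """Evaluate the property's rules in order; the first failure decides."""
    rules = POLICY.get(property_id)
    if rules is None:
        return Decision(DENY, "no policy configured for property")   # fail closed
    for rule in rules:
        failure = rule(profile, ctx)
        if failure is not None:
            return Decision(*failure)
    return Decision(ALLOW)

# Constructed sample data: a fixed clock (part of the context) and two profiles.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CTX = {"device": "browser", "now": NOW}
ALICE = {"email_confirmed": True, "status": "active", "tc_version": "2024-01",
         "birth_year": 1990, "country": "FR", "roles": ["payingCustomer"],
         "subscription_until": NOW + timedelta(days=30),
         "profile_reviewed_at": NOW - timedelta(days=200)}
BOB = {"email_confirmed": True, "status": "active", "tc_version": "2024-01"}
```

Two design points matter in practice: an unknown property fails closed rather than open, and rules are ordered so that a user who would be denied outright (unconfirmed e-mail, suspended account, outdated T&Cs) is never sent through a profiling step first. With the sample data, ALICE is allowed into shop.example and video.example, is sent to review her profile before entering contest.example (last review 200 days ago), and BOB, who has no birth year on file, is asked for it before the shop's age-gate can be evaluated.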

Please refer to Role-based access, Attribute-based access, Scalable B2B access and On the use of passwords for some use cases.

Your benefits

Central governance

The PolicyChecker lets you centralise the governance of the access policy. The logic that evaluates the rules becomes consistent and harmonised across all your digital properties: whether a person requests access through a browser or a mobile app, the PolicyChecker produces its access decision the same way, and whether they request access to a regular website or to a third-party platform, such as a gamification engine or a video streaming service, the PolicyChecker you configure stays in control. The decision process is thereby harmonised across all end-user devices and all your content delivery servers. Yet rules can still be assigned property by property where appropriate: which rules apply at a given website, mobile app or other content server, and with which parameters.

Cost efficiency

The PolicyChecker greatly simplifies the access control coding that front-end developers have to do. It reduces their effort to a single check, 'do I have an "OK" token or not', which can simply be replicated on every web server and in every mobile app. This is possible because the PolicyChecker holds the logic to securely obtain the user profile, to securely evaluate the access rules and to keep track of which access rules apply to a particular website or app.
The PolicyChecker not only saves programming effort: combined with the miaa ProfileValidator it can also greatly reduce the user administration effort of the back office; see Role-based access.

Security

The PolicyChecker performs its logic securely: the end user cannot tamper with it, and neither can a third-party platform provider or agency. Moreover, the PolicyChecker obtains the user profile securely from the identity platform and does not rely on data stored in the browser, in the mobile app or on the web server, so editing a cookie, local storage or an app's cache does not change the decision. The one thing each consuming web server or app must still do is verify that the 'OK' token it receives is genuine, unexpired and issued for that property, rather than trusting its mere presence.
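The page does not specify how the 'OK' token mentioned under Cost efficiency is encoded, or how the tamper resistance claimed here is achieved. The following is an added example, not miaa code, of one way the single front-end check can be made safe: the decision is signed with a key the client never holds, bound to the property it was issued for, and given a short lifetime. The HMAC-SHA256 construction, the payload field names, the 300-second lifetime and the demo key are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In practice the issuer and each property share it out of
# band (or an asymmetric key pair is used); it is never sent to the browser or app.
SECRET_KEY = b"demo-policychecker-key-do-not-use-in-production"
TOKEN_TTL_SECONDS = 300   # assumed lifetime; decisions should be re-evaluated often


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(property_id: str, subject: str, outcome: str, now: Optional[int] = None) -> str:
    """Mint a decision token once the policy has been evaluated server-side."""
    now = int(time.time()) if now is None else now
    payload = {
        "prop": property_id,   # the property this decision is valid for
        "sub": subject,
        "dec": outcome,        # "allow", "deny" or "profile"
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{b64url_encode(body)}.{b64url_encode(sig)}"


def verify_token(token: str, expected_property: str, now: Optional[int] = None) -> bool:
    """The only check a web server or app performs: a genuine, fresh 'OK' for me?"""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = b64url_decode(body_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False
    expected_sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False                                   # forged or edited token
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return (
        payload.get("prop") == expected_property       # not replayed at another property
        and payload.get("dec") == "allow"              # "deny" and "profile" are not an OK
        and isinstance(payload.get("exp"), int)
        and payload["exp"] > now                       # still fresh
    )


def tamper_outcome(token: str, new_outcome: str) -> str:
    """What a user who edits the token in browser storage could try: change the
    decision but keep the original signature. verify_token must reject the result."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(body_b64))
    payload["dec"] = new_outcome
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return f"{b64url_encode(body)}.{sig_b64}"
```

The property binding is the part most often forgotten: without it, an "allow" minted for a public website could be presented to the billing portal. Binding the token to the property and keeping its lifetime short means a token stored on a device remains useless for any other property and goes stale quickly.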

Versatility

The PolicyChecker takes into account any attribute in the user profile, including timestamps. Additionally, it can take certain context into account, such as type of device, the property being accessed and the date & time. As such, all the rules illustrated above can be implemented out-of-the-box, using our Build services.

Managed lifecycle

The miaa PolicyChecker is designed, set-up and operated using our Taking care managed lifecycle.

During the Build phase, our integration services will:

  • Coordinate with web developers, mobile developers, IT, Identity Management Platform vendor and any third party platform vendor in scope
  • Tailor the rules to be adopted by the PolicyChecker
  • Tailor the configuration settings and API endpoints