Projects‎ > ‎

Enforcer Representation


Design an Enforcer / Decider that supports fine grain access control.  This Enforcer / Decider should extend the capabilities of the existing SERVLET and ENGINE type Enforcers / Deciders.  This design will have the ability to leverage the Request/Response data (attributes/values), in addition to the Operation, Principal and Resource to determine if a given Request/Response will be allowed.

Related project: Authorization


  • Enforce fine-grain access policies using the data (payload) that is related to a given Request / Response.
  • Leverage existing Request information: Operation, Principal, Resource
  • Support both inbound and outbound enforcement
    • inbound: Requests from the Engine (Resource) to the Framework (Representation)
    • outbound: Responses from the Framework (Representation) to the Engine (Resource)
  • Offer the ability to block / mask / redact data (usually related to a Response)

Use Cases

Limit update to certain attributes in a Request

The current authorization implementation can be configured to allow the authenticated user (principal) to perform UPDATE operations on their own resource.  This fine-grain authorization project should allow for a policy that would deny/allow the update of specific attributes for the user's own resource.

Block sensitive attributes in a Response

The current authorization model can enforce the Read operation of a resources.  This is "all or nothing".  There is a need to limit what attributes can be read from a given resource, based on the principal (SYSTEM, USER, ANON).  Sensitive data, such as a user's forgotten password challenge answers, should only be readable by the resource's owner.  If a read is performed by the non-owner principal, the sensitive attributes (within the record) should be excluded or masked.


 Type Description Example
OperationThe operation code UPDATE 
PrincipalThe Subject / User that is performing the OperationUSER::bsmith
ResourceThe Resource that is being effect by the Operation.../subjects/bsmith
Data The payload / data related to the Operation{ "title" = "Jedi Master" } 


  1. Inbound 
    1. The Request has passed the SERVET and ENGINE authorization Enforcers
  2. Outbound
    1. Configurable behavior if the policy evaluated to DENY (READ / SEARCH):
      1. Generate / return an error with no output
      2. Remove a related entire attribute from the data
      3. Alter the attributes value in the data