Entitlements, Roles and Groups in Identity Access Management

An article, posted about one month ago filed in roles, groups, technology & it.

Sometimes I get confused by terminology. And many of the marketing pages that reply to such queries don't really help. So I here is my simple breakdown of these terms in relation to each other.

Entitlements

Entitlements are Granular Permissions. Entitlements represent specific rights or privileges and are the building blocks of roles and can be assigned individually or as part of a role.

Example: An entitlement might be "Access to Premium Reports". This entitlement can be part of multiple roles, such as "Admin" or "Premium User".

Note that not always entitlements are explicitly exposed, and are roles used in downstream applications to determine the exact entitlements associated with a role. Enterprise applications do attempt to separate these, but there is a lot of additional administration associated with this, especially when applications are extended rapidly.

Roles

Can be considered a collection of entitlements, a higher-level abstraction that groups m…

Continue reading...

Tag descriptor

CentralLogin

An article, posted almost 3 years ago filed in ruby, CentralLogin, gem, rubygem, murb, authorization, authentication, roles, groups, resources, open source, mit, openid & oauth.

A simple OAuth provider. See below for more information, or check out the source of CentralLogin on GitLab. To integrate it with your ruby-apps, use the omniauth-central_login gem.

Continue reading...

Introducing CentralLogin, an OpenID Connect Provider

An article, posted almost 3 years ago filed in ruby, CentralLogin, gem, rubygem, murb, authorization, authentication, roles, groups, resources, open source, mit & oauth.

This app builds on the foundations of the Doorkeeper, Doorkeeper::OpenidConnect and Devise to provide a central login system.

While Doorkeeper supports other OAuth flows, CentralLogin focusses on OpenID Connect as it is a more complete, and hence useful standard, for most use cases where you want to support authentication & authorization.

This project builds on years of juggling with different authentication providers and implementations. It may cut corners to be a pragmatic and less flexible solution which you can host on your own. You don't have to tie your users to a closed authentication system such as Auth0, Azure Directory, Cognito (the horror, really, stay away from it) or something else. In the past I've been a happy user of Keycloak, which is definitely way more advanced than this project, but it in the end it is a Java application and hence harder for me to maintain and not focussed on what I think are the core requirements :)

So, are you in the market for:

  • a…

Continue reading...

murb blog