PlainID Identity Security Posture Management Blog

How to Evaluate RFPs for Your Company’s Authorization Solution

Written by Daniel Brudner | Nov 27, 2018 1:26:38 PM

Filtering Out the Fluff

It’s no surprise that the increasing complexity of IT systems, networks, and applications makes it ever more difficult to select the right Externalized Authorization Management (EAM) provider.  Every EAM solution offers different features. When evaluating RFPs for Authorization Solutions, all you have to do is filter through them all and figure out which ones are critical, which ones are “nice-to-have”, and which ones are the least important for your business. With all the marketing hype and sales pitches that’s not an easy job, especially for the uninitiated. When you receive RFPs from your shortlist of vendors, you’ll need to separate the important features from the marketing fluff to give your organization the protection it needs. Here are our recommendations for the critical features to look for in an EAM solution.

Not Just a Pretty Face


An EAM system with a Policy Administration Point (PAP) that has a user interface (UI) only a programmer would love makes it difficult and frustrating to manage, create, and edit policies. Sure, you could spend your time learning how to do it the hard way, but most of us prefer not to waste our time. Also, when multiple stakeholders are involved, you’ll want the system to be easily understood by all. So select an EAM that has an easy-to-use graphical interface that provides an intuitive way to view and access decisions and policies.

Impact Analysis:  Define, Analyze, Deploy

Just like most decisions that organizations make, changes to authorization policies must be based on some sort of evidence that it will be beneficial to the company. Therefore, the solution that you choose must have a way for you to see a visual representation of the impact of policy changes before they are deployed. A graphical impact analysis dramatically reduces the risk of failure because you can ask a series of “what if” questions, such as: what if we change the policy to restrict access to a certain asset based on new environmental criteria? You can then see whether or not the proposed policy change will provide the desired effect or and then either deploy it or tweak the changes until you are satisfied, and only then deploy the new policy.

Policy Decision Point: Runtime, Not Downtime

The Policy Decision Point (PDP) is the component of an EAM system that authorizes or denies user access requests (based on both attributes and policies). This critical juncture of the authorization process must support runtime authorization. An inability to process requests on-the-fly and in real-time at the PDP stage will bring the entire system to a halt. When selecting an EAM system, it is absolutely vital that it can demonstrate the ability to evaluate simple or complex attributes, such as assets, identity, environment (e.g. when should someone be allowed to access an asset - when they are working from home, only when they are physically at the data center, or maybe when the server moves from QA to production, etc.) and policies. It must be based on information provided by the requestor (such as their username and password) and environmental indicators (location, time of day, etc.), and then execute policies and make access decisions in real-time.

Bringing the Data Sources Home

When the EAM system needs to gather policy data from across your network, it is at the Policy Information Point (PIP). According to the National Institute for Standards and Technology, PIP “serves as the retrieval source of attributes, or the data required for policy evaluation to provide the information needed by the PDP to make the decisions.”

The EAM must be able to access data attributes from multiple data sources, such as Microsoft Active Directory (AD), LDAP, SQL, REST, OpenID Connect (OID), and JSON Web Token (JWT). If limited to only one data source, the EAM will be ineffective.

Furthermore, the system needs to support flexible data models so that your templates can be used in the policy to make authorization decisions. For example, you should be able to build decisions into the system to access documents, projects, and workflows, or other abstract assets. You will also want the system to support field-level assets: limit access not just to the project, but also to specific fields within the project. Keep in mind that there are various authorization protocols, all of which are in widespread use which the system needs to support, such as OAuth, XACML, JWT, Access Token, data filtering tokens, and adapted APIs.

Comply With Confidence

An important aspect of authorization management is making sure that your policies comply with regulations and audit requirements. The EAM system you choose should provide you with the identities and resources connected to each policy. Failure to have this information on-hand could result in fines and loss of trust, which is why you should ensure that whichever EAM system you choose presents you with this information whenever you need it and in a way that is simple to understand.

Related to compliance is another requirement that you should consider as a key component of your EAM system: audits and logging. Select a system that provides you with a solid auditing module with logs that are available for you to view and download as necessary.

Additional Features

It might seem obvious, but the following features can sometimes be forgotten when vendors list  bells and whistles you might not need:

  • The ability to interact with the product programmatically, if necessary
  • A scalable and flexible architecture - options for both on-premises and cloud installations
  • Scalable capacity that supports many simultaneous requests and that can grow with your organization

So, What Are You Looking For?

Make sure that the EAM you select has all of these features: a graphical UI, impact analysis features, runtime authorization, can support all data sources, provides compliance tools, is flexible, scalable, and can be interacted with programmatically. Now that you know what you are looking for, you can select your EAM vendor and product with confidence.