
The Convergence of Personalization and Authorization

A founder of a former company said something to me as we closed the doors, “I wish I built a tiered subscription model at the start.” He went on to describe how many companies give up too much capability with their initial release, then when it becomes popular, they can’t grow or easily provide limited capability to potential prospects who only need a portion of what the company offers.

There is a niche of providers that offer personalization engines for e-commerce sites to help craft a shopping experience based on traits of the customer, such as geo-location, browsing history, and previous transaction history. E-commerce companies recognized long ago that it is not a one-size-fits-all world and that if the site knows you, you will engage more with the site.

If you compare personalization with authorization, you’ll find that it’s not that much different from a rules standpoint. Let’s take an example tiered subscription plan and model it. Our example will be a financial advisory service with online content. Let’s say the application owner wants to have four levels: Platinum, Gold, Silver and Bronze. Today, each subscription level gets access to different capabilities in the site:

Modeling these rules is simple in Axiomatics:

Drilling into one of these rules:

Now let’s look at the rules that govern who gets what subscription for our example:

Now this is getting more interesting! The business now has the ability to drive access to premium or general content based on a user’s social influence and willingness to spread awareness, willingness to contribute to the content repository, or active subscription.

Axiomatics provides a rich expression language for defining these rules, featuring “search as you type” for functions and attributes.

Axiomatics’ policy editor provides Eclipse-like real-time compiling of policies for determining if they are well formed:

In cases where attributes are stored in external repositories or cloud providers, attribute connectors can be defined to pull those values at runtime. Using our example, let’s say the status of the subscription for the user is stored in Salesforce CRM. Using a REST attribute connector, Axiomatics can first query for an OAuth token, then pull from the SCIM service to query subject attributes about the customer to determine whether the subscription is Enterprise, Basic or Trial.

From the application developer’s standpoint, the work becomes an exercise in externalizing the decision to render content, rather than coding personalization into the application! Here is an example of the JSON object that represents the personalization request for Matt to view a premium article:

{
    "Request": {
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.user.identity",
                    "Value": "matt.carter@axiomatics.com"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.object.objectType",
                    "Value": "article"
                },
                {
                    "AttributeId": "com.acme.object.objectType",
                    "Value": "premium"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.action.actionId",
                    "Value": "view"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
}

The service returns an object that the developer can key off to enforce the personalization rules:

{
    "Response": {
        "Decision": "Deny",
        "Status": {
            "StatusCode": {
                "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
            }
        }
    }
}
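To make the externalized-decision pattern concrete, here is an added Python example (not code from this post or from Axiomatics) that builds a request in the same JSON shape as above, evaluates it against constructed tier rules in a stand-in decision function, and shows the enforcement side keying off the returned decision. The tier mapping, the `subscriptions` lookup and all function names are assumptions for illustration.

```python
import json

# Constructed example tiers: which subscription levels unlock premium content.
# This mapping is an assumption for the example, not the rules from the post.
PREMIUM_TIERS = {"Platinum", "Gold"}
OK_STATUS = "urn:oasis:names:tc:xacml:1.0:status:ok"


def build_request(user_id, object_type, content_class, action):
    """Build a request in the same shape as the post's JSON example.
    Both resource values travel under com.acme.object.objectType, as a bag."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "com.acme.user.identity", "Value": user_id}]},
        "Resource": {"Attribute": [
            {"AttributeId": "com.acme.object.objectType", "Value": object_type},
            {"AttributeId": "com.acme.object.objectType", "Value": content_class}]},
        "Action": {"Attribute": [
            {"AttributeId": "com.acme.action.actionId", "Value": action}]},
        "Environment": {"Attribute": []}}}


def values(category, attribute_id):
    """Collect the bag of values for one attribute id within a category."""
    return {a["Value"] for a in category["Attribute"] if a["AttributeId"] == attribute_id}


def evaluate(request, subscriptions):
    """Stand-in decision point (not the Axiomatics PDP) applying constructed tier rules.
    `subscriptions` maps user id -> level, the data a CRM attribute connector would supply."""
    req = request["Request"]
    users = values(req["AccessSubject"], "com.acme.user.identity")
    resource = values(req["Resource"], "com.acme.object.objectType")
    actions = values(req["Action"], "com.acme.action.actionId")
    decision = "Deny"                      # default-deny: nothing matched below
    if actions == {"view"} and "article" in resource and len(users) == 1:
        level = subscriptions.get(next(iter(users)))   # None = no active subscription
        if "premium" in resource:
            if level in PREMIUM_TIERS:
                decision = "Permit"
        elif level is not None:            # any active subscriber may view general articles
            decision = "Permit"
    return {"Response": {"Decision": decision,
                         "Status": {"StatusCode": {"Value": OK_STATUS}}}}


def may_render(response):
    """Enforcement side: render only on an explicit Permit.
    Deny, NotApplicable, Indeterminate or a malformed response all fail closed."""
    return response.get("Response", {}).get("Decision") == "Permit"
```

Because the application only renders on an explicit Permit, a connector outage or a policy that does not match the request leaves the premium content hidden rather than exposed.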

All of the governance and lifecycle of these personalization rules would need to be held to the same rigor as security policies, because this is the business. The policy lifecycle, including design, model, test, deploy, and certify, is facilitated by Axiomatics products.

The lines between business and security rules are blurring. The same principles of granular enforcement, auditing, and dynamic orchestration apply to both, so why shouldn’t the products converge? Axiomatics offers the best solution for externalized authorization in the industry and could be leveraged in lieu of buying a separate personalization product. Give the business the opportunity to grow through tiered subscription and don’t give away everything all at once to your valued subscribers.

If you’re mulling your options with regards to building tiered subscriptions and personalization, contact webinfo@axiomatics.com and we can provide expert services to model your subscription and provide a try-before-you-buy service where you can test your scenarios.
