« When Second Best is Better | Main | Why Moats Matter »


TrackBack URL for this entry:

Listed below are links to weblogs that reference Reverse Queries for Authorizing Access:



I see why this is good from a performance point of view. But it seems like you lose a lot of auditing that you'd otherwise get at the PDP because it would see every request. (Additionally, you have the same format of the audit trail across diverse applications.) Any suggestions on how to reclaim that auditing?

Gerry Gebel

@Blindsuccess The ARQ module is similar to the PDP in that audit logs are also kept. In this manner, you can track all requests to the database, know what policies were evaluated, the attributes used in policy evaluation and the results - the output of the ARQ service.


Right, but in the traditional PDP model, you get something like this:

Can Alice read Doc1?
-> Yes.
Can Alice read Doc2?
-> Yes.
Can Alice read Doc3?
-> No.

So, you'd know that Alice tried to read all those documents, irregardless of what application she was using.

With the ARQ (if I understand it correctly), you'd get this:

What can Alice read/write?
-> Read: Doc1, Doc2; Write: None

So, you lose the trail of the individual things that Alice attempted to do. All you know is that Alice tried to do *something*.

If your application has good audit logs, you can use that source. However, the quality and verbosity of audit logs of applications is often suspect, and you lose a lot of fidelity comparing logs from different applications. This was one benefit of a PDP: a sole, standard format for the audit data across many applications.

Gerry Gebel

@Blindsuccess: In the regular PDP model, you know what the resource is, so you get the kind of audit log described in your last comment. However with ARQ, you don't know all the resources that a particular policy will be applied to - and this is the challenge when you have millions or even billions of records in a system.

But you still get a clear audit trail for the access that was attempted. Instead of:

Q: Can Alice read record 1?
A: Yes -or- No

You get:
Q: What records can Alice read?
A: Any record in the same region as Alice and has a classification =< Alice's clearance

Hope that helps

The comments to this entry are closed.