What is TAM?
What is TAM?
Trimble Access Management (TAM) is an appliance ecosystem that promotes decentralized authorization decisions. It allows organizations to decouple policy decision-making from application logic, making it easier to manage and enforce policies consistently across distributed systems.
TAM adopts the principles of Open Policy Agent (OPA), enabling declarative policy, architectural flexibility and providing tools for policy authoring. It uses Rego, a declarative policy language, to define and evaluate policies. TAM integrates with cloud-native environments such as Kubernetes, microservices, API gateways, databases, and more.
TAM Overview and Demo Recording: TAM - Overview
Why Trimble Access Management(TAM)?
TAM provides a centralized and declarative way to enforce policies across diverse systems, ensuring security, compliance, and scalability.
Here’s why TAM is a game-changer for policy enforcement:
1. Decouples Policy from Application Logic
Without TAM: Authorization rules are hardcoded inside applications, making changes time-consuming and risky.
With TAM: Policies are externalized, meaning applications query TAM for decisions. This simplifies maintenance and enables dynamic policy updates without redeploying code.
Example:
- Instead of defining access logic inside a microservice, TAM evaluates access requests dynamically using policies written in Rego. This approach enables more flexible and independent authorization updates without affecting the core functionality of the microservice.
2. Unified Policy Enforcement Across Cloud-Native Environments
TAM enables consistent policy enforcement across:
- Kubernetes (Admission control, Network policies)
- API Gateways (AuthZ policies)
- Microservices (RBAC/ABAC)
- Infrastructure (Terraform, AWS, GCP security policies)
- CI/CD pipelines (Code security checks)
Example:
- TAM ensures that only signed container images from a trusted registry are deployed in Kubernetes.
###3. Fine-Grained Access Control (RBAC & ABAC) TAM supports:
- Role-Based Access Control (RBAC) – Access based on user roles.
- Attribute-Based Access Control (ABAC) – Access based on attributes like department, time, location, etc.
Example:
- Only engineers in the US region can access production databases between 9 AM - 6 PM.
4. High Performance & Scalability
TAM is high-performance and scalable due to in-memory policy evaluation, caching, optimized execution, and distributed deployment, ensuring fast and efficient decision-making.
Examples:
-
In a Kubernetes cluster, TAM can quickly decide whether a user can deploy a pod without querying a database, reducing latency and improving efficiency.
-
In a microservices setup, an API gateway queries TAM for access control decisions, and since TAM evaluates policies in-memory with caching, it responds in milliseconds without external database calls.
5. Built-in Audit & Compliance
Provides visibility into policy decisions, helping organizations meet compliance requirements and track access logs.
TAM logs every policy decision, helping teams track:
- Who accessed what?
- Why was a request allowed/denied?
- Does our system comply with compliance requirements?
6. Easy Integration with Existing Tech Stack
TAM integrates with:
- Cloud Platforms (AWS, GCP, Azure)
- Kubernetes (Gatekeeper, ValidatingAdmissionWebhook)
- API Gateways (Kong, Envoy, Nginx)
- Service Meshes (Istio)
- CI/CD Pipelines (GitHub Actions, Jenkins)
Example:
- A CI/CD pipeline checks Terraform infrastructure changes against TAM policies before deployment.
7. IAM
Enhanced Access Control with Rego Built-in Methods for IAM Role Retrieval
With the introduction of a Rego built-in method in the TAM appliance, businesses can now seamlessly retrieve user roles directly from the Identity and Access Management (IAM) system. This built-in functionality simplifies policy enforcement, enhances security, and reduces the need for custom role-fetching implementations. This feature enables organizations to:
- Dynamically enforce policies based on real-time IAM role data.
- Eliminate dependency on external API calls for role fetching, reducing response times.
- Improve security by ensuring access decisions are based on the latest role assignments.
Refer to the below TAM documentation for more details.
Standardized and Reusable IAM Authorization Policy for Efficient Access Control
A common and reusable policy has been developed for IAM authorization using Rego built-ins to retrieve permissions
from IAM for evaluation. This enhancement streamlines authorization decision-making and simplifies IAM integration
for various use cases.
Policy reference
Business Use Cases of TAM
1. Access Control in Cloud-Native Applications
Scenario: A Product wants to enforce strict access controls on sensitive data in its microservices architecture.
Solution: TAM can enforce fine-grained access control (ABAC/RBAC) based on user roles, request context, and security policies.
2. Kubernetes Admission Control
Scenario: A DevOps team wants to restrict Kubernetes deployments to only signed container images from a trusted registry.
Solution: TAM can integrate with Kubernetes Admission Controllers to validate and enforce security policies before deployment.
3. API Authorization and Security
Scenario: An e-commerce platform wants to ensure only authorized users can access certain APIs based on their subscription plans.
Solution: TAM works with API gateways (e.g., Kong, Envoy) to enforce API authorization policies dynamically.
4. Compliance and Governance
Scenario: A PX organization needs to comply with employment laws and workplace regulations and ensure that only authorized personnel can access employee records.
Solution: TAM helps enforce governance policies, ensuring compliance by restricting access based on policy rules.
5. Infrastructure Security and Configuration Management
Scenario: A cloud operations team wants to ensure that all deployed cloud resources comply with organizational security policies.
Solution: TAM integrates with Terraform, AWS, GCP, and Azure to enforce security best practices on infrastructure configurations.
6. Secure CI/CD Pipelines
Scenario: The organization wants to prevent insecure code from being deployed into production.
Solution: TAM can be integrated with CI/CD pipelines to automate policy enforcement, ensuring only compliant code is deployed.
Summary
| Feature | Without TAM | With TAM |
|---|---|---|
| Policy Management | Hardcoded in apps | Externalized, centralized |
| Scalability | Difficult to enforce across service | Unified enforcement |
| Access Control | Limited (RBAC) | Advanced (RBAC + ABAC) |
| Performance | Slower, app-dependent | Optimized, high-speed |
| Compliance | Manual tracking | Built-in logging & audits |
| Integration | Custom coding needed | Plug-and-play with cloud-native tools |