Skip to content

Solutions


title: “TAM Solution” description: “Solution of Trimble Access Management” lead: "" date: 2020-10-06T08:48:57+00:00 lastmod: 2020-10-06T08:48:57+00:00 draft: false images: [] menu: docs: parent: “overview” weight: 105 toc: true

Technologies have been identified and chosen for Trimble Access Management. Internally, these components may change over time, but Trimble Access Mangement itself should allow for those technology changes to happen with minimal impact on other business systems.

Type

Attribute Based Access Control (ABAC) provides us the greatest flexibility when it comes to making policy decisions. This allows us to implement other access control types as needed in order to simplify user experience.

Engine

Open Policy Agent (OPA) has been chosen as the internal engine for Trimble Access Management (TAM). It is the leading engine when it comes to ABAC implementation, has well defined examples, and industry usage examples. The TAM system has been designed to allow flexibility for future engines and adapt to changes over time in the industry.

Declarative Policy Langauge

In order to define rules and policies, a declarative language must be used to perform evaluation. Other authorization engines use Google’s Common Expression Langauge or Cedar, though the OPA Engine uses a language called Rego.

If we take a look at Example #1, we can turn the pseudocode provided into a real example. Imagine we have our Salary API with a URL path of /finance/salary/<<username>>. See the following Rego code below:

package salary.example
default allow := false
# Allow users to get their own salaries.
allow {
input.method == "GET"
input.path == ["finance", "salary", input.user]
}

Rego

There are great tools that can be used to help develop policies with Rego: