Solutions
title: “TAM Solution” description: “Solution of Trimble Access Management” lead: "" date: 2020-10-06T08:48:57+00:00 lastmod: 2020-10-06T08:48:57+00:00 draft: false images: [] menu: docs: parent: “overview” weight: 105 toc: true
Technologies have been identified and chosen for Trimble Access Management. Internally, these components may change over time, but Trimble Access Mangement itself should allow for those technology changes to happen with minimal impact on other business systems.
Type
Attribute Based Access Control (ABAC) provides us the greatest flexibility when it comes to making policy decisions. This allows us to implement other access control types as needed in order to simplify user experience.
Engine
Open Policy Agent (OPA) has been chosen as the internal engine for Trimble Access Management (TAM). It is the leading engine when it comes to ABAC implementation, has well defined examples, and industry usage examples. The TAM system has been designed to allow flexibility for future engines and adapt to changes over time in the industry.
Declarative Policy Langauge
In order to define rules and policies, a declarative language must be used to perform evaluation. Other authorization engines use Google’s Common Expression Langauge or Cedar, though the OPA Engine uses a language called Rego.
If we take a look at Example #1, we can turn the pseudocode provided into a real example. Imagine we have our Salary API with a URL path of /finance/salary/<<username>>. See the following Rego code below:
package salary.example
default allow := false
# Allow users to get their own salaries.allow { input.method == "GET" input.path == ["finance", "salary", input.user]}Rego
There are great tools that can be used to help develop policies with Rego:
-
Trimble Access Management Playground is an internal trimble tool that allows for policy testing in browser (and supports pulling data from Trimble remote data sources).
-
Rego Playground is a great tool that allows for policy testing in the browser (though does not support pulling data from Trimble remote data sources).
-
Open Policy Agent Visual Studio Code Extension is a great way to help test and debug policy.
-
Policy Testing Guide can be used to verify the validity of a policy.