Access management
Can the user access the service after establishing their identity? Nope, they can’t. After authentication, an access control decision must be made. Whether or not the user can access a particular service is decided based on the information available about the user. This is where identity attributes come into play. If the authentication technique is adequate for supplying the required set of attributes to the access control decision point, the system assesses those attributes to make a yes/no decision.
The decision point is formalized by an authorization policy. In the IAM domain, the authorization policy can be applied centrally, locally, or in both places. The identity provider’s duty is to aggregate the available identity attributes and make high-level access decisions from the online service side. Making an authorization policy framework that is service-level functional is a bad idea since it adds complexity...
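The two-level decision described above can be sketched as follows. This is an added example, not code from the original page: the service name, actions, attribute names and policy rules are all constructed assumptions. The central check stands in for the identity provider's high-level decision, the local check for the service's own policy, and both deny by default when authentication did not supply a required attribute.

```python
from dataclasses import dataclass

# Constructed sample policies; every name and rule here is an assumption.
CENTRAL_POLICY = {  # identity provider: may this user reach the service at all?
    "payroll": {
        "required": {"employee_status", "mfa"},
        "allow_if": lambda a: a["employee_status"] == "active" and a["mfa"] is True,
    },
}
LOCAL_POLICY = {  # service side: per-action rules evaluated locally
    ("payroll", "view_own_payslip"): lambda a: True,
    ("payroll", "edit_salary"): lambda a: a.get("department") == "hr",
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def idp_decide(service, attrs):
    """Central decision point: deny unless a policy exists, authentication
    supplied every required attribute, and the rule evaluates to true."""
    policy = CENTRAL_POLICY.get(service)
    if policy is None:
        return Decision(False, "no central policy for service")
    missing = policy["required"] - set(attrs)
    if missing:
        return Decision(False, "missing attributes: " + ", ".join(sorted(missing)))
    if not policy["allow_if"](attrs):
        return Decision(False, "central policy denied")
    return Decision(True, "central policy allowed")

def service_decide(service, action, attrs):
    """Local decision point: consulted only after the central check passes."""
    central = idp_decide(service, attrs)
    if not central.allowed:
        return central
    rule = LOCAL_POLICY.get((service, action))
    if rule is None or not rule(attrs):
        return Decision(False, "local policy denied")
    return Decision(True, "allowed")

if __name__ == "__main__":
    alice = {"employee_status": "active", "mfa": True, "department": "hr"}
    bob = {"employee_status": "active"}  # authentication did not supply "mfa"
    for who, attrs in (("alice", alice), ("bob", bob)):
        print(who, service_decide("payroll", "edit_salary", attrs))
```
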