Skip to main content

Comparison

Conceptually, Akkess is similar to Active Directory for access control and its supporting services enable rapid development of complex application logic and common workflows.

Our position

Our main focus is the authorization layer and to support adjacent functions and services. This is an area where companies often develop their own frameworks or try to model their domain in a third party identity provider. For simpler scenarios and initial development this often works well, but as the system grows and the business requirements become more complex, the need for a more flexible and scalable solution arise.

We've seen many cases where companies have entire development teams working on their own access control system and the idea of Akkess began to take shape to reduce that burden.

What is Akkess?

  • Toolbox for implementing fine-grained access control to an Internet facing system
  • A REST based self-hosted service
  • Manager of available permissions
  • Manager of available roles
  • Manager of user's access rights
  • Audit source of changes made to users and their access
  • Token issuer
  • Multi-tenancy enabler
  • Supporting implementation of GDPR
  • User identity anonymizer
  • A storage of user data (Actor)
  • A storage of resource data and bindings (Node)

What is Akkess NOT?

  • Is not a framework that is put between business logic and database and filters data based on ACLs

    • Akkess is typically hooked in earlier in the call-stack, closer to the endpoint. The endpoint can use information from caller's token to evaluate caller's access and thereafter construct a command to the database that only affects / returns allowed data.

  • Is not a framework that you integrate into your own business logic code via SDKs

    • REST and JWT are the integration points to Akkess. This makes the integration with Akkess less intrusive with clear separation form your own code.

  • Is not an ACL evaluation engine for custom permissions

    • We think that permissions are best evaluated inside the service itself which owns the permissions. Akkess supports with all information needed to make it possible for the service to make its own decision if an action is allowed or not. Not having a central part who evaluates all permissions checks will also decrease risk for single point of failure.

  • Is not an identity provider for end users

    • Akkess works together with end user facing IdPs. A typical flow is that user logs in to the IdP (Google, Facebook, custom) then is the IdP-token used for issue an IAM token which contains the user's access level and is used for accessing services.

  • Is not an user-enrollment tool for end users

    • User enrolment is a quite complex task and is not part of Akkess core. It is typically something that is owned by the system that uses Akkess. There ar great services on the market like Okta, AWS Cognito and PingIdentity

  • Is not a data store for big-data, like time-series data

    • Akkess APIs are not optimized for large scale aggregation, time series queries etc. However the Akkess data structures and its tokens can be utilized in your backend service to enable fine-grained access control.
Copyright © 2019 Akkess