Entitlement security
One of the main issues with distributed application portal security is that preventing or limiting access to functionality alone may not be the best approach. The complementary alternative is to also control and protect data: content, application resources, and virtual profiles. Once a user is authenticated, if data is entitlement-protected and the granularity is adequate, users can be given more functionality while security still increases.

Application logic independence
Next, security checking should be designed so that it can be off-loaded to a dedicated process, freeing the business logic from any dependency on the security configuration. The security configuration should be available at run time, with unlimited granularity.

Data access control
Controlling data access, as an alternative to controlling function access, is an issue in itself in a heterogeneous distributed environment. It is a more sophisticated task than simply preventing access to functions, but it also offers advantages that cannot be achieved efficiently any other way. Data access control is not a new issue: it was traditionally handled by the database management system in autonomous and client-server environments. Today, however, data is usually not limited to a single well-structured database. It resides in multiple, varied, and distributed sources, some structured, some less so. Some data is also available from multiple sources with varying priorities.

Better Structure
Once data and application resources are properly protected, portals and applications can offer users access to extended functionality, yet each user is only provided the data that he is entitled to. Additionally, with managed application resource security, security checking can be assigned to dedicated processes, typically on dedicated servers or advanced appliances. This frees application servers from the associated load and removes dependencies between the application business logic and the security configuration(s), so that, for example, adding or changing defined profiles (types or levels of users) does not imply modifying the applications that use the corresponding security configuration.
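The separation described above, sketched as an added example that is not DNAOS code: a stand-in entitlement service holds profile rules as run-time data and filters records, while the business function never mentions a profile. The names `EntitlementService`, `list_accounts`, the rule format and the sample accounts are all assumptions constructed for illustration.

```python
import threading

# Constructed sample data and profile rules (not from the page or from DNAOS).
ACCOUNTS = [
    {"id": "A1", "region": "east", "classification": "internal"},
    {"id": "A2", "region": "west", "classification": "internal"},
    {"id": "A3", "region": "east", "classification": "restricted"},
]
RULES = {"teller": [("region", "eq", "$user.region"),
                    ("classification", "in", ["public", "internal"])]}

def _match(cond, user, resource):
    """Evaluate one (field, operator, value) condition; anything unknown denies."""
    field, op, value = cond
    if isinstance(value, str) and value.startswith("$user."):
        value = user.get(value[len("$user."):])  # compare against a user attribute
    actual = resource.get(field)
    if actual is None or value is None:
        return False
    if op == "eq":
        return actual == value
    if op == "in":
        return actual in value
    return False

class EntitlementService:
    """Stand-in for the dedicated security process (hypothetical name)."""
    def __init__(self, rules):
        self._lock = threading.Lock()
        self._rules = dict(rules)

    def set_profile(self, profile, rule):
        """Add or change a profile at run time, without touching callers."""
        with self._lock:
            self._rules[profile] = list(rule)

    def is_entitled(self, user, resource):
        with self._lock:
            rule = self._rules.get(user.get("profile"))
        # Default deny: a profile with no configured rule sees no data.
        return rule is not None and all(_match(c, user, resource) for c in rule)

def list_accounts(user, accounts, entitlements):
    """Business logic: knows nothing about profiles, only asks per record."""
    return [a["id"] for a in accounts if entitlements.is_entitled(user, a)]
```

Calling `set_profile` with a new profile name changes what `list_accounts` returns for users of that profile, with no change to `list_accounts` itself.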

Unlimited granularity
With proper design, environment, setup, and configuration, security configuration of unlimited granularity can be achieved and modified at run time as required, even with advanced graphic tools, all while operating in full production mode.


More ...
More information on DNAOS entitlement services is also available in SOA Admin Client and Entitlement Services.