Product Q&As
ForgeRock Identity Platform
ForgeRock Identity Cloud

What types of authorization methods and access controls are offered by the ForgeRock solution?

Last updated Jan 24, 2023

The ForgeRock solution supports authorization policies from simple, coarse-grained rules to highly advanced, fine-grained entitlements. Organizations can ensure that just the right amount of access control is given to each consumer, workforce or thing in your organization.


ForgeRock supports coarse and fine-grained contextual, continuous and transactional authorization. Access control is configured and enforced through the use of several integrated components, including flexible and extensible authentication mechanisms, comprehensive authorization policies, resource agents, agentless access control (using Identity Gateway), and automated account provisioning.

All common forms of access control are supported, including: Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), Policy Based Access Control (PBAC), Risk-Adaptable Access Controls (RAdAC) and Relationship-Based Access Control (RelBAC).

ForgeRock access control components

Flexible and extensible authentication

The ForgeRock solution supports an array of common authentication mechanisms, including LDAP-based username/password, X.509, OATH-compliant OTP tokens, and many more. Authentication journeys can be built to ensure secure access controls are in place, and authentication nodes within the journey can be extended with additional functionality as required.

For further information, see:

Authorization policies

ForgeRock authorization policies determine whether to grant a subject access to a resource. Resources may be web resources, or custom-defined resources representing any arbitrary asset or object such as an API, application or door. Actions are used to represent the operations that apply to the resource, for example, GET, PUT, POST, execute, lock or unlock. Subject conditions represent the identities requesting access, and environment conditions represent the context of the requesting subject, for example, time of day, location, IP address, network, etc.

Scripting is also available to allow you to tailor the actions taken as part of policy evaluation.

For further information, see:

Resource agents

Resources are protected through the use of agents. Several agents are available for common resources, such as web servers and Java applications. These agents interface with ForgeRock Access Management (AM) to request authorization decisions, allowing or denying access to underlying resources as directed.

For further information, see:

Agentless access control

The ForgeRock solution includes an Identity Gateway, which is a reverse proxy that can be configured to protect any web application running on any other technology. Identity Gateway can also protect APIs that may need to be exposed to customers and partners. As it intercepts requests before they reach the protected application, the gateway integration is agentless with little or no changes required to the protected app.

For further information, see:

Automated account provisioning

The ForgeRock solution can implement automated provisioning of accounts and entitlements based on membership of roles. Roles define the privileges for user and device identities.

For further information, see:

Supported access control mechanisms

Access control components work together to enable the implementation of the following common access control mechanisms.

Role-Based Access Control (RBAC)

ForgeRock handles RBAC natively and supports several approaches according to requirements and the capabilities of the particular service. The ForgeRock solution can synchronize entitlements in connected systems based on business roles. This means that users granted a particular role might, for example, become a member of a specific Active Directory (AD) group. The applications relying on this group membership then enforce the policy the application is configured with.

More generally, access control using roles, attributes and contextual information about the current request can be implemented using the ForgeRock authorization engine.

The platform can also leverage roles in existing source systems (for example, an underlying LDAP directory) to provide RBAC.

Policy-Based Access Control (PBAC)

PBAC is achieved through the use of authorization policies, agents and authentication methods. The intuitive ForgeRock policy configuration UI can be used to define flexible authorization policies using a simple drag-and-drop mechanism to implement a wide variety of common PBAC use cases out of the box. Agents are installed to protect target resources that intercept end user access requests and defer to the ForgeRock authorization policy engine for an access decision.

Attribute-Based Access Control (ABAC)

ABAC is achieved through the use of authorization policies and agents and is effectively a subset of PBAC functionality. Authorization policies are configured centrally in such a way as to restrict access based on the attributes a user has. Agents will defer to ForgeRock Access Management (AM) for an access decision before permitting access to a resource.

Risk-Adaptable Access Controls (RAdAC)

RAdAC is achieved with Intelligent Access, delivered through ForgeRock journeys. The nodes within the journey can take account of contextual factors such as location, IP address, device type, network or any other contextual information that is included in the request. Based on the outcome, nodes can be configured for risk calculations, modifications to authentication level, alteration of session properties, and more. Administrators can use digital signals to design a smart login journey that minimizes friction and maximizes security for legitimate users while suspicious users could be denied access or redirected to a sandbox environment for further monitoring.

Relationship-Based Access Control (ReBAC)

ReBAC is achieved through ForgeRock's identity repository model, which most closely aligns with a graph model. The repository comprises managed objects which can maintain one or two-way relationships (pointers) to other managed objects, forming a graph. ForgeRock Access Management (AM) can then be used to apply policy decisions derived from these identity relationships.

See Also

Agents and policies in AM

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.