1
00:00:09,700 --> 00:00:13,000
You're listening to the Identity
at the Center podcast, this is

2
00:00:13,000 --> 00:00:15,600
the show that talks about 
identity and access management 

3
00:00:15,700 --> 00:00:18,600
and making sure you know who has
access to what let's get 

4
00:00:18,600 --> 00:00:25,500
started. 
Welcome to the Identity at the

5
00:00:25,500 --> 00:00:27,500
Center podcast. I'm Jeff.
And that's Jim. 

6
00:00:27,500 --> 00:00:31,100
Hey Jim hey Jeff, how are you? 
Oh not so bad yourself. 

7
00:00:31,400 --> 00:00:35,100
I'm doing good. 
I've been super busy lately but 

8
00:00:35,100 --> 00:00:38,500
I look forward to this time each
week where we get the just talk 

9
00:00:38,500 --> 00:00:40,800
about identity and access 
management. 

10
00:00:42,200 --> 00:00:45,200
But yeah lately I've been 
working on you know preparing 

11
00:00:45,200 --> 00:00:50,200
for a lot of upcoming events. 
I'm helping out Mike Engle over

12
00:00:50,200 --> 00:00:55,700
at 1Kosmos with webinar.
It's To be on what? 

13
00:00:56,800 --> 00:00:59,600
What happened to MFA? 
I don't they tried to fix 

14
00:00:59,600 --> 00:01:02,100
passwords. 
How do we fix MFA? 

15
00:01:02,100 --> 00:01:06,000
And so it's like kind of one of 
those topics that is getting a 

16
00:01:06,000 --> 00:01:08,700
lot of headlines lately, 
especially with some of the 

17
00:01:09,300 --> 00:01:11,100
things that have happened in the
news. 

18
00:01:12,300 --> 00:01:16,300
So anybody who's interested in 
attending that webinar, it's 

19
00:01:16,300 --> 00:01:23,800
going to be on September, the 
22nd at 1 p.m. eastern time USC.

20
00:01:24,200 --> 00:01:28,300
I'm I should say and you can 
just go to 1Kosmos.com to

21
00:01:28,300 --> 00:01:31,800
register for that event. 
And like I said, it'll be Mike 

22
00:01:31,800 --> 00:01:36,600
Engle, CEO of 1Kosmos, and
myself and on top of that, we've

23
00:01:36,600 --> 00:01:40,000
got the Authenticate conference
which is the FIDO Alliance

24
00:01:40,000 --> 00:01:44,800
conference coming up in October
and then the Okta Oktane

25
00:01:44,800 --> 00:01:47,600
conference which will be in 
November. 

26
00:01:47,600 --> 00:01:52,200
So, hopefully will be blessing 
through a bunch of additional 

27
00:01:52,200 --> 00:01:54,100
podcast episodes during those 
conversations. 

28
00:01:54,300 --> 00:01:57,500
Such as well, but I'm also 
hoping to be able to actually 

29
00:01:57,500 --> 00:02:00,400
sit in on some of the sessions 
because if you check out the 

30
00:02:00,400 --> 00:02:03,600
agendas of the conferences, it
looks like a lot of good 

31
00:02:03,600 --> 00:02:05,600
content. 
Yeah. 

32
00:02:05,600 --> 00:02:07,400
I have not holding my breath 
especially because we're going 

33
00:02:07,400 --> 00:02:12,200
to be at we will be Authenticate
2022, and we'll be doing

34
00:02:12,200 --> 00:02:15,300
podcasting and you're a total 
slave driver when it comes to 

35
00:02:15,600 --> 00:02:18,400
booking guests. 
So I end up sitting in a room 

36
00:02:18,400 --> 00:02:22,800
somewhere recording and editing 
while you're out gallivanting 

37
00:02:22,800 --> 00:02:26,300
with the Identerati, but I am
hopeful that I will have some 

38
00:02:26,300 --> 00:02:32,000
free time from my podcast 
Overlord here, to get to, you 

39
00:02:32,000 --> 00:02:34,700
know, take in some of the 
sessions at least it. 

40
00:02:34,700 --> 00:02:36,100
Jeff. 
I think this would be a good 

41
00:02:36,100 --> 00:02:39,700
time to tell the story about 
Authenticate 2021 because again,

42
00:02:39,700 --> 00:02:42,500
I pretty much tried to do the 
same thing to you again. 

43
00:02:43,400 --> 00:02:48,000
Yeah, well I mean the story is 
is it's a story as old as time, 

44
00:02:48,000 --> 00:02:50,200
right? 
Jim volunteers to give a 

45
00:02:50,208 --> 00:02:52,800
presentation at a Pattaya at a 
conference. 

46
00:02:53,000 --> 00:02:54,100
I'm like, yeah, I don't want to 
do it. 

47
00:02:54,300 --> 00:02:57,600
I will go and support you and 
you know, help with the content 

48
00:02:57,600 --> 00:03:01,100
and kind of stuff like that. 
And go cheer you on flash 

49
00:03:01,100 --> 00:03:03,100
forward to the day that we're 
flying out. 

50
00:03:03,100 --> 00:03:06,500
Jim Jim calls me sick. 
He's like, yeah, like you 

51
00:03:06,500 --> 00:03:08,300
probably shouldn't go. 
This is the height of the height

52
00:03:08,300 --> 00:03:12,000
of the pandemic, right? 
If you're coughing, you probably

53
00:03:12,000 --> 00:03:14,100
have covid or at least, that's 
what ever is going to assume. 

54
00:03:14,100 --> 00:03:17,400
So I was like, all right, well, 
I guess I'm given given the 

55
00:03:17,400 --> 00:03:20,500
given the, the talk at the 
conference which I did and you 

56
00:03:20,500 --> 00:03:23,400
totally left me high and dry and
I will never let you live it 

57
00:03:23,400 --> 00:03:25,900
down. 
And you continue to volunteer 

58
00:03:25,900 --> 00:03:30,000
for for speaking engagements, 
and my fear is that I end up 

59
00:03:30,000 --> 00:03:34,400
having to do it by myself around
or something like that. 

60
00:03:34,700 --> 00:03:37,700
Yeah, well hey, I was just 
appointed to because I had 

61
00:03:37,700 --> 00:03:41,300
gotten upgraded to first class 
it was the day before and then I

62
00:03:41,300 --> 00:03:43,500
guess you're most concerned 
about was that was what was just

63
00:03:43,500 --> 00:03:45,200
worried about. 
Not the fact that you had to do 

64
00:03:45,200 --> 00:03:48,300
the presentation by yourself and
by the way I did submit a 

65
00:03:48,300 --> 00:03:51,200
question for you to answer. 
Yeah. 

66
00:03:51,300 --> 00:03:52,900
What is I? 
What is IAM?

67
00:03:53,100 --> 00:03:56,000
That's a running joke. 
We always have whatever company 

68
00:03:56,000 --> 00:03:58,800
we have to be working with. 
Yeah, so we got a bunch of 

69
00:03:58,808 --> 00:04:01,200
different things going on. 
We've got, you got the

70
00:04:01,200 --> 00:04:03,700
1Kosmos webinar you'll be doing.
I'll put a link in the show 

71
00:04:03,700 --> 00:04:06,500
notes so people can you know if 
you if you support the podcast 

72
00:04:06,500 --> 00:04:09,200
go support Jim I can't make it 
I'll be on a flight so I'll be 

73
00:04:09,200 --> 00:04:12,200
probably listening to it either 
on the flight or catching it 

74
00:04:12,200 --> 00:04:15,300
afterwards but you can register 
I'm sure they'll be a replay for

75
00:04:15,300 --> 00:04:20,500
that. We'll be at Authenticate
2022 in Seattle in October so 

76
00:04:20,500 --> 00:04:23,300
hopefully I will get to meet 
some folks there as well and 

77
00:04:23,300 --> 00:04:25,500
then we'll be at the Oktane
conference at least that's what 

78
00:04:25,500 --> 00:04:28,900
we're planning on in San 
Francisco in November 

79
00:04:29,400 --> 00:04:32,100
potentially doing some more 
podcasting and talking with 

80
00:04:32,400 --> 00:04:35,000
interesting folks in the 
identity world and sort of kind 

81
00:04:35,000 --> 00:04:38,700
of covering that event and ya 
doing that kind of thing. 

82
00:04:38,700 --> 00:04:42,500
So I think that's a great segue 
to lead into our guest, who is 

83
00:04:42,500 --> 00:04:44,300
from Okta.
We'll get to that. 

84
00:04:44,600 --> 00:04:47,800
His name is Andreas. 
I gr he's the product and 

85
00:04:47,800 --> 00:04:51,200
Engineering leader with Okta.
Welcome to the show Andreas. 

86
00:04:52,500 --> 00:04:54,900
Thank you, Jeff and Jim.
Very happy to be here with you 

87
00:04:54,900 --> 00:04:57,000
today. 
Hopefully, I didn't butcher your

88
00:04:57,000 --> 00:05:00,100
last name, too bad. 
I tried to try to try to get as 

89
00:05:00,100 --> 00:05:03,200
right as I can. 
But you're also joining us from 

90
00:05:03,200 --> 00:05:04,200
a country. 
We have not yet. 

91
00:05:04,200 --> 00:05:05,700
Spoken least. 
I haven't ordered way. 

92
00:05:06,100 --> 00:05:09,200
So thank you for joining us from
the the southern hemisphere as 

93
00:05:09,200 --> 00:05:11,600
well. 
One of the things that we like 

94
00:05:11,600 --> 00:05:13,100
to get into when we have a guest
on. 

95
00:05:13,100 --> 00:05:16,900
For the first time is to really 
kind of learn the origin story. 

96
00:05:16,900 --> 00:05:20,100
How do people get into identity 
kind of helped set the context 

97
00:05:20,100 --> 00:05:23,100
of kind of your perspective? 
And And how you approach things.

98
00:05:23,500 --> 00:05:27,000
So I think that maybe to kick 
off this conversation before we 

99
00:05:27,000 --> 00:05:29,900
get to our main topic, which is 
going to be around fine-grained

100
00:05:29,900 --> 00:05:33,800
authorization, or FGA.
Tell us a little bit about your 

101
00:05:33,800 --> 00:05:36,100
identity back story. 
How did you get into its into 

102
00:05:36,100 --> 00:05:38,600
this field? 
Is it something that you chose 

103
00:05:38,600 --> 00:05:40,100
or did the identity World? 
Choose? 

104
00:05:40,100 --> 00:05:41,400
You okay. 
Yeah. 

105
00:05:41,500 --> 00:05:45,500
So I mainly work in companies 
that build developer tools to 

106
00:05:45,500 --> 00:05:49,200
become a pro products in the 
past and so that's my main 

107
00:05:49,200 --> 00:05:51,400
background and they always work 
in. 

108
00:05:51,600 --> 00:05:55,000
Those kind of companies and the 
and five years ago, I had the 

109
00:05:55,000 --> 00:05:59,500
opportunity to join Auth0.
I knew both co-founders one 

110
00:05:59,500 --> 00:06:02,100
information Tina, which is very 
close to your work, both from 

111
00:06:02,100 --> 00:06:07,200
Argentina, but one of them was 
working with us and then I have 

112
00:06:07,200 --> 00:06:10,900
a chance and I'll see you had 
that interesting blend of being 

113
00:06:10,900 --> 00:06:13,900
a company that Target 
developers, but also working, 

114
00:06:13,900 --> 00:06:17,800
but identity. 
So I kind of got to identity by 

115
00:06:17,900 --> 00:06:21,500
the development tools are the 
relevant product. 

116
00:06:21,800 --> 00:06:26,400
World and and I quickly got into
the core of Auth0.

117
00:06:26,400 --> 00:06:30,300
So building the log in and MFA 
flows as a product manager. 

118
00:06:30,700 --> 00:06:33,200
So I had to get up to speed 
pretty quickly. 

119
00:06:33,300 --> 00:06:36,300
I've been working this domain 
for almost six years already. 

120
00:06:36,700 --> 00:06:41,000
So yeah, that's my journey to 
identity, and in the last few

121
00:06:41,000 --> 00:06:43,800
months, I moved to work on the 
authorization side. 

122
00:06:44,300 --> 00:06:49,400
And that is what campus brings 
us here today. And Andreas, I

123
00:06:49,400 --> 00:06:54,100
have to give a shout out to My 
pastor, who is your colleague 

124
00:06:54,100 --> 00:06:58,300
from Okta and by the way, for
anybody who's listening, he's

125
00:06:58,300 --> 00:07:01,800
a great follow on LinkedIn, and 
he'd be more than happy. 

126
00:07:01,800 --> 00:07:06,400
I think to connect with just 
about anybody, but he introduces

127
00:07:06,400 --> 00:07:10,300
to you and introduce this idea 
of something that you're working

128
00:07:10,300 --> 00:07:15,900
on, FGA, fine-grained access,
or fine-grained authorization,

129
00:07:16,300 --> 00:07:21,500
and authorization is such a big 
topic and identity and access 

130
00:07:21,500 --> 00:07:22,200
management. 
Judgment. 

131
00:07:22,200 --> 00:07:25,700
And it's something that people 
tend to get into as they are 

132
00:07:25,700 --> 00:07:28,900
further along in their Journey. 
So what I thought we could 

133
00:07:29,200 --> 00:07:33,500
basically start out with was 
kind of a 101, you know, talking

134
00:07:33,500 --> 00:07:37,300
about what is authorization. 
And then one is fine-grained

135
00:07:37,300 --> 00:07:42,600
authorization. Sounds good.
So it's basically going to use 

136
00:07:42,800 --> 00:07:44,400
authentication and 
authorization. 

137
00:07:44,400 --> 00:07:47,900
So let's start by talking about 
both authentication. 

138
00:07:47,900 --> 00:07:50,900
In general, is to tries to prove
that you are. 

139
00:07:52,000 --> 00:07:54,200
Specific person right in 
general. 

140
00:07:54,200 --> 00:07:57,200
They kind of, you kind of prove 
that you are specific person by 

141
00:07:57,200 --> 00:07:59,600
logging into a site. 
But basically, what you're 

142
00:07:59,600 --> 00:08:02,900
proving is that the convention 
that you still have access to 

143
00:08:02,900 --> 00:08:06,600
the same credentials that you 
use when you register for that 

144
00:08:06,600 --> 00:08:08,900
site, right? 
So if I had a phone number a 

145
00:08:08,900 --> 00:08:12,600
password email I still have it 
and I can still provide it as a 

146
00:08:12,608 --> 00:08:16,500
proof that I'm the sick person 
who logged in the encourages to 

147
00:08:16,500 --> 00:08:20,500
the site. 
So authentication authorization 

148
00:08:20,500 --> 00:08:24,300
of the other side is More. 
What are the things that you can

149
00:08:24,300 --> 00:08:27,200
do once you login to that site, 
right? 

150
00:08:27,200 --> 00:08:31,600
So the permissions the actions 
that I can perform can I perform

151
00:08:31,600 --> 00:08:34,299
this specific actionable 
specific page or resource or 

152
00:08:34,299 --> 00:08:36,500
document that is more about 
authorization. 

153
00:08:36,500 --> 00:08:38,200
The permissions you have your 
system. 

154
00:08:38,900 --> 00:08:43,600
The, for example, that now 
Twitter, you some people can 

155
00:08:43,600 --> 00:08:46,700
reply to specifically, right? 
So depending of how you treat, 

156
00:08:46,700 --> 00:08:49,700
you can say, all the people who 
are mentioned can reply to the 

157
00:08:49,700 --> 00:08:53,300
street when I login. 
To Twitter and we authorized or 

158
00:08:53,300 --> 00:08:56,900
not to reply to a tweet 
depending on those authorization

159
00:08:56,900 --> 00:09:03,700
policies that Twitter specify in
their application. With fine-grained

160
00:09:03,700 --> 00:09:06,900
authorization.
It's in general, when you or the

161
00:09:07,400 --> 00:09:11,100
initial ways, we implemented 
authorization in the industry. 

162
00:09:11,600 --> 00:09:17,000
were coarse-grained, mainly
role-based access control, when

163
00:09:17,000 --> 00:09:21,200
you basically decide that. 
Yeah, this is specific. 

164
00:09:21,600 --> 00:09:25,000
We can perform these actions and
the actions are very generic. 

165
00:09:25,000 --> 00:09:28,800
Like, for example, post a tweet 
or deleted, tweet, right? 

166
00:09:29,200 --> 00:09:33,500
And but it was not posses not 
possible with role-based access 

167
00:09:33,500 --> 00:09:37,500
to specify things like a only. 
The people who were mentioned in

168
00:09:37,500 --> 00:09:38,900
the Tweet. 
Can we fight between? 

169
00:09:39,500 --> 00:09:43,800
Because it's not enough to say 
the role you have to order to 

170
00:09:43,800 --> 00:09:46,400
decide if you can perform the 
action or not, right? 

171
00:09:46,600 --> 00:09:50,300
So depending on how granular are
the permissions that you need to

172
00:09:50,300 --> 00:09:52,800
specify in your system, you You 
might need to implement 

173
00:09:52,800 --> 00:09:55,300
fine-grained authorization model
or a coarse-grained

174
00:09:55,300 --> 00:09:58,200
authorization model like
role-based access control.

175
00:09:59,100 --> 00:10:01,500
Yeah, now that's a great 
introduction. 

176
00:10:02,700 --> 00:10:06,200
One of the things that I find is
that, you know, sometimes people

177
00:10:06,200 --> 00:10:10,800
get tripped up on, you know, how
to use a term. 

178
00:10:10,800 --> 00:10:15,600
So, the term roles gets used by
so differently by so many 

179
00:10:15,600 --> 00:10:17,800
different folks, and so many 
different contexts.

180
00:10:17,800 --> 00:10:22,000
Sometimes this product specific 
sometimes is You know, the 

181
00:10:22,000 --> 00:10:26,000
generic term of roles. 
So you know, using that one term

182
00:10:26,000 --> 00:10:27,600
differently. 
But then there are other 

183
00:10:27,600 --> 00:10:32,000
situations where you have two 
different terms but they get 

184
00:10:32,000 --> 00:10:36,800
confused or used in place of one
another. 

185
00:10:36,800 --> 00:10:42,100
And for me that's the term 
authorization and entitlements 

186
00:10:42,100 --> 00:10:44,900
and I'm wondering if you kind of
help us differentiate between 

187
00:10:44,900 --> 00:10:48,600
those two terms. 
Actually this interesting 

188
00:10:48,600 --> 00:10:52,100
because you mentioned this 
question in our previous 

189
00:10:52,100 --> 00:10:56,000
conversations and I say it's 
hard to explain, right? 

190
00:10:56,000 --> 00:10:59,300
So I was trying to try to think 
a little about how to explain it

191
00:10:59,500 --> 00:11:02,800
and the because at the end of 
the day it's they are very 

192
00:11:02,800 --> 00:11:06,500
related. 
So entitlements are the things 

193
00:11:06,500 --> 00:11:11,100
that the traits of the 
properties that the user has and

194
00:11:11,100 --> 00:11:14,800
based on that, you defined, if 
the user is authorized to the 

195
00:11:14,800 --> 00:11:17,700
perform an action or not, right?
For example, the fact that I 

196
00:11:17,700 --> 00:11:20,100
belong to a role is an 
entitlement. 

197
00:11:20,600 --> 00:11:23,900
The fact that From a user, can 
perform this actually they 

198
00:11:23,900 --> 00:11:26,700
belong to that role that is 
authorized and authorization 

199
00:11:26,700 --> 00:11:30,200
code, right? 
And in general, entitlements can

200
00:11:30,200 --> 00:11:32,100
come from two places. 
One of a kind of? 

201
00:11:32,100 --> 00:11:35,000
Yeah, the themes that you are 
allowed to roles is an 

202
00:11:35,000 --> 00:11:38,900
entitlement, but can only be can
also be like a, you are, you're 

203
00:11:38,900 --> 00:11:43,400
using a B2B SaaS product, you're
using like the basic tier, the 

204
00:11:43,400 --> 00:11:46,500
basic tier can only use some 
features, okay. 

205
00:11:47,100 --> 00:11:48,800
That's also an entitlement, 
right? 

206
00:11:48,900 --> 00:11:52,000
The features that I can use as a
users of the Product. 

207
00:11:52,300 --> 00:11:56,300
So, there's a lot of things that
can that feel like they fit the 

208
00:11:56,300 --> 00:11:59,700
profile of that user, that are 
properties of the use of that 

209
00:11:59,700 --> 00:12:02,600
can be, then used for making 
authorization decisions. 

210
00:12:03,300 --> 00:12:06,600
Yeah, here we have a similar 
question that we did an episode 

211
00:12:06,600 --> 00:12:10,700
on similar in style which was 
what's the difference between 

212
00:12:10,700 --> 00:12:13,800
digital identity and identity 
and access management? 

213
00:12:14,000 --> 00:12:19,800
And it's like you know it's 
actually a deeper answer and 

214
00:12:19,800 --> 00:12:21,400
everybody answers it a little 
bit. 

215
00:12:21,500 --> 00:12:23,600
Ali and for me with the 
entitlements, in the 

216
00:12:23,600 --> 00:12:30,100
authorizations, like 
entitlements are the data and 

217
00:12:30,100 --> 00:12:34,300
authorization is the enactment 
of that data and you know, I 

218
00:12:34,300 --> 00:12:37,800
made up that term enactment and 
then what I realized was you 

219
00:12:37,800 --> 00:12:41,700
know, the terms are very 
important and I kind of thought 

220
00:12:41,700 --> 00:12:46,900
back when was thinking about 
authorization to the XACML

221
00:12:46,900 --> 00:12:49,200
standard, right? 
I mean that was like that. 

222
00:12:49,200 --> 00:12:53,300
Was it for authorization back. 
In the day and everybody thought

223
00:12:53,300 --> 00:12:56,700
like okay that's the shift 
that's going to take place. 

224
00:12:57,500 --> 00:13:01,000
I wonder really what ever 
happened with XACML. Is it still

225
00:13:01,000 --> 00:13:05,300
important are people still you 
know, does it have a future? 

226
00:13:05,600 --> 00:13:09,100
So that's my first question. 
My second question is, you know 

227
00:13:09,700 --> 00:13:14,600
what I liked about XACML was
that it defined certain roles 

228
00:13:14,700 --> 00:13:18,500
within authorization. 
So you had your policy decision 

229
00:13:18,500 --> 00:13:22,200
Point, your policy enforcement 
point, So, if you think about 

230
00:13:22,200 --> 00:13:24,900
it, those are are very 
important. 

231
00:13:24,900 --> 00:13:29,100
Like we're, we're in the chain, 
are you deciding whether or not 

232
00:13:29,100 --> 00:13:33,200
an authorization should succeed?
Where are you enforcing that? 

233
00:13:33,200 --> 00:13:36,700
Do you want to do that from a 
central location or within the 

234
00:13:36,700 --> 00:13:39,500
application? 
For example, policy 

235
00:13:39,500 --> 00:13:43,100
Administration point. 
So all of those different roles 

236
00:13:43,100 --> 00:13:46,800
have, you know, exact 
definitions. 

237
00:13:46,800 --> 00:13:50,200
I'm wondering when it comes to 
like the fine-grained 

238
00:13:50,200 --> 00:13:52,900
authorization or An 
authorization in general. 

239
00:13:53,000 --> 00:13:55,600
Are those role names even
relevant anymore? 

240
00:13:56,000 --> 00:13:59,200
And then, you know, I know, I'm 
asking a lot of questions. 

241
00:13:59,200 --> 00:14:02,900
All combined into one question 
here, but, you know, I think we 

242
00:14:02,900 --> 00:14:06,200
just need to know about this. 
Like the IAM practitioner level

243
00:14:06,200 --> 00:14:07,900
like, what do I actually need to
know? 

244
00:14:08,200 --> 00:14:11,600
This isn't really like the 
developer podcast but like, if 

245
00:14:11,600 --> 00:14:14,300
I'm somebody who's implementing,
IAM systems.

246
00:14:14,500 --> 00:14:18,600
What is it about these Concepts 
that are still relevant today. 

247
00:14:19,100 --> 00:14:23,300
But the so I will Sandeep. 
Into identity when accessible 

248
00:14:23,300 --> 00:14:27,500
happens. 
So I don't know what are the how

249
00:14:27,500 --> 00:14:29,900
it began to become a think I 
can. 

250
00:14:30,900 --> 00:14:35,700
It fair based on the context. 
So the moment most of the 

251
00:14:36,100 --> 00:14:39,800
industry was building XML based 
specifications for everything, 

252
00:14:39,900 --> 00:14:44,100
right? 
And and, and certainly helps to 

253
00:14:44,500 --> 00:14:48,300
Define specification for doing 
attribute based access control. 

254
00:14:48,700 --> 00:14:51,300
That was it, something still 
very relevant right doing 

255
00:14:51,400 --> 00:14:54,100
achieving Basics control, and 
there wasn't a standard way of 

256
00:14:54,100 --> 00:14:58,100
doing it. 
So the XACML specification tried

257
00:14:58,100 --> 00:15:02,500
to fill that void, and I think
that's why it's important to to 

258
00:15:02,500 --> 00:15:05,500
Define standard that he had 
killed people amend this in a 

259
00:15:05,500 --> 00:15:08,700
way that is interoperable and, 
and that companies can use 

260
00:15:09,900 --> 00:15:12,900
consistently across different 
vendors in. 

261
00:15:12,900 --> 00:15:15,200
I haven't seen picking it up a 
lot of steam. 

262
00:15:15,200 --> 00:15:18,200
So there's there's a few 
companies that implemented that,

263
00:15:19,200 --> 00:15:24,200
but if they didn't become Real 
standard that is widely adopted 

264
00:15:24,200 --> 00:15:26,600
by. 
It is a regular standard but 

265
00:15:26,600 --> 00:15:29,500
it's dot divided of industry and
the. 

266
00:15:29,500 --> 00:15:33,800
And, and right now, for example,
in Auth0, we are implementing

267
00:15:33,800 --> 00:15:37,600
authorization products that are
not using such as a way to 

268
00:15:37,600 --> 00:15:41,200
specify permissions and the 
industry they're having other 

269
00:15:41,200 --> 00:15:43,400
approaches. 
There's a product called Open

270
00:15:43,400 --> 00:15:46,400
Policy Agent that is very
successful in managing 

271
00:15:46,400 --> 00:15:50,100
permissions for for 
infrastructure things, right? 

272
00:15:50,800 --> 00:15:53,800
Yes, that That defines policies 
in a different way and it has 

273
00:15:53,800 --> 00:15:56,000
become like a de facto standard 
for defining. 

274
00:15:56,000 --> 00:15:59,500
Authorization policy is not 
context and the, and it's not 

275
00:15:59,500 --> 00:16:03,300
using XACML, right?
So, so from that perspective, I 

276
00:16:03,300 --> 00:16:06,600
think it's is that was an 
interesting attempt by the 

277
00:16:06,608 --> 00:16:12,600
industry, but we didn't pick up 
enough or they have enough spare

278
00:16:13,200 --> 00:16:16,200
an option to to be significantly
less relevant. 

279
00:16:16,200 --> 00:16:22,000
Today, that's my personal 
opinion, the in the Like, the 

280
00:16:22,000 --> 00:16:26,400
different enforcement different 
enforcement Point decision 

281
00:16:26,400 --> 00:16:30,400
points that XACML defines, those
concepts are still relevant. 

282
00:16:30,400 --> 00:16:34,300
So, there's a place where you 
need to enforce your authorization

283
00:16:34,300 --> 00:16:37,800
policy and it can be in the 
application can be in an API 

284
00:16:37,800 --> 00:16:41,800
Gateway, and then, whatever you 
decide you can be in an API 

285
00:16:41,800 --> 00:16:44,000
proxy. 
So it'll be a different places 

286
00:16:44,300 --> 00:16:49,200
where you can decide where you 
want to call the code. 

287
00:16:49,200 --> 00:16:51,200
That is going to enforce the 
policy. 

288
00:16:51,400 --> 00:16:54,400
Right based on to decide if the 
user can log in or not, right? 

289
00:16:54,600 --> 00:16:58,500
So you have elected enforcement 
point, which is, yeah, if I'm 

290
00:16:58,500 --> 00:17:02,300
building application in the chat
with just with code, I will be 

291
00:17:02,300 --> 00:17:05,300
at the beginning of my API 
implementation, right? 

292
00:17:05,300 --> 00:17:07,000
That is the case. 
I will be checked if the 

293
00:17:07,000 --> 00:17:11,000
provision in the users 
permission to perform the action

294
00:17:11,000 --> 00:17:14,000
about, then you have the 
decision point, which will be 

295
00:17:14,000 --> 00:17:16,599
okay if I'm using an external 
eyes for Lizzie. 

296
00:17:16,599 --> 00:17:20,400
And Jane, I will call at that 
moment, a different service that

297
00:17:20,400 --> 00:17:22,800
is going to tell me. 
That is the use of company from 

298
00:17:22,800 --> 00:17:26,599
the actual amount that will be 
the only decision point for him 

299
00:17:26,900 --> 00:17:29,800
and that if I'm building an 
application with without an 

300
00:17:29,800 --> 00:17:34,200
externalized addition policy 
Engine with vision point is 

301
00:17:34,200 --> 00:17:37,900
going to be also in code, right?
I wanted right myself like after

302
00:17:39,200 --> 00:17:41,900
in the same routine that I'm 
checking the user can perform an

303
00:17:41,900 --> 00:17:44,900
action, I'm going to ask you to 
use a positive role, right? 

304
00:17:44,900 --> 00:17:47,900
And that will be the decision 
party will be in code so it can 

305
00:17:47,900 --> 00:17:51,300
be different places depending on
how you want to architect your 

306
00:17:51,400 --> 00:17:54,100
And other Concepts, they are our
Administration. 

307
00:17:54,100 --> 00:17:55,600
There, only thing ministration 
point. 

308
00:17:55,600 --> 00:17:59,900
If you are using a product that 
policies are not in code, you

309
00:17:59,900 --> 00:18:01,900
need a way to manage those. 
Right? 

310
00:18:02,100 --> 00:18:07,100
That's still the case, right? 
If you using any service to 

311
00:18:07,100 --> 00:18:10,800
manage to manage your voltage 
protection policies, you need a 

312
00:18:10,800 --> 00:18:13,900
way to meet and to manage them 
right before we see a nutrition 

313
00:18:13,900 --> 00:18:17,200
point, and then you have the 
policy information point, you 

314
00:18:17,200 --> 00:18:19,600
need data to make those 
decisions, all right? 

315
00:18:19,600 --> 00:18:23,200
Who's going to get that data? 
Okay, that's to all of those 

316
00:18:23,200 --> 00:18:26,100
Concepts still exist in a simple
app. 

317
00:18:26,200 --> 00:18:28,600
They can be all in the code, 
right? 

318
00:18:28,700 --> 00:18:31,000
But in more sophisticated 
architecture where you want to 

319
00:18:31,008 --> 00:18:33,900
decouple those things. 
Yes, those are going to be in 

320
00:18:33,900 --> 00:18:38,200
the in different services that 
can manage sometimes all of them

321
00:18:38,200 --> 00:18:42,200
together, sometimes one for each
of these points, right? 

322
00:18:42,500 --> 00:18:46,000
You may have a tool to - fall 
into the nailer to do to handle 

323
00:18:46,000 --> 00:18:49,700
the data and another to handle 
the decision and, and the so 

324
00:18:49,800 --> 00:18:53,000
yeah. 
DB still relevant and useful. 

325
00:18:53,100 --> 00:18:56,700
To reason about how 
authorization is implemented on 

326
00:18:56,700 --> 00:18:58,900
a protected in the system. 
Yeah. 

327
00:18:58,900 --> 00:19:02,300
So when you're putting together 
that architecture diagram of how

328
00:19:02,700 --> 00:19:07,900
you're doing authorization those
terms and kind of identifying, 

329
00:19:07,900 --> 00:19:12,000
those points are so important. 
Yeah, have a kind of a long 

330
00:19:12,000 --> 00:19:17,100
history in the access management
side if I and kind of thinking 

331
00:19:17,100 --> 00:19:21,300
about how a lot of access 
management systems Worked, you 

332
00:19:21,300 --> 00:19:23,100
know, pre-op. 
Today's right. 

333
00:19:23,100 --> 00:19:26,100
So, it was that were coals and 
SiteMinders.

334
00:19:26,300 --> 00:19:32,100
And the most commonly used 
integration pattern was you 

335
00:19:32,100 --> 00:19:37,400
would install an agent. 
A filter on your web server, 

336
00:19:37,400 --> 00:19:43,400
your Java server or your IIS
server for example and it would 

337
00:19:44,100 --> 00:19:49,700
filter requests every HTTP 
request and those systems became

338
00:19:49,700 --> 00:19:53,200
good at Kind of coarse-grained 
authentication which was that 

339
00:19:53,200 --> 00:19:57,700
the level of you know, this 
subdirectory or you know, 

340
00:19:57,700 --> 00:20:02,100
basically using URL filtering
like you either have access to 

341
00:20:02,100 --> 00:20:07,200
it or you don't which kind of 
led me to my next question, 

342
00:20:07,200 --> 00:20:08,900
right? 
Because that's not the way 

343
00:20:08,900 --> 00:20:12,000
applications are built today at,
all right, through there, 

344
00:20:12,000 --> 00:20:18,800
primarily using OpenID Connect
or some are using SAML, but it's

345
00:20:18,800 --> 00:20:22,800
still ultimately. 
Order to get to that that level 

346
00:20:22,800 --> 00:20:26,300
of fine-grained authentication 
or authorization. 

347
00:20:26,900 --> 00:20:31,200
I should say, is generally, 
passing data to the application.

348
00:20:31,200 --> 00:20:35,100
And the enforcement point is 
that the application Level, I'm 

349
00:20:35,100 --> 00:20:39,200
wondering with fine-grained 
authorization, you know, is it 

350
00:20:39,200 --> 00:20:48,500
dependent on any of the specific
authentication Technologies or, 

351
00:20:48,700 --> 00:20:53,600
you know, like SAML or OpenID
Connect, like is FGA

352
00:20:53,600 --> 00:21:00,300
required, requiring one or one 
of those standards to ride on 

353
00:21:00,300 --> 00:21:05,900
top of and then ultimately is 
the data that's coming from FGA

354
00:21:06,900 --> 00:21:10,100
taking over any of the like 
decision point or enforcement 

355
00:21:10,100 --> 00:21:13,700
point, or is it still coming 
back to the application to 

356
00:21:13,700 --> 00:21:16,900
enforce? 
Okay, this person has access to 

357
00:21:16,900 --> 00:21:19,400
this button, I'm going to show 
them the button. 

358
00:21:20,200 --> 00:21:24,900
Cetera. 
Okay, so when we talk about FGA,

359
00:21:24,900 --> 00:21:30,700
there are kind of two main 
ways of implementing FGA. One is

360
00:21:30,700 --> 00:21:33,300
called ABAC, attribute-based 
access control. 

361
00:21:33,300 --> 00:21:34,600
And the other one is called 
ReBAC, 

362
00:21:34,600 --> 00:21:39,200
relationship-based access 
control and in both cases, what 

363
00:21:39,200 --> 00:21:44,600
you end up relying to is on an 
identifier that you get from 

364
00:21:46,300 --> 00:21:48,600
whatever way you ended up 
logging in to the application.

365
00:21:48,600 --> 00:21:51,200
If you are using an IdP with 
OIDC, 

366
00:21:51,208 --> 00:21:55,600
you're going to get subject 
from the ID token or the access 

367
00:21:55,600 --> 00:21:58,600
token, and you want to use that 
as the user ID, right? 

368
00:21:58,800 --> 00:22:02,600
And then you're going to, for 
example, if you use ABAC, ABAC 

369
00:22:02,600 --> 00:22:05,500
is attribute-based access control, 
and you're going to probably 

370
00:22:05,500 --> 00:22:09,300
require data from your database
to decide if the user can 

371
00:22:09,300 --> 00:22:12,000
perform an action. 
So let's say you want to 

372
00:22:12,100 --> 00:22:14,700
approve. 
You have an endpoint that you 

373
00:22:14,700 --> 00:22:19,300
want to approve if a user can 
verify for you. 

374
00:22:19,300 --> 00:22:21,600
So kind of an expense report, 
right? 

375
00:22:21,700 --> 00:22:24,200
So the usage standpoint is 
approved to support. 

376
00:22:24,200 --> 00:22:26,300
You need to check that the user 
has permission to do that. 

377
00:22:27,500 --> 00:22:31,000
You will need to know if the 
user can directly see if expense

378
00:22:31,000 --> 00:22:33,900
report, not any expense report. 
To do that, 

379
00:22:33,900 --> 00:22:35,600
you need data, you need to 
know? 

380
00:22:35,600 --> 00:22:39,700
For example, is the, the person 
who submitted the expense report

381
00:22:40,100 --> 00:22:44,300
is, is a direct report of the 
person, who is approving. 

382
00:22:45,100 --> 00:22:46,400
So that could be a use case, 
right? 

383
00:22:46,400 --> 00:22:49,200
So I can only approve expense 
reports from my direct reports. 

384
00:22:49,900 --> 00:22:53,400
Need to check if the in the 
submitted of that expense report

385
00:22:53,400 --> 00:22:57,500
is a direct report from the user
that is submitted, I've proven 

386
00:22:57,500 --> 00:23:00,000
it. 
So the to do that, I go to the 

387
00:23:00,000 --> 00:23:04,100
database, I get the data and the
and then I decide if I want to 

388
00:23:04,400 --> 00:23:08,100
let the user approve, the 
expense or not, you know, that I

389
00:23:08,100 --> 00:23:10,900
get the user ID that I got from 
the ID token. 

390
00:23:10,900 --> 00:23:15,000
And I go to my database and 
find if that user ID is the 

391
00:23:15,000 --> 00:23:17,000
manager of the submitter of the 
report. 

392
00:23:17,100 --> 00:23:19,400
And if that's the case, then I 
let him go. 

393
00:23:20,200 --> 00:23:24,500
So from that perspective, I'm 
doing fine-grained authorization 

394
00:23:24,500 --> 00:23:28,300
and relying on whatever user ID 
was provided to me, that's fine.

395
00:23:29,000 --> 00:23:31,500
There are other ways to 
implementing regulation with 

396
00:23:31,500 --> 00:23:34,600
like relationship based Access 
Control those. 

397
00:23:34,600 --> 00:23:38,400
The, their active products try 
to do that today and mostly 

398
00:23:38,400 --> 00:23:42,000
inspired the implementation by 
Google called Google 

399
00:23:42,000 --> 00:23:44,900
Zanzibar. 
So, Google's published a paper, 

400
00:23:44,900 --> 00:23:48,300
how they did their internal 
authorization service which was 

401
00:23:48,300 --> 00:23:51,000
called Google Zanzibar. 
The way it works is you 

402
00:23:51,000 --> 00:23:54,200
specified relationship between 
different entities. 

403
00:23:54,200 --> 00:24:01,200
So you can say this user is the 
manager of this under user, this

404
00:24:01,700 --> 00:24:05,300
user it was the submitter of 
this country port and their use 

405
00:24:05,300 --> 00:24:07,900
the user ID is that were 
provided by your IDP, right? 

406
00:24:08,100 --> 00:24:12,000
So in any case you are bound to 
specific authentication method, 

407
00:24:12,000 --> 00:24:16,100
you can use any way to 
authenticate and still do 

408
00:24:16,100 --> 00:24:19,300
fine-grained authorization with ABAC or with
relationship-based, 

409
00:24:20,000 --> 00:24:22,300
ReBAC, right? 
So both work does the 

410
00:24:22,300 --> 00:24:27,200
application development need to 
be developed with FGA in mind, 

411
00:24:27,300 --> 00:24:31,800
or can you take an application 
that was developed previously 

412
00:24:31,800 --> 00:24:36,900
and integrated into an 
FGA-based framework? If you think,

413
00:24:36,900 --> 00:24:41,600
especially as a generic term 
then and let's say you are you 

414
00:24:41,600 --> 00:24:44,200
have an application built with 
role-based Access Control, 

415
00:24:44,300 --> 00:24:46,500
right? 
And then you have this is an 

416
00:24:46,500 --> 00:24:52,000
area where you want to approve 
the expense on If the user 

417
00:24:52,000 --> 00:24:58,100
disapproving, it is the manager 
of Gregor submitted a report. 

418
00:24:58,800 --> 00:25:04,100
The you can just do an extra 
query in that method, right? 

419
00:25:04,100 --> 00:25:06,900
And and then then you're going 
to have fine-grained authorization, 

420
00:25:07,300 --> 00:25:09,400
okay? 
So fine-grained authorization is 

421
00:25:09,400 --> 00:25:14,000
kind of, I don't rely just on 
role-based data. 

422
00:25:14,200 --> 00:25:18,700
I I need to know data about the 
specific resource. 

423
00:25:18,900 --> 00:25:22,600
I'm changing or acting on to 
make a decision. 

424
00:25:22,800 --> 00:25:26,700
So from that perspective, it can
be usually most role-based 

425
00:25:26,700 --> 00:25:29,800
implementations today end up 
doing some kind of ABAC 

426
00:25:29,800 --> 00:25:33,200
because at some moment, they 
need to make a decision about 

427
00:25:34,200 --> 00:25:36,800
the specific resource or the 
specific record that the user can

428
00:25:36,800 --> 00:25:39,600
access, okay? 
So from that perspective, is 

429
00:25:40,500 --> 00:25:44,800
there's nothing to change and 
it's it's a way to gradually go 

430
00:25:44,800 --> 00:25:48,700
from role-based access to 
attribute based access by adding

431
00:25:48,700 --> 00:25:51,900
more queries on your product. 
Now, if you want to build a more

432
00:25:51,900 --> 00:25:54,700
sophisticated implementation of
attribute based access control 

433
00:25:54,700 --> 00:25:58,100
and you want to do, for example,
a policy based Access Control 

434
00:25:58,100 --> 00:26:02,000
where the definition of that 
access policy is subsiding 

435
00:26:02,000 --> 00:26:06,200
product at some of the code 
then, yes, you would need to 

436
00:26:06,200 --> 00:26:07,900
architect your application 
differently. 

437
00:26:07,900 --> 00:26:11,000
The find operation policy 
somewhere else in an external 

438
00:26:11,000 --> 00:26:15,100
tool or product, right? 
And then from your code, call 

439
00:26:15,100 --> 00:26:17,900
those policies that implies. 
Yeah. 

440
00:26:17,900 --> 00:26:20,700
You can do that gradually. 
But it's a Change on your 

441
00:26:20,700 --> 00:26:23,400
application. 
And that, if you are using a 

442
00:26:23,400 --> 00:26:27,200
product that is relationship 
based access control, the way

443
00:26:27,200 --> 00:26:31,300
those products work is that they
need the data of how users are 

444
00:26:31,300 --> 00:26:34,500
related between themselves and 
with the different entities to 

445
00:26:34,500 --> 00:26:38,200
make a decision. 
So, you know, so you need to put

446
00:26:38,200 --> 00:26:43,300
all push all the data from your 
existing systems into those FGA 

447
00:26:43,300 --> 00:26:46,800
stores, so then they can make 
the decision, right? 

448
00:26:46,800 --> 00:26:51,600
If you that, and that is that 
also, Quite see ya thinking with

449
00:26:51,800 --> 00:26:55,500
that way because requires a lot 
of work to get all the data in 

450
00:26:55,500 --> 00:26:59,200
that system, to then be able to 
call it and with low latency 

451
00:26:59,200 --> 00:27:03,100
from your endpoints, right? 
I think that's where it's so 

452
00:27:03,100 --> 00:27:04,900
data. 
Dependent sounds like to me and 

453
00:27:04,900 --> 00:27:08,000
you can feel free to educate me 
on this, but I think of things 

454
00:27:08,000 --> 00:27:11,700
like RBAC, PBAC, 
ABAC. 

455
00:27:12,300 --> 00:27:15,200
We talked with KBAC, 
knowledge-based authentication; you 

456
00:27:15,200 --> 00:27:18,500
mentioned ReBAC, 
relationship-based authentication, which 

457
00:27:18,600 --> 00:27:22,200
maybe is the same sort of thing.
We settled on a acronym for it, 

458
00:27:22,500 --> 00:27:26,300
but the underlying pinning for 
all this is the quality of the 

459
00:27:26,300 --> 00:27:29,500
data and the amount of data to 
be able to make those sorts of 

460
00:27:29,500 --> 00:27:32,000
decisions. 
Judging by the name 

461
00:27:32,000 --> 00:27:35,200
fine-grained, you know, 
authorization, I'm assuming that

462
00:27:35,200 --> 00:27:38,900
we need to have a lot of, you 
know, metadata to be able to 

463
00:27:38,900 --> 00:27:43,100
make these sorts of decisions. 
You mentioned the ability to 

464
00:27:43,200 --> 00:27:45,900
make these decisions and more 
real-time format, which I think 

465
00:27:45,900 --> 00:27:48,600
is kind of where the direction 
of ABAC typically goes. 

466
00:27:49,100 --> 00:27:51,400
We know about a lot of 
struggles that organizations 

467
00:27:51,400 --> 00:27:55,500
have with RBAC and trying to
get roles implemented from your 

468
00:27:55,500 --> 00:27:58,500
perspective. 
Where do you see FGA kind of 

469
00:27:58,500 --> 00:28:01,900
fitting into that world of you 
know, organizations. 

470
00:28:01,900 --> 00:28:03,600
They say they want to be 
role-based Access Control. 

471
00:28:03,600 --> 00:28:05,400
Okay, great. 
And then they realize how hard 

472
00:28:05,400 --> 00:28:07,400
it is and they sort of like 
stumble through it in the maybe 

473
00:28:07,400 --> 00:28:12,300
they settle on attribute based 
access control. Is FGA 

474
00:28:12,300 --> 00:28:17,500
basically taking attribute based
Access Control to the next level

475
00:28:17,500 --> 00:28:20,700
by having just more. 
To be able to make those 

476
00:28:20,700 --> 00:28:22,800
decisions. 
Or does it fit somewhere else 

477
00:28:22,800 --> 00:28:25,300
within that sort of that 
ecosphere, of different 

478
00:28:25,300 --> 00:28:29,200
authorization models? 
Yeah, so just to clarify their 

479
00:28:29,200 --> 00:28:31,200
interview. 
So attribute based access 

480
00:28:31,200 --> 00:28:35,700
control is FGA, okay? 
So, because it's not coarse 

481
00:28:35,700 --> 00:28:38,900
grain in the sentence of all 
only talking about the roles 

482
00:28:39,300 --> 00:28:40,700
you. 
When you talk about an 

483
00:28:40,700 --> 00:28:44,500
attribute, then the ultimate can
be as like fine grained as the 

484
00:28:44,500 --> 00:28:47,000
specific document. 
So you have a permission for a 

485
00:28:47,000 --> 00:28:49,800
specific document, you can build
that with an ABAC 

486
00:28:50,300 --> 00:28:54,400
implementation, right? 
If you want to use FGA with a

487
00:28:54,600 --> 00:28:58,600
ReBAC implementation, 
relationship-based, then the 

488
00:28:58,600 --> 00:29:02,000
ReBAC engine will need all
the data to make the decisions. 

489
00:29:02,500 --> 00:29:06,800
So maybe explain a little more, 
how that ReBAC works and 

490
00:29:06,800 --> 00:29:09,600
decency. 
Work mode works to this to make 

491
00:29:09,600 --> 00:29:12,800
more sense. 
So the way through Google had a 

492
00:29:12,800 --> 00:29:17,900
problem back in the in the think
they did this initially for 

493
00:29:17,900 --> 00:29:24,200
Google+, which I It's probably 
early 2010, 2012, something 

494
00:29:24,200 --> 00:29:26,500
around the date, right? 
And they decided they want to 

495
00:29:26,500 --> 00:29:30,400
build an externalized, Sprite to
manage population, and they end 

496
00:29:30,400 --> 00:29:34,100
up building service that they 
use for all products in Google. 

497
00:29:34,600 --> 00:29:38,000
So each time you share a 
document in Google with specific

498
00:29:38,000 --> 00:29:41,400
person, you are writing a feel 
at beta, some data into the 

499
00:29:41,400 --> 00:29:47,600
Zanzibar implementation and why 
what it needed to do that for 

500
00:29:47,600 --> 00:29:49,400
two reasons. 
First, they wanted to have a 

501
00:29:49,408 --> 00:29:54,500
consistent way to define and
manage authorization across 

502
00:29:54,500 --> 00:29:58,000
Google for all products. 
In most cases, what happens 

503
00:29:58,000 --> 00:30:00,100
today is like a URL to a 
company. 

504
00:30:00,100 --> 00:30:03,500
There are 10 20 teams they need 
to build authorization. 

505
00:30:03,500 --> 00:30:06,600
They do it all your different 
way and the and in this case, 

506
00:30:06,600 --> 00:30:10,600
what we will say is we want a 
consistent way, same APIs, same 

507
00:30:10,600 --> 00:30:13,300
thing where you thinking for all
of our teams, okay? 

508
00:30:13,800 --> 00:30:18,700
And and then, they also needed 
to scale for Google Docs and so 

509
00:30:19,000 --> 00:30:22,100
each time you Of P permission to
someone that if someone else 

510
00:30:22,100 --> 00:30:25,200
wants to access the document 
that needs to be very fast, very

511
00:30:25,200 --> 00:30:28,300
low latency High availability, 
right? 

512
00:30:28,300 --> 00:30:31,400
So we need to build product that
help doing that. 

513
00:30:32,200 --> 00:30:35,900
The issue with ABAC is that in
ABAC you need to go and get the

514
00:30:35,900 --> 00:30:38,400
data yourself. 
And it's usually happens in your

515
00:30:38,400 --> 00:30:41,400
existing transactional 
databases, right? 

516
00:30:41,600 --> 00:30:45,800
So I want to know who is the 
manager of the this user need to

517
00:30:45,800 --> 00:30:47,900
be two. 
Adjoining some table, right? 

518
00:30:48,600 --> 00:30:51,200
Check the expense report data. 
I'll look at the expense report 

519
00:30:51,200 --> 00:30:54,400
tail and the and make you 
thinking for World up, like a 

520
00:30:54,408 --> 00:30:57,200
service calls, another service, 
we could go to another service. 

521
00:30:57,200 --> 00:30:59,100
Each of those areas need to do 
the same. 

522
00:30:59,300 --> 00:31:02,200
Sometimes the same database 
queries, something different, 

523
00:31:02,200 --> 00:31:04,800
sometimes the different 
services, that adds a lot of 

524
00:31:04,800 --> 00:31:09,600
latency, a lot of potential 
points of failure, like any of 

525
00:31:09,600 --> 00:31:14,000
those Services down, there is 
very low impact that API call. 

526
00:31:14,500 --> 00:31:19,700
So, what Google said is to be 
able to make those decisions in 

527
00:31:19,700 --> 00:31:22,500
a way. 
That is scalable, low latency 

528
00:31:22,500 --> 00:31:24,100
and reliable. 
We need the data. 

529
00:31:24,500 --> 00:31:27,000
So we cannot rely on the 
developers. 

530
00:31:27,000 --> 00:31:29,900
Only Kermit people who's 
implementing this, go and get 

531
00:31:29,900 --> 00:31:32,200
the data. 
At the moment of evaluation, we 

532
00:31:32,200 --> 00:31:35,800
need to have the data before. 
So, what they Define, it's a 

533
00:31:35,808 --> 00:31:39,600
model where you provide to a 
Zanzibar store 

534
00:31:39,900 --> 00:31:43,900
Tuples that basically say this 
user is a member of the strong 

535
00:31:44,300 --> 00:31:46,400
this user can write this 
document. 

536
00:31:46,400 --> 00:31:49,200
This role can write this 
document and things like that, 

537
00:31:49,300 --> 00:31:51,500
right? 
This group can write this file 

538
00:31:51,500 --> 00:31:55,800
into this folder so they are 
policies, permissions that you 

539
00:31:55,800 --> 00:31:58,900
assigned to different entities 
into different resources. 

540
00:31:59,300 --> 00:32:03,800
And based on that when you need 
to ask can chef at this document

541
00:32:03,900 --> 00:32:07,800
it will say yes or no yes or no,
depending on the folder, they 

542
00:32:07,808 --> 00:32:10,200
were comedy is the group you are
the road, you have the 

543
00:32:10,200 --> 00:32:12,900
organization, you belong to 
things, right? 

544
00:32:13,200 --> 00:32:15,700
And that so that is that I could
be like, a bit 

545
00:32:15,900 --> 00:32:20,300
relationship-based FGA model 
and which is the That I'm 

546
00:32:20,300 --> 00:32:24,900
working on in after and the and 
then there's a few people trying

547
00:32:24,900 --> 00:32:27,200
to build the same kind of 
implementation, right? 

548
00:32:27,500 --> 00:32:30,100
Which is trying to solve that 
problem and that problem 

549
00:32:30,100 --> 00:32:33,300
requires the data and then one 
of the problems of people 

550
00:32:33,300 --> 00:32:36,400
amending a solution like this is
that you need to get all the 

551
00:32:36,400 --> 00:32:40,300
data into the store which might 
be challenging depending on your

552
00:32:40,600 --> 00:32:44,500
architecture, your project. 
It sounds like what you're 

553
00:32:44,500 --> 00:32:47,300
describing to me. 
Sounds awful lot like a 

554
00:32:47,308 --> 00:32:50,600
Knowledge Graph essentially. 
Yes, and building a centralized 

555
00:32:50,600 --> 00:32:54,100
repository of all this data is 
that the is that the gist of 

556
00:32:54,100 --> 00:32:55,700
this? 
Is there needs to be some sort 

557
00:32:55,700 --> 00:33:01,200
of Central master database, 
table, graph, whatever 

558
00:33:01,200 --> 00:33:03,700
technology, right, as being 
blockchain, as much as I hate to

559
00:33:03,700 --> 00:33:07,100
use that word, right? 
Where all this data is basically

560
00:33:07,100 --> 00:33:13,400
stored centralized kept up to 
date and then leveraged as the 

561
00:33:13,600 --> 00:33:16,800
Of source for these sorts of 
decisions when it comes to 

562
00:33:17,000 --> 00:33:20,000
authorization is that? 
Yes, and accurate way to portray

563
00:33:20,000 --> 00:33:21,300
it. 
Yes. 

564
00:33:21,400 --> 00:33:24,300
And I need to know that we need 
all the data, right? 

565
00:33:24,300 --> 00:33:28,600
We just need the minimal data 
possible to make this analysis 

566
00:33:28,600 --> 00:33:31,000
of decisions. 
For example, recognition know, 

567
00:33:31,300 --> 00:33:36,700
back, when I need to know this 
document ID is is in this folder

568
00:33:36,700 --> 00:33:39,000
ID, right. 
I don't need to know the content

569
00:33:39,000 --> 00:33:42,500
of the document, the title 
document, nothing else, right? 

570
00:33:42,600 --> 00:33:45,700
So chefs there. 
The IDS of the relate of the 

571
00:33:45,700 --> 00:33:50,300
entities and how they are 
related with right and the and 

572
00:33:50,300 --> 00:33:53,600
with that you can make good 
decisions in a way that is very 

573
00:33:53,600 --> 00:33:55,900
fast. 
Scalable glorious event. 

574
00:33:55,900 --> 00:33:58,000
And there's so that that is what
what? 

575
00:33:58,400 --> 00:34:01,400
And that is kind of the the new 
kid on the Block right over, how

576
00:34:01,400 --> 00:34:05,800
to build authorization today and
what what, what is a lot of 

577
00:34:05,800 --> 00:34:08,800
companies are trying to 
implement this after Google, did

578
00:34:08,800 --> 00:34:11,300
it? 
There were a lot of other 

579
00:34:11,300 --> 00:34:13,100
companies that try to do similar
things. 

580
00:34:13,100 --> 00:34:17,000
We like, BRB Expedia car that 
they are all, give their all 

581
00:34:17,000 --> 00:34:20,000
flavors of something. 
It is and that's what kind of 

582
00:34:20,699 --> 00:34:25,000
gave up gave us kind of more 
certainty to try to follow this 

583
00:34:25,000 --> 00:34:28,800
path because it seems like a it 
was a good path to take. 

584
00:34:29,100 --> 00:34:31,400
And that the challenge for us 
was that we need wanted to build

585
00:34:31,400 --> 00:34:33,800
access product, right? 
So it's not a product that 

586
00:34:33,800 --> 00:34:36,600
you're going to put Bill itself 
and host inside your company, 

587
00:34:36,900 --> 00:34:39,500
that is tuned for your specific 
scenario. 

588
00:34:39,500 --> 00:34:42,300
We need the product that you 
bring any wood, could use and 

589
00:34:42,300 --> 00:34:45,699
anywhere could Define the their 
own entities and relationships. 

590
00:34:47,500 --> 00:34:50,100
A lot of the use cases that you 
just described and even kind of 

591
00:34:50,100 --> 00:34:52,500
the companies that have gone 
down this path are 

592
00:34:52,600 --> 00:34:57,500
consumer-focused, is that really
sort of the intention for FGA? 

593
00:34:57,500 --> 00:35:00,700
Is it, is it more of a 
consumer-focused sort of 

594
00:35:00,700 --> 00:35:02,600
approach. 
You did talk about some 

595
00:35:02,600 --> 00:35:05,900
potential you know use cases 
inside a little calm like 

596
00:35:05,900 --> 00:35:08,500
Enterprise use cases. 
But I don't know if most 

597
00:35:08,500 --> 00:35:10,100
Enterprises are to the maturity 
level. 

598
00:35:10,100 --> 00:35:16,200
At this point to be able to have
the the number quality of 

599
00:35:16,200 --> 00:35:17,700
attributes. 
Get to make some of these 

600
00:35:17,700 --> 00:35:20,300
decisions. 
I guess where do you see sort of

601
00:35:20,300 --> 00:35:22,700
like the main use case for FGA 
at this point? 

602
00:35:23,300 --> 00:35:26,700
Yeah. 
So We've been talking to a lot 

603
00:35:26,700 --> 00:35:30,000
of companies and that is that 
you want to do and something 

604
00:35:30,000 --> 00:35:33,500
that is and most of the use 
cases are B2B SaaS scenarios. 

605
00:35:34,500 --> 00:35:37,400
If you think about the B2B SaaS, 
it's interesting because you 

606
00:35:37,408 --> 00:35:41,500
need, when you start your first 
version of a B2B SaaS product, 

607
00:35:42,000 --> 00:35:46,000
you probably don't have like a 
we have an admin role and a user

608
00:35:46,000 --> 00:35:49,900
role and and that's enough for 
v1, right? 

609
00:35:50,100 --> 00:35:53,100
And after that application 
evolves and you start getting 

610
00:35:53,100 --> 00:35:56,700
more sophisticated customers, 
there are Ask you for more 

611
00:35:56,700 --> 00:35:59,900
sophistication, how you manage 
permissions together, right? 

612
00:36:00,000 --> 00:36:01,900
So, first time I asked you, I 
want roles. 

613
00:36:02,000 --> 00:36:05,200
Then I ask, you know, I want to 
actually implement fine-grained 

614
00:36:05,200 --> 00:36:08,200
authorization, which is the 
producers can access different 

615
00:36:08,200 --> 00:36:11,500
specific documents, and folders 
depending on who they are and 

616
00:36:11,500 --> 00:36:17,200
things like that, right? 
So and so in our view, every B2B

617
00:36:17,200 --> 00:36:20,800
SaaS company will eventually 
need to implement fine-grained 

618
00:36:20,800 --> 00:36:25,100
authorization in the products 
because that's what customers. 

619
00:36:25,300 --> 00:36:28,300
Their Enterprise customers are 
asking them, right? 

620
00:36:28,500 --> 00:36:31,900
And and the initially maybe the 
smaller customers want when they

621
00:36:31,900 --> 00:36:35,200
want to go kind of Upstream in 
the cotton, the size of the 

622
00:36:35,200 --> 00:36:38,200
companies they are requiring, 
those kind of permissions. 

623
00:36:39,100 --> 00:36:42,800
So so yes. 
So we see a lot of a lot of 

624
00:36:43,100 --> 00:36:46,300
opportunity there for B2B 
SaaS companies to implement 

625
00:36:46,300 --> 00:36:51,000
cyclization and also like a 
initially in inevitably such 

626
00:36:51,000 --> 00:36:54,100
product. 
By definition, you have like a 

627
00:36:54,500 --> 00:36:58,000
one attribute Which is their 
tenant of the customer right 

628
00:36:58,300 --> 00:37:01,200
that that the Sailor Gates 
information, right? 

629
00:37:01,200 --> 00:37:04,500
So if you're an admin of an 
organization, you cannot see 

630
00:37:04,500 --> 00:37:06,600
data from another organization, 
right? 

631
00:37:07,000 --> 00:37:11,000
So that is already a biker, a 
little fine-grained in the sense

632
00:37:11,000 --> 00:37:13,300
that is, you cannot model that 
just with roles. 

633
00:37:13,600 --> 00:37:16,200
You need to also have at least 
one attribute, which is the 

634
00:37:16,207 --> 00:37:19,500
organization that the user 
belongs to, right, to filter data 

635
00:37:19,700 --> 00:37:22,300
depending on that. 
And then and then it gets more 

636
00:37:22,300 --> 00:37:25,200
complex like a, you want to be 
the team. 

637
00:37:25,300 --> 00:37:28,700
Teams like a have people, which 
I have two folders and then they

638
00:37:28,700 --> 00:37:30,800
want to share documents with 
with themselves with different 

639
00:37:30,800 --> 00:37:33,600
permissions. 
So it gets more complex in a lot

640
00:37:33,600 --> 00:37:36,300
of those B2B scenarios and 
product like this. 

641
00:37:36,300 --> 00:37:39,400
Kind of makes sense and dryer 
cycle. 

642
00:37:40,300 --> 00:37:43,400
Oh my God, I just couldn't help.
I mean, we're on audio only 

643
00:37:43,400 --> 00:37:47,400
podcast but we have our cameras 
on couldn't help, but notice you

644
00:37:47,400 --> 00:37:53,500
have a shirt on that says 
OpenFGA, and you talk to us a little

645
00:37:53,500 --> 00:37:56,800
bit about what that is. 
I'm assuming that's part of your

646
00:37:56,800 --> 00:38:01,700
mission in life at the moment, 
so Co and milk. 

647
00:38:03,000 --> 00:38:05,200
Auth0 was acquired 
by Okta a couple of years 

648
00:38:05,200 --> 00:38:09,100
ago and the end at the moment, 
we were building a product for 

649
00:38:09,400 --> 00:38:14,800
solving fine-grained authorization 
and Auth0 has more the 

650
00:38:14,800 --> 00:38:18,700
developer brand. 
And so we ended up naming our 

651
00:38:18,700 --> 00:38:22,600
initial project Auth0 FGA, even if
it was already part of Okta. 

652
00:38:23,200 --> 00:38:27,300
And then and and then we decided
to open source it. 

653
00:38:27,700 --> 00:38:31,200
Okay, so right now I'm working 
in my mission in life is two 

654
00:38:31,200 --> 00:38:34,500
products. One 
is called Auth0 FGA and 

655
00:38:34,500 --> 00:38:36,000
another one that is called 
OpenFGA. 

656
00:38:36,000 --> 00:38:39,200
OpenFGA is the open source 
version of Auth0 FGA. 

657
00:38:39,200 --> 00:38:44,400
We use OpenFGA to build 
Auth0 FGA and the and the 

658
00:38:45,100 --> 00:38:48,300
and the goal is that. 
Yes, we we want to be able to 

659
00:38:48,308 --> 00:38:52,700
open a ga with the industry. 
We think that a product like, 

660
00:38:52,700 --> 00:38:56,600
this is gonna be very important 
moving forward for building 

661
00:38:56,600 --> 00:39:00,300
authorization. 
And in, in all of these cases 

662
00:39:00,300 --> 00:39:04,700
we've been discussing and And we
think the company like Okta can

663
00:39:05,100 --> 00:39:07,400
with the right Partners can make
this reality. 

664
00:39:07,500 --> 00:39:12,400
Like, having a de facto standard
of implementing finalization is 

665
00:39:12,400 --> 00:39:14,200
relationship based Access 
Control way. 

666
00:39:14,800 --> 00:39:18,100
And so, and we think the way to 
do that is through open source, 

667
00:39:18,700 --> 00:39:24,700
and, but we have customers that 
want to also buy managed service

668
00:39:24,700 --> 00:39:27,300
that they don't need to maintain
the need to operate that. 

669
00:39:27,300 --> 00:39:31,500
They make sure the security is 
taken care of by that the 

670
00:39:31,500 --> 00:39:34,100
compliance is ticking. 
Heroes are those kind of things 

671
00:39:34,400 --> 00:39:37,900
and for that, we are still going
to have a cloud version of a 

672
00:39:37,908 --> 00:39:40,300
product that you can use without
hosting it yourself. 

673
00:39:41,500 --> 00:39:44,300
Now, let's create a mini, no 
pictures, had a big impact on 

674
00:39:44,300 --> 00:39:48,300
our industry over time and you 
know, it's good to see that that

675
00:39:48,300 --> 00:39:51,200
spirit is still kind of alive 
and well. 

676
00:39:51,500 --> 00:39:54,400
Yes, and Auth0 and 
Okta both have been 

677
00:39:54,400 --> 00:39:56,000
contributing to open source for 
a while. 

678
00:39:56,300 --> 00:39:58,500
But we it's his first time in 
that. 

679
00:39:58,500 --> 00:40:01,800
We kind of launch product that 
is complete core of the product 

680
00:40:01,800 --> 00:40:04,100
is open source. 
Right, we have a lot of holes, 

681
00:40:04,100 --> 00:40:06,800
open source, libraries and 
things that you can use with 

682
00:40:06,800 --> 00:40:11,300
Okta or Auth0 but never kind of 
met product that was built that 

683
00:40:11,300 --> 00:40:13,700
way. 
So it's pretty exciting to met 

684
00:40:13,700 --> 00:40:24,300
expected. so, if I were to look 
into the knowledge graph of 

685
00:40:25,400 --> 00:40:28,700
Andreas. 
What would I find as the go-to 

686
00:40:28,700 --> 00:40:31,400
karaoke song for you going to 
end things? 

687
00:40:31,400 --> 00:40:34,000
On a lighter note here. 
So this is my way of tying it 

688
00:40:34,000 --> 00:40:37,100
back together. 
I'm thinking of the fine grains,

689
00:40:37,100 --> 00:40:41,500
you know authorization that says
hey Andre is is about to perform

690
00:40:41,500 --> 00:40:44,000
karaoke. 
Here is the song that he's going

691
00:40:44,000 --> 00:40:46,200
to perform. 
Yeah. 

692
00:40:46,200 --> 00:40:49,500
So it's fun because karaoke 
songs tempting to be like our 

693
00:40:49,500 --> 00:40:53,100
songs, everyone everybody knows 
and likes to seeing and are fun 

694
00:40:53,600 --> 00:40:55,000
and I usually don't like to 
sing. 

695
00:40:55,100 --> 00:41:00,700
Songs are more like a like to 
sing a song I like and so my 

696
00:41:00,700 --> 00:41:05,900
go-to song is down the road from
Bruce Springsteen and the area 

697
00:41:06,500 --> 00:41:09,500
when I see it in your way nobody
knows it and you know a lot of 

698
00:41:09,500 --> 00:41:14,400
people so it's not as fun and 
the when I sing it in New Jersey

699
00:41:14,400 --> 00:41:17,500
that is more time. 
But by Kim. 

700
00:41:17,500 --> 00:41:19,700
What's your your go-to for 
karaoke? 

701
00:41:20,700 --> 00:41:24,300
I mean I have to admit like the 
hardest part about doing a 

702
00:41:24,300 --> 00:41:27,500
podcast. 
It is listening to the podcast 

703
00:41:27,500 --> 00:41:29,500
once in a while and hearing my 
own voice. 

704
00:41:29,800 --> 00:41:33,900
So it doesn't get any better 
when I do karaoke and someone 

705
00:41:33,900 --> 00:41:37,600
thinks a video of it and I'm 
like, oh my god did I really get

706
00:41:37,600 --> 00:41:42,100
up and sound like that? 
But, you know, a few shots of 

707
00:41:42,100 --> 00:41:45,800
whiskey, or whatever. 
It takes to get up there on that

708
00:41:45,800 --> 00:41:48,900
stage. 
So if I'm with Denise, my 

709
00:41:48,900 --> 00:41:53,200
girlfriend seems too nice if I'm
with her, we like to do Kid, 

710
00:41:53,200 --> 00:41:58,700
Rock duet with Sheryl Crow, 
picture. 

711
00:41:59,400 --> 00:42:03,000
And so, that's our go-to for 
when were together. 

712
00:42:03,000 --> 00:42:05,400
Now, if I do a solo, it's going 
to be terrible. 

713
00:42:05,400 --> 00:42:10,300
No matter what, but I like 
anything by ZZ Top. 

714
00:42:11,600 --> 00:42:17,000
And I also like Poison, so any 
anything within their catalog. 

715
00:42:18,100 --> 00:42:20,800
But it's just a lot of just 
sounds like a lot of screaming. 

716
00:42:20,800 --> 00:42:24,200
Jeff, it's not good. 
So when I'm there with Denise, I

717
00:42:24,200 --> 00:42:27,900
try to pick a song where the 
male part is very short and the 

718
00:42:27,900 --> 00:42:30,300
female part is the dominant 
part. 

719
00:42:30,300 --> 00:42:34,400
And so that's kind of what we've
settled on what about you have? 

720
00:42:34,400 --> 00:42:37,000
Probably, I mean, that's 
probably the way to go because 

721
00:42:37,000 --> 00:42:38,200
she's like a professional 
singer. 

722
00:42:38,200 --> 00:42:43,700
So, yeah, oh yeah, yeah. 
No, I mean, nobody, who's there 

723
00:42:43,700 --> 00:42:47,200
at the bar or whatever they were
doing in the karaoke yet wants 

724
00:42:47,200 --> 00:42:49,100
to hear me, but when she 
sings. 

725
00:42:49,100 --> 00:42:52,500
It's like oh, you know people 
start coming up to her and 

726
00:42:52,500 --> 00:42:54,200
asking her to do duets with 
them. 

727
00:42:54,200 --> 00:42:55,800
I'm like, okay. 
I'm here. 

728
00:42:55,900 --> 00:43:01,000
I'm here. 
I'm with you on the voice thing.

729
00:43:01,100 --> 00:43:03,000
I 
do not have a voice for singing.

730
00:43:03,000 --> 00:43:04,700
You could argue. 
I don't have a voice for talking

731
00:43:04,700 --> 00:43:06,300
either but I still have somehow
to do it. 

732
00:43:07,500 --> 00:43:10,800
I think for me it's probably, 
you know, I like to go back to 

733
00:43:11,300 --> 00:43:15,200
my guys at Queen and do 
Bohemian Rhapsody. Granted, you 

734
00:43:15,200 --> 00:43:19,200
know. 
It is something that I generally

735
00:43:19,200 --> 00:43:22,300
only perform after severe 
inebriation. 

736
00:43:22,600 --> 00:43:26,300
That's just saying which is a 
very rare occurrence for me and 

737
00:43:26,300 --> 00:43:30,600
I will absolutely sing every 
part of that song, including all

738
00:43:30,600 --> 00:43:32,500
the highs and the lows and 
everything. 

739
00:43:32,700 --> 00:43:35,400
Now I said sing, I didn't say 
sing well, so I just kind of 

740
00:43:35,400 --> 00:43:39,800
make that stipulation out there 
that it is unlikely that anyone 

741
00:43:39,800 --> 00:43:42,300
will ever witness this and it is
probably for their own benefit 

742
00:43:42,300 --> 00:43:44,200
that they do not. 
But that that's my go-to would 

743
00:43:44,200 --> 00:43:48,300
be Bohemian Rhapsody by Queen. 
Well at least you picked a short

744
00:43:48,300 --> 00:43:50,900
song. 
Yeah exactly. 

745
00:43:50,900 --> 00:43:52,700
For long. 
The pain for everybody. 

746
00:43:52,700 --> 00:43:54,800
Yeah. 
That's what I actually like the 

747
00:43:55,200 --> 00:43:58,100
It's like putting you into the 
system like yeah, we don't have 

748
00:43:58,100 --> 00:44:01,200
that song that's like Stairway 
to Heaven, right? 

749
00:44:01,200 --> 00:44:04,700
You don't go into the guitar 
store and start playing that. 

750
00:44:05,000 --> 00:44:06,800
That's right. 
A bird or something like that 

751
00:44:07,500 --> 00:44:08,900
Andres. 
You've been very generous with 

752
00:44:08,900 --> 00:44:10,800
your time and I want to make 
sure you can get on with your 

753
00:44:10,800 --> 00:44:14,800
with your day here. 
Before we wrap things up, you've

754
00:44:14,800 --> 00:44:19,000
educated myself 
and hopefully others all about 

755
00:44:19,000 --> 00:44:21,900
FGA and sort of where it fits 
within the, the identity and 

756
00:44:21,900 --> 00:44:24,900
access management ecosphere. 
Are there any final? 

757
00:44:25,000 --> 00:44:27,400
Thoughts or takeaways that you'd
like to get out there for the 

758
00:44:27,400 --> 00:44:29,700
folks who are listening that 
want to either get more 

759
00:44:29,700 --> 00:44:31,800
information about or things that
they should be thinking about 

760
00:44:31,800 --> 00:44:36,500
when it comes to FGA? 
Yeah, so I would recommend them 

761
00:44:36,500 --> 00:44:42,600
to Google about Google about 
Google Zanzibar and because 

762
00:44:42,600 --> 00:44:46,400
it's kind of it seems to be 
becoming like a popular way to 

763
00:44:46,400 --> 00:44:50,200
implement authorization in 
general and it has like a diss 

764
00:44:50,200 --> 00:44:54,900
to great things which is a way 
to do fine-grained authorization. 

765
00:44:55,100 --> 00:44:58,100
And also way to have a 
centralized way to manage 

766
00:44:58,100 --> 00:45:01,600
organization in the company, 
right? 

767
00:45:01,600 --> 00:45:07,200
And both things are very 
valuable in the so I hope and I 

768
00:45:07,207 --> 00:45:10,500
think that the next few years, 
this will become a thing. 

769
00:45:10,600 --> 00:45:14,700
And other people are going to be
like, trying to implement the 

770
00:45:14,700 --> 00:45:18,700
requirement in this model. 
So it might be a good thing to 

771
00:45:18,700 --> 00:45:21,000
start learning about it. 
Right. 

772
00:45:21,000 --> 00:45:26,300
And and I'll have a link in our 
show notes to open fda.gov which

773
00:45:26,600 --> 00:45:28,700
looks like a pretty good website
for folks who are interested in 

774
00:45:28,700 --> 00:45:31,700
want to get more involved with 
sort of what it is. 

775
00:45:31,700 --> 00:45:33,800
Learn more about. 
It is in addition to Googling, 

776
00:45:34,100 --> 00:45:36,700
it is weird to say Google 
Google's Zanzibar, it sounds

777
00:45:36,700 --> 00:45:39,600
like a double negative. 
But here we are Jim. 

778
00:45:39,600 --> 00:45:41,800
How about yourself? 
Any final thoughts from 

779
00:45:41,800 --> 00:45:46,900
fine-grained authorizations or, 
you know, singing Melodies with 

780
00:45:47,100 --> 00:45:49,300
your girlfriend. 
Nothing else, home singing? 

781
00:45:50,000 --> 00:45:50,500
Yeah. 
Great. 

782
00:45:50,700 --> 00:45:54,600
Topic today, very informative 
hopefully somewhat entertaining 

783
00:45:54,600 --> 00:45:57,600
for folks. 
Just a reminder about the 

784
00:45:57,700 --> 00:46:02,300
webinar coming up in a couple 
weeks and hopefully we can we 

785
00:46:02,300 --> 00:46:05,600
can tweak those numbers and get 
a few more people to attend. 

786
00:46:05,600 --> 00:46:11,200
It's on the 22nd at 1 p.m. and 
will have a note to a note in 

787
00:46:11,200 --> 00:46:16,100
the show notes link to the to 
the podcast or I'm sorry the 

788
00:46:16,100 --> 00:46:19,500
webinar, and finally a shout-out to 
Mike. 

789
00:46:19,900 --> 00:46:22,300
Thanks a lot. 
Not for hooking us up with 

790
00:46:22,300 --> 00:46:26,100
Andreas because if it's a great 
guest today, thank you. 

791
00:46:26,100 --> 00:46:31,400
Andres. Anybody who wants to 
link up with me on LinkedIn? 

792
00:46:32,200 --> 00:46:35,300
I'm very open to networking and
Andres, 

793
00:46:35,300 --> 00:46:37,900
I would assume you are as well. 
Yes. 

794
00:46:39,300 --> 00:46:40,700
All right. 
If you kind of, you kind of 

795
00:46:40,700 --> 00:46:43,000
spell my name. 
Yuri, be able to find me a link.

796
00:46:43,000 --> 00:46:46,000
Yeah, or well, we give me the 
show notes. 

797
00:46:46,200 --> 00:46:49,500
I will definitely have a link to
your LinkedIn profile in our 

798
00:46:49,500 --> 00:46:51,400
show notes. 
People can check, I doubt 

799
00:46:51,500 --> 00:46:53,400
there's always links for Jim and
I hate, you know, we're always 

800
00:46:53,400 --> 00:46:54,800
happy to connect with folks that
are out there. 

801
00:46:55,300 --> 00:46:56,500
I'll have links to a whole bunch 
of stuff. 

802
00:46:56,500 --> 00:46:59,400
Basically we'll have Andres's 
LinkedIn. 

803
00:47:00,200 --> 00:47:04,000
I'll have a link to open fda.gov
we'll have a link to the webinar 

804
00:47:04,000 --> 00:47:07,000
that Jim is doing. 
It's called MFA tried to fix 

805
00:47:07,000 --> 00:47:10,700
passwords but how do we fix 
MFA. Great sexy title. 

806
00:47:11,000 --> 00:47:14,300
I'm sure Jim will deliver and 
things like that. 

807
00:47:14,300 --> 00:47:18,000
So I think with that, we'll go 
ahead and leave it for this 

808
00:47:18,000 --> 00:47:19,900
week. 
You can check us out on the web,

809
00:47:20,000 --> 00:47:22,500
identityatthecenter.com, we're on Twitter 

810
00:47:22,500 --> 00:47:26,200
at idea. 
See podcast and yeah thanks 

811
00:47:26,200 --> 00:47:28,900
everyone for listening and we'll
talk with everyone in the next 

812
00:47:28,900 --> 00:47:34,000
one. 
Thanks for listening to the 

813
00:47:34,000 --> 00:47:36,800
Identity at the Center podcast. 
If you like what you heard, 

814
00:47:36,800 --> 00:47:40,100
don't forget to subscribe and 
visit us on the web at 

815
00:47:40,100 --> 00:47:40,900
identityatthecenter.com.
