Authorization best practices

Authorization/Access Control Best Practices, Anil Saldhana

Description

http://anil-identity.blogspot.com/2013/05/access-control-best-practices.html has the best practices for access control/authorization.

Transcript of Authorization best practices

2. Authentication is FINITE whereas Authorization is INFINITE. - Anil Saldhana
3. Best Practice 1: Know that you will need access control/authorization
4. Best Practice 2: Externalize the access control policy processing
5. Best Practice 3: Understand the difference between Coarse Grained and Fine Grained Authorization
6. Best Practice 4: Design for coarse grained authorization but keep the design flexible for fine grained authorization
7. Best Practice 5: Know the difference between Access Control Lists (ACL) and Access Control Standards. ACLs are proprietary; standards include OASIS XACML and IETF OAuth2
8. Best Practice 6: Adopt Rule Based Access Control: view access control as Rules and Attributes
9. Best Practice 7: Adopt a REST style architecture when your situation demands scale, and hence adopt REST Authorization Standards
10. Best Practice 8: Understand the difference between the Enforcement and Entitlements models
11. Greater Depth: Visit http://anil-identity.blogspot.com/2013/05/access-control-best-practices.html
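Best Practices 2, 3, 6 and 8 in working form, as an added Python example that is not part of the deck or the linked post: one decision function holds all the rules (two coarse-grained role rules beside one fine-grained ownership rule) so application code never embeds policy, an enforcement call answers "may this subject do this action?", and an entitlements call answers "which actions may this subject take?". The subjects, resources and rule names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Request:
    subject: dict   # caller attributes, e.g. {"id": "alice", "roles": {"analyst"}}
    action: str     # e.g. "read", "edit", "delete"
    resource: dict  # target attributes, e.g. {"type": "report", "owner": "bob"}

# Rule based access control: each rule is a named predicate over attributes.
# The rules live only here, in the policy decision point (XACML's PDP),
# not in the application code that calls it (the PEP).
# The first two rules are coarse grained (role + resource type only); the
# third is fine grained because it compares per-resource ownership.
RULES = [
    ("admins may do anything",
     lambda r: "admin" in r.subject["roles"]),
    ("analysts may read reports",
     lambda r: "analyst" in r.subject["roles"]
               and r.action == "read"
               and r.resource["type"] == "report"),
    ("owners may edit their own reports",
     lambda r: r.action == "edit"
               and r.resource["type"] == "report"
               and r.resource.get("owner") == r.subject["id"]),
]

def decide(request: Request) -> tuple[bool, str]:
    """Deny by default; permit on the first matching rule and report which one."""
    for name, rule in RULES:
        if rule(request):
            return True, name
    return False, "no rule matched (default deny)"

def enforce(subject: dict, action: str, resource: dict) -> bool:
    """Enforcement model: a yes/no answer for one request at the moment of access."""
    permitted, _ = decide(Request(subject, action, resource))
    return permitted

def entitlements(subject: dict, resource: dict,
                 actions=("read", "edit", "delete")) -> set:
    """Entitlements model: the set of actions a subject holds on a resource,
    e.g. to decide up front which controls a UI should show."""
    return {a for a in actions if decide(Request(subject, a, resource))[0]}

# Constructed sample data (hypothetical users and resource, not from the deck).
ALICE  = {"id": "alice", "roles": {"analyst"}}
BOB    = {"id": "bob",   "roles": {"analyst"}}
ROOT   = {"id": "root",  "roles": {"admin"}}
REPORT = {"type": "report", "owner": "bob"}
```

Changing who may edit a report means editing one entry in RULES; no caller needs to change, which is the point of externalizing policy processing.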