Pattern 7: All National
This pattern uses national components to manage all authentication and authorisation of users. Local systems can then use the tokens given out by the national services to make access control decisions without having to implement any local authentication or authorisation services.
- Greatly simplifies access controls in a local system – they no longer have to do any user management or authorisation checks, and can instead rely on the national services carrying out basic checks on their behalf.
- Provides a national “single-sign-on” capability allowing the same authentication session (ID token) to be used in all systems that support it, without requiring the user to log in multiple times.
- Reduced costs for local/regional solutions.
- Takes all authorisation away from local systems. They can of course still inspect tokens and perform additional checks to block access if necessary, but this could confuse a client that had been informed access has been authorised.
- Would only do authorisation against nationally agreed policies, using information held about the user nationally. For example, it would not do checks that rely on user attributes held only in the local systems, such as legitimate relationship checks.
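The local-system side of this pattern, as an added sketch that is not part of the original pattern text: the local system keeps no user store and decides purely from a nationally issued token. The issuer and audience URLs, the claim names, the scope strings and the compact signed-token format are assumptions, and HMAC stands in for the national service's signature so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed values: issuer, audience, key and claim names are assumptions.
NATIONAL_ISSUER = "https://national-idp.example"
LOCAL_AUDIENCE = "https://local-records.example"
DEMO_KEY = b"constructed-demo-key"  # HMAC stand-in for the national signature

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(claims):
    """Stand-in for the national service: sign the claims as a compact token."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def local_decision(token, needed_scope, now=None):
    """Local system: no local user management, only checks on the token."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64d(head)), json.loads(b64d(body))
        sig_bytes = b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return "deny: malformed token"
    except ValueError:  # wrong part count, bad base64, bad JSON
        return "deny: malformed token"
    if header.get("alg") != "HS256":
        return "deny: unexpected algorithm"
    if not hmac.compare_digest(sign(head, body), sig_bytes):
        return "deny: bad signature"
    if claims.get("iss") != NATIONAL_ISSUER or claims.get("aud") != LOCAL_AUDIENCE:
        return "deny: wrong issuer or audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "deny: expired"
    if needed_scope not in str(claims.get("scope", "")).split():
        return "deny: scope not granted nationally"
    return "allow"
```

Any check that needs locally held attributes, such as a legitimate relationship check, would have to be layered on after `local_decision` returns `"allow"`, which is the drawback listed above.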