Frontegg launches entitlements engine to streamline access authorization

SaaS-based customer identity and access management (CIAM) provider Frontegg has launched an entitlements engine, an authorization management capability aimed at helping app developers and revenue teams streamline access authorization.

The new engine will be powered by context-aware logic controls (CALC) technology to effect context-based, fine-grained authorization controls, Frontegg said. It will be added to Frontegg’s namesake CIAM platform, which features a suite of identity management capabilities that includes authentication, onboarding flow design, user management, self-serve account management, etc.

“The old way of building SaaS apps required the use of many different solutions to solve in-app entitlements — role-based access control (RBAC), attribute-based access control (ABAC), feature flag management, subscription management, free trial provisioning anomaly detection, and others, requiring a lot of APIs and working with many different vendors,” Sagi Rodin, chief executive officer at Frontegg, said in a press release. “With our CALC-powered Entitlements Engine, we provide all of this functionality and more in a single API.”

Frontegg showcased the new capability at the Identiverse conference in Las Vegas this week and has made it immediately available to users.

Frontegg’s CALC streamlines authorization

The new entitlements engine allows developers to shift entitlement workstreams left, letting anyone make changes formerly requiring additional code or additional vendor integrations, according to the company.

The idea is to expand on existing CIAM systems’ focus on authentication for protection against phishing, account takeovers, and other identity-related attacks, to allow for authorization management, defining the type and number of resources to be accessed.

“In today’s SaaS environments, the next step after authentication is authorization — once the customer logs in, they need to be authorized to use a subset of features and access a subset of available data,” said Jack Poller, an analyst at ESG Global. “Each SaaS environment has unique authorization requirements — a cloud file store (Microsoft OneDrive, Box, Dropbox, etc.) have simple entitlements such as read, modify, or share, whereas other environments can have complex and multiple entitlements.”

These complex entitlements need to support user access controls, role-based access controls, and attribute-based access controls, Poller added.

Frontegg’s CALC enables SaaS app developers to incorporate a user database for both authentication and authorization.

“With our CALC-powered entitlements engine, we provide all of this functionality and more in a single API,” Rodin said in the press release.  “We can do this because we have the contextual awareness to make the right decision based on business logic — which users can access which feature, field, or API — automatically.”

Centralized dashboard for multiple solutions

The engine provides a visual dashboard to allow non-technical users to design product bundles for entitlement without the need for additional codes, complex configurations, or products from vendors, according to the company. 

“Every entitlement in a SaaS solution requires developers to write corresponding code to check authorization and control access,” Poller said. “Using Frontegg’s CALC solution means developers can streamline the development process, consolidating the user database, authentication, and authorization, and skip straight from defining entitlements and control points to enforcement without writing code to check authorization.”

Frontegg’s entitlement engine allows engineering, product, and business teams to create endless customizations for customers, making entitlement changes “as simple as toggling a button,” according to the company.

These include capabilities like customized free trials, feature flag control for individual user permissions, time-based assignment of entitlements, entitlement assignment DIYs for SaaS resellers and channels, and ABAC for full customization.

The engine also enables blocking or requiring additional measures such as multifactor authentication for users by tapping into real-time identity attributes such as geolocation, impossible travel, device type, network signature, and client vision.