Concepts
As shown in the Aserto Architecture diagram, Aserto's platform consists of a number of runtime components, each of which is either hosted by Aserto or can be run in your own environment.
Overview of Concepts
Authorization:
- Authorizer: the component that makes authorization decisions on whether or not a user is allowed to perform an operation on a resource. Aserto uses Topaz as its authorizer.
- Policy: defines the rules for making authorization decisions.
- Directory: stores a graph of subjects (such as users and groups), objects (including any properties used for authorization purposes), and the relationships between them, all of which can be used by the policy.
- Decision Logs: records of the decisions made by Authorizers, including the subject, operation, resource, and outcome of each decision.
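To make the four authorization concepts concrete, the following is an added illustrative model, written for this page and not Aserto's or Topaz's own code or API: a Directory holding a relationship graph with object properties, a Policy expressed as rules over that graph, an Authorizer that evaluates the policy, and a Decision Log that records every decision. The relation names (`member`, `viewer`, `editor`, `owner`), the relation hierarchy, the operations, and the sample users, groups, and documents are all assumptions chosen for illustration; the constructed directory data in `demo()` is sample input, not real data.

```python
"""Illustrative model of Directory, Policy, Authorizer and Decision Logs.
Added example: not Aserto's or Topaz's code. Relation names, the relation
hierarchy, operations and all sample data below are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class Directory:
    """Graph of subjects, objects and the relationships between them."""
    # Edges of the form (subject, relation, object),
    # e.g. ("user:alice", "member", "group:eng").
    relations: Set[Tuple[str, str, str]] = field(default_factory=set)
    # Object properties the policy may consult, e.g. {"doc:readme": {"public": True}}.
    properties: Dict[str, Dict[str, object]] = field(default_factory=dict)

    def add(self, subject: str, relation: str, obj: str) -> None:
        self.relations.add((subject, relation, obj))

    def expand(self, subject: str) -> Set[str]:
        """Transitive closure of group membership: every group the subject
        belongs to directly or through nested groups (cycle-safe)."""
        seen: Set[str] = set()
        stack = [subject]
        while stack:
            cur = stack.pop()
            for (s, r, o) in self.relations:
                if s == cur and r == "member" and o not in seen:
                    seen.add(o)
                    stack.append(o)
        return seen


# Policy: which relations permit which operation (hypothetical rules).
# Holding "owner" implies "editor" and "viewer"; "editor" implies "viewer".
RELATION_IMPLIES = {
    "owner": {"owner", "editor", "viewer"},
    "editor": {"editor", "viewer"},
    "viewer": {"viewer"},
}
POLICY = {"read": {"viewer"}, "write": {"editor"}, "delete": {"owner"}}


def policy_allows(directory: Directory, subject: str, operation: str, obj: str):
    """Evaluate the policy against the directory graph.
    Returns (allowed, reason). Public objects are readable by anyone; otherwise
    the subject, or a group it transitively belongs to, must hold a relation on
    the object that implies the relation the operation requires."""
    if operation == "read" and directory.properties.get(obj, {}).get("public"):
        return True, "public object"
    needed = POLICY.get(operation)
    if needed is None:
        return False, "unknown operation"        # fail closed on unknown operations
    principals = {subject} | directory.expand(subject)
    for (s, r, o) in directory.relations:
        if o == obj and s in principals and needed & RELATION_IMPLIES.get(r, set()):
            return True, f"{s} has {r} on {o}"
    return False, "no permitting relation"


@dataclass
class Authorizer:
    """Makes decisions by evaluating the policy and records each one."""
    directory: Directory
    decision_log: List[dict] = field(default_factory=list)

    def is_allowed(self, subject: str, operation: str, obj: str) -> bool:
        allowed, reason = policy_allows(self.directory, subject, operation, obj)
        # Decision Log entry: who asked to do what to which resource, and the outcome.
        self.decision_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject, "operation": operation, "object": obj,
            "decision": allowed, "reason": reason,
        })
        return allowed


def demo():
    """Constructed sample directory data (not real data) and five decisions."""
    d = Directory()
    d.add("user:alice", "member", "group:eng")       # alice is in eng ...
    d.add("group:eng", "member", "group:staff")      # ... which is nested in staff
    d.add("group:staff", "viewer", "doc:handbook")   # staff can view the handbook
    d.add("user:bob", "owner", "doc:handbook")       # bob owns the handbook
    d.properties["doc:readme"] = {"public": True}    # readme is public
    az = Authorizer(d)
    results = {
        "alice reads handbook": az.is_allowed("user:alice", "read", "doc:handbook"),
        "alice writes handbook": az.is_allowed("user:alice", "write", "doc:handbook"),
        "bob deletes handbook": az.is_allowed("user:bob", "delete", "doc:handbook"),
        "carol reads readme": az.is_allowed("user:carol", "read", "doc:readme"),
        "carol reads handbook": az.is_allowed("user:carol", "read", "doc:handbook"),
    }
    return results, az.decision_log


if __name__ == "__main__":
    res, log = demo()
    for k, v in res.items():
        print(f"{k}: {v}")
    for entry in log:
        print(entry)
```

The point to notice is the separation of responsibilities: the Directory only answers graph questions (including nested group membership), the Policy only states rules, the Authorizer combines them and is the single place where a decision is made and logged. Unknown operations are denied rather than silently allowed, and every call, allowed or not, leaves a Decision Log entry that can later be aggregated and audited.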
Management:
- Tenant: the unit of isolation and management of Policy Instances, Policy Images, Directory data, Decision Logs, Connections, and Edge Authorizers.
- Control Plane: manages Edge Authorizers: it keeps their policy and Directory data up to date, aggregates their Decision Logs, and sends remote commands to them.
- Connections: connections to external systems such as Identity Providers (often the source of Directory data) and Source Code Control Systems (where policies are stored and versioned).
- Organization: a type of tenant that is shared across multiple collaborators, and enforces an RBAC model.