Distributed authorization in complex multi entity-driven API ecosystems

In certain business sectors adapting to modern and cost reducing technologies and service models can be still a challenge. This especially applies for health care related SME, such as hospitals, where cost reduction runs counter the need of being compliant to legal regulations and where the access control has to struggle against a diverse landscape of health care equipment accompanied by dynamic and complex role models. Outsourcing data storage and data processing seems not to reduce the complexity, rather bears the risks of reduced data availability, loss or abuse of data and can increase legal compliance risks and concerns. Since this applies for many SMEs, a common platform, such as an ecosystem, can help to lower the entrance barrier by regaining helpful management functionalities, standardized basic services and therefore push the adoption to modern cost reducing service consumption scenarios. In this paper a generic design pattern for realizing distributed authorization in an API ecosystem is presented. The pattern is applied within a research project, which aims to develop an ecosystem for trading and consuming services within demanding business sectors and reduce lock-in effects for both, service providers and consumers. The concept of Distributed Authorization is applied in a new complex multi entity use-case, where access policies for RESTful APIs can be designed flexible under consideration of service providers´ and consumers´ requirements which are enforced by a central trusted 3rd party provider.