The Cloudentity TrUST Engine is a combination of APIs, services and practices to allow you to define security policies and directly apply polices to tools such as the MicroPerimeter™ Sidecar or Gateway — the TrUST Engine provides a single source of truth no matter where enforcement occurs.


Under the TrUST Engine umbrella you will find following services:

  • AuthZ service - the heart of the engine responsible for storage, management and validation of the authorization policies.

  • Permission Service - Cloudentity unique view on User, services, things permissions and consent that enables to you assign and manage corse and fine grained entitlements for mentioned entities.

  • Risk service - highly performant risk engine that enables to to calculate and distribute the risk attached to users, services, things as well as transactions performed by them.


Cloudentity provides comprehensive authorization for Users, Services and Things using a combination of controls including

  • Attribute Based Access Controls (ABAC)

  • Role-Based Access Control (RBAC)

  • Advanced Risk Based Authorization Capabilities (RADAC)

Additionally, Cloudentity is able to communicate with existing authorization and fraud engines to inform the authorization model with real-time threat information such as compromised IP address, devices or other contextual, custom validation elements.

The Cloudentity trUSTengine™ allows the modeling of complex decision trees to provide flexible and adaptive authentication and authorization flows. These models can be applied on when the client first authorizes, but can also be applied at any point during the application flow. This allows for non-binary access control to protected resources, meaning high-value resources (e.g. a financial transaction) may require additional authorization than a low value transaction (e.g. accessing corporate content).

The non-binary aspect of the access control is expressed not only in adaptive decision-making capabilities informed by dynamic attributes and states, but also in non-binary decision outcomes that adapt to the situation and context. The TrUSTengineâ„¢ gives far more than a simple yes/no decision; it supplies mitigation steps in order to guide the client on how to overcome initially denied access.

TrUST Engine components

AuthZ Service

Cloudentity’s AuthZ service provides a Single Source of Truth for security policy management Users, Services and Things. The flexible API utilizes a pluggable validation architecture to support hybrid authorization models that span across roles based, attribute based, and risk based, micro-segmentation. Policies are applicable for both inbound and outbound transactions (ingress and egress) and provides context-based authorization including user, device, application, transaction, and location attributes.

Please see the AuthZ Documentation and the AuthZ Service API Specification for more details.

Permission Service

The Cloudentity Permission Service can be used to model RBAC,ABAC or fine grained entitlement assignment scenarios. This service allows the specification of permissions and grants, either on a per-tenant basis or at the system level. Cloudentity Permission Service is used as a permission definition, grant and storage model; however the permissions evaluation and enforcement might be distributed between the Cloudentity TrUST Engine and application specific logic that can be utilized to provide permission grants for fine grained authorization.

For more details, please review documents specifically about the Permission Service or review the Permission Service API Specification for more details.

Risk Service

Cloudentity Risk Service is highly performant risk engine that enables to to calculate and distribute the risk attached to users, services, things as well as transactions performed by them.

The Risk Service engine is build based on stream processing technology, it accepts multiple sources of events with data relevant from security perspective. It filters the important ones and calculates risk levels for User, Services Things or transactions. Out of the box the Cloudentity Risk Services comes with the threat modeling responsible for calculating risk based on internal Cloudentity Events like failed authentication or authorizations, unknown consumption devices or IP etc…​ however it can be extended to utilize external sources. Example of such an external system can be a Web Application Firewall providing additional information about the suspicious activity.

Please see Risk Service API Specification for more details.

Developer guide

Please see How to integrate with TrUST Engine for more details.