Clear Entitlement: Flexible, scalable access control built for real-world complexity.

Building secure and scalable applications is rarely simple. I have spent years working on entitlement projects for leading financial firms, and through that experience, I learned a hard truth: no single product can perfectly address every scenario without customization. Many products begin as projects built to solve problems for a specific model and are later generalized into products. However, new models continue to emerge, and products often fall short when applied to real-world projects involving complex workflows, diverse data models, and strict compliance requirements.

Popular frameworks each have their strengths—and their limitations:

- XACML provides a standardized, policy-driven model capable of expressing highly complex rules. Its flexibility is unmatched, and I especially value the obligation concept. However, its APIs can sometimes be difficult to align with real-world requirements.
- FGA (Fine-Grained Authorization) simplifies object-level permissions, but migrating existing relational data into its storage model can be painful. The absence of an obligation concept adds another challenge.
- OPA (Open Policy Agent) enables code-driven policies, offering developers flexibility. Yet it is well known that managing policy logic at scale can be difficult, and dynamically loading runtime data from external sources can be tricky.

One of the toughest challenges I observed was data filtering at scale. In large datasets containing millions or even billions of records, users need to see only what they are authorized to access—often with pagination. Evaluating each item individually against a policy is inefficient, slow, and unsustainable. Traditional query-based approaches simply cannot keep pace as datasets grow and rules become more complex.

This is where the concept of obligation filters became a breakthrough. Instead of checking access after retrieving data, obligation filters allow policies to inject constraints directly into the query itself. This is why I chose XACML as the foundation for Clear Entitlement.

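As an added example (not Clear Entitlement's own code), the obligation-filter pattern described above in Python with sqlite3: the policy decision point returns Permit together with an obligation whose filter terms are compiled into a parameterised WHERE clause, so the database narrows the result set before pagination instead of the application checking rows one by one. The policy, the `trades` table, its column names and the subject attributes are all constructed for this example.

```python
import sqlite3
# Constructed policy (example only): each rule yields a decision and, on Permit,
# an obligation whose filter narrows rows to what the subject may see.
POLICY = {
    "rules": [
        {"role": "analyst", "decision": "Permit", "obligations": [
            {"id": "filter-rows", "filter": [("region", "=", "subject.region"),
                                             ("classification", "<=", "subject.clearance")]}]},
        {"role": "auditor", "decision": "Permit", "obligations": [
            {"id": "filter-rows", "filter": [("classification", "<=", "subject.clearance")]}]},
    ],
    "default": "Deny",
}
ALLOWED_COLUMNS = {"region", "classification"}
ALLOWED_OPS = {"=", "<=", "<", ">=", ">"}

def evaluate(subject):
    """PDP: return (decision, obligations) for the subject's role."""
    for rule in POLICY["rules"]:
        if rule["role"] == subject["role"]:
            return rule["decision"], rule["obligations"]
    return POLICY["default"], []

def compile_filter(obligations, subject):
    """Turn obligation filters into a parameterised WHERE clause. Columns and
    operators are allow-listed so policy data can never splice raw SQL in."""
    clauses, params = [], []
    for ob in obligations:
        for col, op, ref in ob["filter"]:
            if col not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
                raise ValueError(f"disallowed filter term: {col} {op}")
            clauses.append(f"{col} {op} ?")
            params.append(subject[ref.split(".", 1)[1]])  # "subject.region" -> subject["region"]
    return " AND ".join(clauses) or "1=1", params

def fetch_page(conn, subject, page, size):
    """PEP: Deny returns nothing; Permit pushes the filter into the query, then paginates."""
    decision, obligations = evaluate(subject)
    if decision != "Permit":
        return []
    where, params = compile_filter(obligations, subject)
    sql = f"SELECT id FROM trades WHERE {where} ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, params + [size, page * size])]

def build_db():
    """Constructed sample data: ten trades over two regions and three classification levels."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trades (id INTEGER PRIMARY KEY, region TEXT, classification INTEGER)")
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?)", [(i, "EU" if i % 2 else "US", i % 3) for i in range(1, 11)])
    return conn
```

Because the filter travels with the decision, a second page of results is just another LIMIT/OFFSET over the same authorized predicate, with no per-row policy calls.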
Another key insight from working with multiple financial firms was the need for flexible data models. Every organization has unique data structures, and rigid models simply do not work. In my view, NGAC's graph-based model points in the right direction: final access decisions—whether a simple GRANT/DENY or filtered object set—are derived from relationships within the data. In this sense, it is ultimately about defining a data model and the rules to calculate outcomes.

Clear Entitlement enables customers to define their own data models, with the UI driven by JSON Schema for all models and use cases. This ensures that workflows, access rules, and even user interfaces can be customized without modifying the core product—making it highly adaptable to any organization. Clear Entitlement also provides an intuitive and easy-to-use grammar for expressing how data is calculated.

Built on the proven XACML model, Clear Entitlement combines robust policy enforcement with developer-friendly APIs and customizable data models, making even the most complex access control scenarios approachable. With Clear Entitlement, organizations can:

- Enforce fine-grained access control without compromising performance
- Efficiently handle large datasets and paginated queries
- Define custom data models and use cases tailored to their unique workflows
- Integrate seamlessly with modern architectures, including AI agents and systems using the Model Context Protocol (MCP)
- Automatically generate UI elements based on JSON Schema, ensuring consistency and adaptability

Clear Entitlement bridges the gap between standardized policy models and practical, real-world needs. It empowers developers and security teams to enforce precise, maintainable, and scalable access control while avoiding the pitfalls of excessive customization or complex integration. Ultimately, The Entitlement Story is about solving a problem I encountered firsthand: making authorization reliable, scalable, and practical. Whether you are managing sensitive enterprise data, coordinating AI-driven systems, or implementing applications using Model Context Protocols, Clear Entitlement provides a foundation that is flexible, reliable, and ready for real-world challenges. It is more than a product—it is a solution that adapts to your needs, allowing you to focus on building applications while ensuring access control is handled correctly, efficiently, and securely.