Apache Fortress

Commercially-supported access management offering, production-ready and open source.
DownloadView Standards

Fortress offers role-based access control (RBAC) that’s production-ready, open source and fully supported, so you can regulate the access privileges of each person within your enterprise based on their role within your organization.


Find javadocs on RBAC for Fortress here, plus info on its capabilities.

  • RBAC Management APIs (Fortress Core)
  • RBAC Management Services (Fortress Rest)
  • RBAC Management Pages (Fortress Web)
  • RBAC Policy Enforcement for Apache Tomcat (Fortress Realm)
  • Centralized audit log (OpenLDAP)
  • Multi-tenant data and object model
  • Directory storage and replication (OpenLDAP)
Multi-tenant Architecture

Symas Enforcement Foundry uses multi-tenant architecture.
Learn More

Product Roadmap

What the future looks like for Symas Enforcement Foundry.

Web Access Management

  • OpenID Connect
  • OAuth 2.0
  • SAML 2.0
Product Source

The source of Symas Enforcement Foundry is managed by the Apache GIT repo.

Source and Binary bundles are available from:
The Apache Directory Project

The Apache Fortress Suite Includes

Fortress Core | RBAC software development kit.

Fortress Core: RBAC Management APIs

The standards-based access management Software Development Kit (SDK) is the core of the other Apache Fortress components: Rest, Realm and Web.

Fortress is open source and easy to use.  It supports multi-tenancy allowing multiple organizations to harness a single LDAP instance, while ensuring that the data remains private and isolated.

Find out about the standards that Fortress adheres to. See Standards

Learn how Fortress Core approaches security. See Security Services

Fortress Web | Gui for managing RBAC policies and identities

Fortress Web Policy Administration

Fortress Web is a graphical user interface (GUI) that manages the User and RBAC data that resides in LDAP.


Fortress Rest | For managing RBAC through a RESTful interface

Fortress Rest: Integrate Security RESTfully

Fortress Rest functions as both a Policy Decision Point (PDP) and Policy Administration Point (PAP).

It wraps the Fortress APIs using a service-based (REST/JSON) protocol, enabling multi-platform support. A one-to-one correspondence exists between a Fortress API and a Fortress Rest service. For a list of services, visit the Javadoc.

The Fortress Rest security model uses its own APIs for enforcement ensuring tight security and audit trail. Additionally, Fortress Rest uses Java EE security for another layer of protection.


Fortress Realm | Access enforcement modules for existing services

Realm: Guard your Apache Tomcat Web Apps

The Fortress Realm allows Java EE policies to map to Fortress policies that reside inside the LDAP server.

It consists of role-based access control (RBAC) policy enforcement plug-in for security authentication, authorization and auditing.

With the Realm, you add an extra layer of security to your Apache Tomcat apps.

Apache Fortress Standards

ANSI Role-Based Access Control (INCITS 359)

There’s more to compliance than assigning users to groups and applying ACL policies within directories or databases. RBAC systems provide selective role activation and deactivation, role hierarchies, and constraints over separation of duty. The RBAC component provides APIs to add, update, delete and search the directory data. Fortress gives you everything you need to exploit the full power of this ANSI specification.

More info here.

Java EE Platform Security

This is used for SSL, X.509 mutual authentication, form-based container authentication, coarse-grained authorization, SSO and more. It works within compliant Java web apps, such as Fortress Rest and Fortress Web.

Java EE security is good because its declarative controls keep the development and integration costs low. At the same time, it provides adequate network system security, and the business apps run fast because caching is maintained within the app server container. This means fewer round-trips between the application and policy servers.

More info here.

Administrative Role-Based Access Control (ARBAC02)

The ARBAC model explains how RBAC can be extended with organizational controls to govern policies pertaining to the security administration process. ARBAC helps by allowing administrative tasks to be delegated to end users who fall outside typical datacenter operations. Delegation lowers overhead, while at same time maintaining a firm grip on compliance – resulting in cost savings.

More info here.

IETF Password Policies

OpenLDAP has supported this draft since 2005.

Fortress adds by integrating with its administrative and access control APIs. These APIs enable outside apps to participate and manipulate OpenLDAP password policies, without understanding the specifics of how they work. Fortress provides services for setting up new policies and ensuring that password policies are tracked and enforced across all avenues.

More info here.


For audits, Fortress uses the OpenLDAP slapd.access log overlay to track the data exchanges performed within its own APIs. This extended capability stores the history of slapd events needed for replication. The events are persisted in the OpenLDAP backend database: the Lightning Memory-Mapped DB.

Change event tracking includes adds, updates and deletes of Fortress entities. It also tracks Read and Search events: user authentication, authorization and policy interrogations. Fortress maintains full historical data change tracking, which may be searched later with APIs for monitoring, reporting and undo. The log may also be retrieved later to sync with an external database for long-term regulatory and compliance concerns.

Temporal Constraints

The Fortress Temporal model allows users and roles to carry time and date constraints that govern when activations may occur. Role constraints are checked on every call into Fortress. The user constraint is applied only at session creation.

ANSI RBAC Policy-Enhanced (INCITS-494-2012)

Soon. But not yet.

Apache Fortress Core Security Services

Over one hundred services are divided across the Manager components.

Some of them (Access, Admin and Review) map back to ANSI RBAC functional specifications.  Others (DelAccess, DelAdmin, DelReview) are for the ARBAC02 model which help manage administrative burden for large enterprises.

Each manager component defined below has a specific purpose and contains a collection of related functions to control the Fortress Entities as they pass through its particular area of the identity lifecycle. Of late, the APIs have been wrapped with REST Services by Fortress Rest. This makes it possible to access Fortress functionality over HTTP protocol using an XML message format.

A description of the managers follow…

  • AccessMgr This object performs runtime access control operations on objects that are provisioned RBAC entities which reside in the LDAP directory to maintain policy enforcement
  • AdminMgr This object performs administrative functions to provision Fortress RBAC entities into the LDAP directory; it can be used to build custom applications and UIs
  • AuditMgr This interface prescribes methods to search the OpenLDAP slapd access log, which contains an audit trail of entity operational states to maintain and verify compliance
  • DelAcessMgr This interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress ARBAC02 entities which reside in the LDAP directory to maintain policy enforcement
  • DelAdminMgr This class prescribes the ARBAC02 DelegatedAdminMgr interface for performing the policy administration of Fortress ARBAC entities which reside in the LDAP directory; it can be used to build custom security applications and UIs
  • DelReviewMgr This class prescribes the ARBAC02 DelegatedReviewMgr interface for performing policy interrogation of provisioned Fortress ARBAC02 entities that reside in LDAP directory to maintain and verify compliance
  • PswdPolicyMgr This object adheres to IETF PW policy draft and is used to perform administrative and review functions on the PWPOLICIES and USERS data sets within Fortress
  • ReviewMgr This interface prescribes the administrative review functions on already-provisioned Fortress RBAC entities that reside in LDAP directory to maintain and verify compliance