Versions Compared

Old Version 24

changes.mady.by.user Michael Hyzer

Saved on

compared with

New Version Current

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

Privileges, a generic model

Warning
titleThis is an older version of the Recipe.

Please see the new version.

A Group is a collection of subjects.  An example of using a group without using authorization is an email list.  A Role is a collection of privileges that is shared by all subjects assigned to the role, which generally describes the subjects' affiliation, job function, or responsibility.  A Resource is the part of the system which needs to be protected by authorization, and it represents a noun in a privilege assignment.  The Action is the verb of the privilege assignment which allows a resource to be assigned to a subject in various ways without creating more resources .  For example SubjectA can view (action) the Math department data (resource).  A Privilege Assignment associates the subject with the actions and resources that they are allowed to perform.  A Limit is a condition on the privilege assignment which must be true at run-time for the privilege assignment to be allow.  Examples of limits are time of day, source IP address, amounts of approvals, etc.

...

When applications protect resources by checking if the authenticated user is in a group, they are implicitly making a virtual role from the groupessentially using a group as if it were a role.  For example, if the application code checks if the authenticated user is in the institution's "student" group, in order for them to see the main screen of the application, then there is an implicit hard-coded privilege resource of "main-screen", and action "view", assigned to the role "studentUser", which is assigned to the group "student".  Though it is referred to as security by group, it is actually a role.

...

    • Follow the attributes
    • Are there really use cases when access requires realtime evaluation or is static evaluation or cached evaluations enough?
      • Use cases using "presence detection" , is this person physically in a building  or a room
      • Use cases with quota evaluation, metering or rate limiting a for fee service?
    • case studies
  • attribute delivery recipe:
    • SAML between IdP & SP
    • SPML, XMPP ( grouper) for push provisioning
      • XMPP is a messaging protocol that many institutions already run with known security and addressing standards
        • JMS or activeMQ ? AMQP as a wire protocol.
    • LDAP , privilege registry or webservice   for pull provisioning
      • is there existing mace-dir work to build on?
  • generalizing to federated scenarios and VOs
    • What is the namespace  ( URIs vs  URNs) and object characteristics for privileges
      • what are the special problems in namespace choice?
        • The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may be applied to subset of either.
        • Some architectures take the "CRUD" view where everything is mapped to create, read, update, delete on specific objects
        • Some architectures use privilege names scoped to the  resources they reference.
        • examples
        • The actual privilege may be represented differently by the policy enforcement points in an application or service or may be represented in multiple application for services
        •  
      • Fifer using URIs  e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users would specify a group so would a privlege be
        • privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read be the equivalent?
  • authorization and access control
    **case studies in production
  • rule-based access control

Access control policy management

Using Paccman terminology, a generic access policy statement P reads

Code Block

P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L

Note:

  • Subjects can be persons or groups
  • Roles, Actions and Resources can inherit <<privileges, (policy statements)?>> from other Roles, Actions and Resources
  • Limits can be expressed as a sequence of atomic predicates "X Verb Y" joined by logical operators, AND, OR, NOT, XOR. 
  • X Verb Y is an atomic predicate that is either True or False based on
    • The attributes of X 
    • Or some environmental/contextual variable, 
    • and proposition Y 
  • The whole Limit expression evaluates to True or False
  • A Limit expression that is True results in an Allow decision for the containing policy statement
  • A Limit expression that is False results in a Deny decision for the containing policy statement.

Abstract Definitions of Policy Elements:

  • At the most abstract level, Access Policy Management, APM, is the creation, modification or deletion of Policy Statements PS from the set of all policy statements being managed.  
  • A Policy Decision, PD, consists of evaluating the applicable Policy Statement(s) at the time that subject Su attempts to perform Action A on Resource Rs with the Decision being either Allow or Deny
  • Policy Enforcement, PE, either allows Su to perform the requested action A on Resource Rs or not based on whether the Policy Decision is Allow or Deny.

Test of above definitions:

  • Translate the policies implicit in the Paccman Primary Use Case Library (PPUCL) into the terminology of the proposed model
  • Assess whether there are elements of those policies that are not expressible in terms of the proposed model
  • Assess whether there are elements of the proposed model that do not figure in any of the policies implicit in the PPUCL

----------

    • P*P architectures: proposed models,
      • Application policy, enterprise policy, VO policy
    • case studies - bamboo

...