Versions Compared

Old Version 27

changes.mady.by.user Thomas Dopirak

Saved on

compared with

New Version Current

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

Privileges, a generic model

Warning
titleThis is an older version of the Recipe.

Please see the new version.

A Group is a collection of subjects.  An example of using a group without using authorization is an email list.  A Role is a collection of privileges that is shared by all subjects assigned to the role, which generally describes the subjects' affiliation, job function, or responsibility.  A Resource is the part of the system which needs to be protected by authorization, and it represents a noun in a privilege assignment.  The Action is the verb of the privilege assignment which allows a resource to be assigned to a subject in various ways without creating more resources .  For example SubjectA can view (action) the Math department data (resource).  A Privilege Assignment associates the subject with the actions and resources that they are allowed to perform.  A Limit is a condition on the privilege assignment which must be true at run-time for the privilege assignment to be allow.  Examples of limits are time of day, source IP address, amounts of approvals, etc.

...

When using externalized privileges, there are caching considerations.  Caching can improve the performance of the application and reduce the dependencies of middleware components.  If there are not real-time updates from the authorization system, then the privileges can become stale.  When there are a lot of privilege resources and assignments which need to be checked, it is a good idea to cache the application's privileges for the entire user population, or for one user when the authenticate.  If there are reports or queries which need to join available data with the allowed record types, the authorization information might need to be cached directly in the application's database.  If there are limits on the authorizations, then it is more complicated then just a list of allowed action/resource pairs.

*** a brief interlude from Tom Dopirak

subject  has privilege
(set of subjects) has privilege  or group has privilege  -- based on definition of group
subject has (set of privileges)   or subject has role  -- based on definition of role
(set of subjects) has (set of privileges) or  group has role - based on definitions

role has privilege translates to  (set of privileges) has privilege which doesn't really work

group  is a convenience for a set of subjects
role is a convenience for a set of privileges

 

The ldap or grouper groups are implementation are an implementation of the set of subjects  , a means of subject management ( or identity management)
A role is a set of privileges, an implementation might be via position  in an organization,  the existence of an attribute associated with the subject etc

******end of interlude

    • Follow the attributes
    • Are there really use cases when access requires realtime evaluation or is static evaluation or cached evaluations enough?
      • Use cases using "presence detection" , is this person physically in a building  or a room
      • Use cases with quota evaluation, metering or rate limiting a for fee service?
    • case studies
  • attribute delivery recipe:
    • SAML between IdP & SP
    • SPML, XMPP ( grouper) for push provisioning
      • XMPP is a messaging protocol that many institutions already run with known security and addressing standards
        • JMS or activeMQ ? AMQP as a wire protocol.
    • LDAP , privilege registry or webservice   for pull provisioning
      • is there existing mace-dir work to build on?
  • generalizing to federated scenarios and VOs
    • What is the namespace  ( URIs vs  URNs) and object characteristics for privileges
      • what are the special problems in namespace choice?
        • The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may be applied to subset of either.
        • Some architectures take the "CRUD" view where everything is mapped to create, read, update, delete on specific objects
        • Some architectures use privilege names scoped to the  resources they reference.
        • examples
        • The actual privilege may be represented differently by the policy enforcement points in an application or service or may be represented in multiple application for services
        •  
      • Fifer using URIs  e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users would specify a group so would a privlege be
        • privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read be the equivalent?
  • authorization and access control
    **case studies in production
  • rule-based access control

Access control policy management

Using Paccman terminology, a generic access policy statement P reads

Code Block

P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L

Note:

  • Subjects can be persons or groups
  • Roles, Actions and Resources can inherit <<privileges, (policy statements)?>> from other Roles, Actions and Resources
  • Limits can be expressed as a sequence of atomic predicates "X Verb Y" joined by logical operators, AND, OR, NOT, XOR. 
  • X Verb Y is an atomic predicate that is either True or False based on
    • The attributes of X 
    • Or some environmental/contextual variable, 
    • and proposition Y 
  • The whole Limit expression evaluates to True or False
  • A Limit expression that is True results in an Allow decision for the containing policy statement
  • A Limit expression that is False results in a Deny decision for the containing policy statement.

Abstract Definitions of Policy Elements:

  • At the most abstract level, Access Policy Management, APM, is the creation, modification or deletion of Policy Statements PS from the set of all policy statements being managed.  
  • A Policy Decision, PD, consists of evaluating the applicable Policy Statement(s) at the time that subject Su attempts to perform Action A on Resource Rs with the Decision being either Allow or Deny
  • Policy Enforcement, PE, either allows Su to perform the requested action A on Resource Rs or not based on whether the Policy Decision is Allow or Deny.

Test of above definitions:

  • Translate the policies implicit in the Paccman Primary Use Case Library (PPUCL) into the terminology of the proposed model
  • Assess whether there are elements of those policies that are not expressible in terms of the proposed model
  • Assess whether there are elements of the proposed model that do not figure in any of the policies implicit in the PPUCL

----------

    • P*P architectures: proposed models,
      • Application policy, enterprise policy, VO policy
    • case studies - bamboo

...