Versions Compared

Old Version 31

changes.mady.by.user Keith Hazelton (wisc.edu)

Saved on

compared with

New Version Current

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

Privileges, a generic model

Notewarning
titlePermalink for this pageThis is an older version of the Recipe.

Please see the new version.https://spaces.at.internet2.edu/pages/editpage.action?pageId=24578236

A Group is a collection of subjects.  An example of using a group without using authorization is an email list.  A Role is a collection of privileges that is shared by all subjects assigned to the role, which generally describes the subjects' affiliation, job function, or responsibility.  A Resource is the part of the system which needs to be protected by authorization, and it represents a noun in a privilege assignment.  The Action is the verb of the privilege assignment which allows a resource to be assigned to a subject in various ways without creating more resources .  For example SubjectA can view (action) the Math department data (resource).  A Privilege Assignment associates the subject with the actions and resources that they are allowed to perform.  A Limit is a condition on the privilege assignment which must be true at run-time for the privilege assignment to be allow.  Examples of limits are time of day, source IP address, amounts of approvals, etc.

...

    • Follow the attributes
    • Are there really use cases when access requires realtime evaluation or is static evaluation or cached evaluations enough?
      • Use cases using "presence detection" , is this person physically in a building  or a room
      • Use cases with quota evaluation, metering or rate limiting a for fee service?
    • case studies
  • attribute delivery recipe:
    • SAML between IdP & SP
    • SPML, XMPP ( grouper) for push provisioning
      • XMPP is a messaging protocol that many institutions already run with known security and addressing standards
        • JMS or activeMQ ? AMQP as a wire protocol.
    • LDAP , privilege registry or webservice   for pull provisioning
      • is there existing mace-dir work to build on?
  • generalizing to federated scenarios and VOs
    • What is the namespace  ( URIs vs  URNs) and object characteristics for privileges
      • what are the special problems in namespace choice?
        • The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may be applied to subset of either.
        • Some architectures take the "CRUD" view where everything is mapped to create, read, update, delete on specific objects
        • Some architectures use privilege names scoped to the  resources they reference.
        • examples
        • The actual privilege may be represented differently by the policy enforcement points in an application or service or may be represented in multiple application for services
        •  
      • Fifer using URIs  e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users would specify a group so would a privlege be
        • privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read be the equivalent?
  • authorization and access control
    **case studies in production
  • rule-based access control

Access control policy management

Using Paccman terminology, a generic access policy statement P reads

Code Block

P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L

Note:

  • Subjects can be persons or groups
  • Roles, Actions and Resources can inherit <<privileges, (policy statements)?>> from other Roles, Actions and Resources
  • Limits can be expressed as a sequence of atomic predicates "X Verb Y" joined by logical operators, AND, OR, NOT, XOR. 
  • X Verb Y is an atomic predicate that is either True or False based on
    • The attributes of X 
    • Or some environmental/contextual variable, 
    • and proposition Y 
  • The whole Limit expression evaluates to True or False
  • A Limit expression that is True results in an Allow decision for the containing policy statement
  • A Limit expression that is False results in a Deny decision for the containing policy statement.

Abstract Definitions of Policy Elements:

  • At the most abstract level, Access Policy Management, APM, is the creation, modification or deletion of Policy Statements PS from the set of all policy statements being managed.  
  • A Policy Decision, PD, consists of evaluating the applicable Policy Statement(s) at the time that subject Su attempts to perform Action A on Resource Rs with the Decision being either Allow or Deny
  • Policy Enforcement, PE, either allows Su to perform the requested action A on Resource Rs or not based on whether the Policy Decision is Allow or Deny.

Test of above definitions:

  • Translate the policies implicit in the Paccman Primary Use Case Library (PPUCL) into the terminology of the proposed model
  • Assess whether there are elements of those policies that are not expressible in terms of the proposed model
  • Assess whether there are elements of the proposed model that do not figure in any of the policies implicit in the PPUCL

----------

    • P*P architectures: proposed models,
      • Application policy, enterprise policy, VO policy
    • case studies - bamboo

...