Privileges, a generic model
Note: Please see the new version: https://spaces.at.internet2.edu/pages/editpage.action?pageId=24578236
- A Group is a collection of subjects. A group can exist without any authorization meaning at all; an email list is an example.
- A Role is a collection of privileges shared by all subjects assigned to the role. A role generally describes the subjects' affiliation, job function or responsibility.
- A Resource is the part of the system that needs to be protected by authorization; it is the noun in a privilege assignment.
- An Action is the verb of a privilege assignment. It lets one resource be assigned to subjects in several ways without creating more resources. For example, SubjectA can view (action) the Math department data (resource).
- A Privilege Assignment associates a subject with the actions it is allowed to perform and the resources it may perform them on.
- A Limit is a condition on a privilege assignment that must be true at run time for the assignment to be allowed. Examples of limits are time of day, source IP address, number of approvals, etc.
...
- Follow the attributes
- Are there really use cases in which access requires real-time evaluation, or are static or cached evaluations enough?
- Use cases using "presence detection": is this person physically in a building or a room?
- Use cases with quota evaluation, metering or rate limiting of a for-fee service?
- case studies
- attribute delivery recipe:
- SAML between IdP & SP
- SPML, XMPP (Grouper) for push provisioning
- XMPP is a messaging protocol that many institutions already run with known security and addressing standards
- JMS or ActiveMQ? AMQP as a wire protocol.
- LDAP, privilege registry or web service for pull provisioning
- Is there existing MACE-Dir work to build on?
- generalizing to federated scenarios and VOs
- What is the namespace (URIs vs URNs) and what are the object characteristics of privileges?
- What are the special problems in namespace choice?
- The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may apply to a subset of either.
- Some architectures take the "CRUD" view, where everything maps to create, read, update or delete on specific objects.
- Some architectures use privilege names scoped to the resources they reference.
- examples
- urn:mace:edu:cmu:andrew:s3:field:ssn=read
- urn:mace:edu:cmu:andrew:s3:canreadssns
- http://www.cmu.edu/andrew/s3/fields/ssn/read
- The actual privilege may be represented differently by the policy enforcement points in an application or service, or may be represented in multiple applications or services.
- Fifer uses URIs, e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users specifies a group. Would privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read be the equivalent for a privilege?
- authorization and access control
  - case studies in production - rule-based access control
- Authorization Techniques and Strategies
  - XACML, Drools, others
Access control policy management
Using Paccman terminology, a generic access policy statement P reads:

    P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L

Note:
- Subjects can be persons or groups
- Roles, Actions and Resources can inherit <<privileges (policy statements)?>> from other Roles, Actions and Resources
- Limits can be expressed as a sequence of atomic predicates "X Verb Y" joined by the logical operators AND, OR, NOT and XOR.
- "X Verb Y" is an atomic predicate that is either True or False, based on the attributes of X, or on some environmental/contextual variable, and the proposition Y.
- The whole Limit expression evaluates to True or False.
- A Limit expression that is True results in an Allow decision for the containing policy statement.
- A Limit expression that is False results in a Deny decision for the containing policy statement.
- Because a Limit is evaluated at decision time, the policy decision point needs the run-time context of the request (time of day, source IP address, approval count) as input, not only the subject's attributes.
Abstract Definitions of Policy Elements:
- At the most abstract level, Access Policy Management (APM) is the creation, modification or deletion of Policy Statements (PS) in the set of all policy statements being managed.
- A Policy Decision (PD) consists of evaluating the applicable Policy Statement(s) at the time that Subject S attempts to perform Action A on Resource Rs, the Decision being either Allow or Deny. When more than one statement applies, the rule for combining their results (for example, whether any Allow suffices or a single Deny prevails) has to be stated; the model above does not fix one.
- Policy Enforcement (PE) either allows S to perform the requested Action A on Resource Rs or not, based on whether the Policy Decision is Allow or Deny.
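The model above (the Group/Role/Resource/Action/Limit definitions and the statement "Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L") is concrete enough to execute. The following is an added illustration written for this page, not Paccman's or any institution's code. It assumes: subjects get roles directly or through groups; roles, actions and resources inherit along explicit relations (role "inherits from", action "implies", and colon-delimited resource URNs where a statement on a parent covers its children); the combining rule is grant-only (one applicable statement whose Limit holds yields Allow, otherwise Deny, and a request no statement covers is denied by default). The institution, subjects, groups, roles, URNs and request contexts are constructed sample data; XOR is left out of the connectives because it follows the same pattern as AND/OR.

```python
"""Toy policy decision point (PDP) and enforcement point (PEP) for the statement
P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L.
Added example, not Paccman code: inheritance rules, default-deny and the grant-only
combining rule are assumptions made here."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set

Predicate = Callable[[dict], bool]  # a Limit: evaluated against the request context at run time


# Atomic predicates "X Verb Y": X is an environmental/contextual variable, Y the proposition.
def between(start: time, end: time) -> Predicate:
    return lambda ctx: start <= ctx["time"] < end

def from_network(cidr: str) -> Predicate:
    net = ip_network(cidr)
    return lambda ctx: ip_address(ctx["source_ip"]) in net

def approvals_at_least(n: int) -> Predicate:
    return lambda ctx: ctx.get("approvals", 0) >= n

# Logical connectives over predicates.
def AND(*ps: Predicate) -> Predicate:
    return lambda ctx: all(p(ctx) for p in ps)

def OR(*ps: Predicate) -> Predicate:
    return lambda ctx: any(p(ctx) for p in ps)

def NOT(p: Predicate) -> Predicate:
    return lambda ctx: not p(ctx)

ALWAYS: Predicate = lambda ctx: True


@dataclass(frozen=True)
class PolicyStatement:
    role: str
    action: str
    resource: str  # colon-delimited URN; a statement on a parent resource covers its children
    limit: Predicate = ALWAYS


# --- Constructed sample data for a hypothetical institution (not from the page) ---
GROUP_MEMBERS: Dict[str, Set[str]] = {"math-dept-staff": {"alice"}}
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {  # subject or group -> roles held
    "math-dept-staff": {"dept-viewer"},
    "carol": {"ssn-auditor"},
}
ROLE_INHERITS: Dict[str, Set[str]] = {"ssn-auditor": {"dept-viewer"}}  # child role -> parent roles
ACTION_IMPLIES: Dict[str, Set[str]] = {"update": {"read"}}            # a grant of update also grants read

MATH_DATA = "urn:mace:edu:cmu:andrew:math:data"
S3_FIELDS = "urn:mace:edu:cmu:andrew:s3:field"

POLICY: List[PolicyStatement] = [
    # dept-viewer can update (hence read) Math department data, but only from the campus network
    PolicyStatement("dept-viewer", "update", MATH_DATA, from_network("10.0.0.0/8")),
    # ssn-auditor can read any s3 field (including s3:field:ssn) during working hours with two approvals
    PolicyStatement("ssn-auditor", "read", S3_FIELDS,
                    AND(between(time(8, 0), time(18, 0)), approvals_at_least(2))),
]


def closure(start: Set[str], edges: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of an 'inherits from' / 'implies' relation."""
    seen, todo = set(start), list(start)
    while todo:
        for nxt in edges.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def effective_roles(subject: str) -> Set[str]:
    """Roles held directly, via group membership, and via role inheritance."""
    principals = {subject} | {g for g, members in GROUP_MEMBERS.items() if subject in members}
    direct = set().union(*(ROLE_ASSIGNMENTS.get(p, set()) for p in principals))
    return closure(direct, ROLE_INHERITS)

def resource_covers(stmt_res: str, req_res: str) -> bool:
    """Segment-wise prefix match: 's3:field' covers 's3:field:ssn' but not 's3:fields:ssn'."""
    return req_res == stmt_res or req_res.startswith(stmt_res + ":")

def request_context(source_ip: str, hour: int, approvals: int = 0) -> dict:
    """Run-time context the Limits are evaluated against (constructed for the example)."""
    return {"source_ip": source_ip, "time": time(hour, 0), "approvals": approvals}

def decide(subject: str, action: str, resource: str, ctx: dict) -> str:
    """Policy Decision: Allow or Deny for S attempting A on Rs in context ctx."""
    roles = effective_roles(subject)
    applicable = [s for s in POLICY
                  if s.role in roles
                  and action in closure({s.action}, ACTION_IMPLIES)
                  and resource_covers(s.resource, resource)]
    if not applicable:
        return "Deny"  # default deny: no statement covers the request
    # Grant-only combining: one applicable statement whose Limit holds is enough.
    return "Allow" if any(s.limit(ctx) for s in applicable) else "Deny"

def enforce(subject: str, action: str, resource: str, ctx: dict, operation: Callable[[], object]):
    """Policy Enforcement: run the operation only on an Allow decision."""
    if decide(subject, action, resource, ctx) != "Allow":
        raise PermissionError(f"{subject} may not {action} {resource}")
    return operation()
```

Note that `decide` never consults the group or role tables directly for the request; everything is reduced to the statement's four parts plus the context, which is what makes the Limit step the only place where run-time data enters. Swapping the last line of `decide` for a deny-overrides rule is a one-line change, which is exactly why the combining rule has to be written down rather than left implicit.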
Test of above definitions:
- Translate the policies implicit in the Paccman Primary Use Case Library (PPUCL) into the terminology of the proposed model
- Assess whether there are elements of those policies that are not expressible in terms of the proposed model
- Assess whether there are elements of the proposed model that do not figure in any of the policies implicit in the PPUCL
----------
- P*P architectures: proposed models,
- Application policy, enterprise policy, VO policy
- case studies - bamboo
...