...

When using externalized privileges, there are caching considerations. Caching can improve the performance of the application and reduce its dependencies on middleware components. If there are no real-time updates from the authorization system, the cached privileges can become stale. When there are many privilege resources and assignments that need to be checked, it is a good idea to cache the application's privileges for the entire user population, or for one user when they authenticate. If there are reports or queries that need to join available data with the allowed record types, the authorization information might need to be cached directly in the application's database. If there are limits on the authorizations, then the cached information is more complicated than just a list of allowed action/resource pairs.
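The following is an added example, not code from the page or from any of the projects it mentions. It sketches the three caching situations the paragraph raises: a per-user cache filled when the subject authenticates and treated as stale after a TTL (with an invalidate hook for the case where the authorization system does push updates), a grant with a limit that cannot be represented as a plain allowed action/resource pair, and the allowed record types copied into an application database table so a report can join against them. The authorization source, subjects, resources and quota values are all constructed for the example; a real deployment would query its authorization service where `_fetch` reads the dictionary.

```python
import sqlite3
import time
from dataclasses import dataclass, field

# Constructed stand-in for the external authorization system:
# subject -> {(action, resource): limit}. A limit of None means unlimited;
# an integer is a quota consumed per use. Not real data.
AUTHZ_SOURCE = {
    "alice": {("read", "directory/users"): None, ("export", "directory/users"): 2},
    "bob": {("read", "directory/users"): None},
}
_ABSENT = object()


@dataclass
class CachedGrants:
    grants: dict      # (action, resource) -> remaining limit or None
    loaded_at: float  # clock reading when fetched, used for staleness


@dataclass
class PrivilegeCache:
    """Per-user cache of grants, filled when the user authenticates and
    considered stale once ttl seconds have passed since it was loaded."""
    ttl: float
    clock: callable = time.monotonic   # injectable so staleness can be tested
    fetches: int = 0                   # how often the authorization system was asked
    _entries: dict = field(default_factory=dict)

    def _fetch(self, subject):
        # Replace with the real authorization service call in a deployment.
        self.fetches += 1
        return dict(AUTHZ_SOURCE.get(subject, {}))

    def load_on_authenticate(self, subject):
        self._entries[subject] = CachedGrants(self._fetch(subject), self.clock())

    def is_stale(self, subject):
        entry = self._entries.get(subject)
        return entry is None or self.clock() - entry.loaded_at > self.ttl

    def invalidate(self, subject):
        """Hook for a pushed change notification; drops the stale copy."""
        self._entries.pop(subject, None)

    def allowed(self, subject, action, resource):
        if self.is_stale(subject):
            self.load_on_authenticate(subject)  # refresh rather than decide on stale data
        grants = self._entries[subject].grants
        limit = grants.get((action, resource), _ABSENT)
        if limit is _ABSENT:
            return False
        if limit is None:
            return True
        if limit <= 0:
            return False
        # The quota is consumed against the local copy only. With several
        # application instances the authoritative count lives in the
        # authorization system, so a limited grant cannot be cached as a
        # simple yes/no the way an unlimited one can.
        grants[(action, resource)] = limit - 1
        return True

    def rows_for_database(self, subject, action="read"):
        """(subject, resource) rows for the resource types the subject may act
        on, suitable for loading into a table that application queries join."""
        if self.is_stale(subject):
            self.load_on_authenticate(subject)
        return sorted((subject, res) for (act, res) in self._entries[subject].grants
                      if act == action)


def visible_records(cache, subject):
    """Join constructed records with the cached allowed record types in an
    in-memory SQLite database, the pattern for reports that filter by
    privilege inside SQL rather than row by row in application code."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records(record_type TEXT, payload TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?)", [        # constructed rows
        ("directory/users", "jdoe"), ("directory/users", "asmith"),
        ("payroll/salary", "not for alice"),
    ])
    db.execute("CREATE TABLE readable(subject TEXT, record_type TEXT)")
    db.executemany("INSERT INTO readable VALUES (?, ?)", cache.rows_for_database(subject))
    rows = db.execute(
        "SELECT r.payload FROM records r JOIN readable a ON a.record_type = r.record_type "
        "WHERE a.subject = ? ORDER BY r.payload", (subject,)).fetchall()
    db.close()
    return [payload for (payload,) in rows]
```

The TTL is the trade-off the paragraph describes: a longer TTL means fewer calls to the authorization system and a longer window in which a revoked privilege is still honoured; a pushed invalidation closes that window without shortening the TTL.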

*** a brief interlude from Tom Dopirak

subject has privilege
(set of subjects) has privilege or group has privilege -- based on definition of group
subject has (set of privileges) or subject has role -- based on definition of role
(set of subjects) has (set of privileges) or group has role -- based on definitions

role has privilege translates to (set of privileges) has privilege, which doesn't really work

group is a convenience for a set of subjects
role is a convenience for a set of privileges


The LDAP or Grouper groups are an implementation of the set of subjects, a means of subject management (or identity management).
A role is a set of privileges; an implementation might be via position in an organization, the existence of an attribute associated with the subject, etc.

******end of interlude
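To make the interlude's algebra concrete, here is an added example (not code from the page or from Grouper) that models groups strictly as sets of subjects and roles strictly as sets of privileges, with the four "has" statements as the only assignment tables. The group, role, subject and privilege names are constructed sample data. It also shows why "role has privilege" is not a grant: it is membership in the role's definition and says nothing about any subject until a subject or group is bound to the role.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Privilege:
    action: str
    resource: str


@dataclass
class AuthzModel:
    """Groups are a convenience for sets of subjects; roles are a convenience
    for sets of privileges. The four assignment tables are the four 'has'
    statements from the interlude, and nothing else grants anything."""
    groups: dict = field(default_factory=dict)         # group name -> set of subjects
    roles: dict = field(default_factory=dict)          # role name -> set of Privilege
    subject_privs: dict = field(default_factory=dict)  # subject has privilege
    group_privs: dict = field(default_factory=dict)    # (set of subjects) has privilege
    subject_roles: dict = field(default_factory=dict)  # subject has (set of privileges)
    group_roles: dict = field(default_factory=dict)    # (set of subjects) has (set of privileges)

    def groups_of(self, subject):
        """Subject management: which sets of subjects contain this subject."""
        return {name for name, members in self.groups.items() if subject in members}

    def privileges_of(self, subject):
        """Expand all four assignment forms into the flat set of privileges
        the subject actually holds. Group membership is resolved first, then
        roles reached directly or through a group are expanded."""
        privs = set(self.subject_privs.get(subject, ()))
        role_names = set(self.subject_roles.get(subject, ()))
        for group in self.groups_of(subject):
            privs |= self.group_privs.get(group, set())
            role_names |= self.group_roles.get(group, set())
        for role in role_names:
            privs |= self.roles.get(role, set())
        return privs

    def has_privilege(self, subject, action, resource):
        return Privilege(action, resource) in self.privileges_of(subject)

    def role_includes(self, role, action, resource):
        """'Role has privilege' is membership in the role's definition, not a
        grant to anyone; it is true even if no subject holds the role."""
        return Privilege(action, resource) in self.roles.get(role, set())


def demo_model():
    """Constructed sample data (not from the page) exercising every assignment form."""
    read_users = Privilege("read", "directory/users")
    update_users = Privilege("update", "directory/users")
    return AuthzModel(
        groups={"directory-admins": {"alice", "bob"}},
        roles={"directory-editor": {read_users, update_users}},
        subject_privs={"carol": {read_users}},                                   # subject has privilege
        group_privs={"directory-admins": {Privilege("read", "directory/audit")}},  # group has privilege
        subject_roles={"dave": {"directory-editor"}},                            # subject has role
        group_roles={"directory-admins": {"directory-editor"}},                  # group has role
    )
```

Because subject management and privilege management are separate tables, removing bob from the group revokes everything he held through it without touching the role definition, and redefining the role changes what every holder can do without touching any membership.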

    • Follow the attributes
    • Are there really use cases where access requires real-time evaluation, or is static or cached evaluation enough?
      • Use cases using "presence detection": is this person physically in a building or a room?
      • Use cases with quota evaluation, metering or rate limiting a for-fee service?
    • case studies
  • attribute delivery recipe:
    • SAML between IdP & SP
    • SPML, XMPP (Grouper) for push provisioning
      • XMPP is a messaging protocol that many institutions already run, with known security and addressing standards
        • JMS or ActiveMQ? AMQP as a wire protocol.
    • LDAP, privilege registry or web service for pull provisioning
      • is there existing MACE-Dir work to build on?
  • generalizing to federated scenarios and VOs
    • What is the namespace (URIs vs URNs) and what are the object characteristics for privileges?
      • what are the special problems in namespace choice?
        • The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may be applied to a subset of either.
        • Some architectures take the "CRUD" view where everything is mapped to create, read, update, delete on specific objects.
        • Some architectures use privilege names scoped to the resources they reference.
        • examples
        • The actual privilege may be represented differently by the policy enforcement points in an application or service, or may be represented in multiple applications or services.
      • Fifer using URIs, e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users would specify a group; would a privilege be
        • privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read the equivalent?
  • authorization and access control
    • case studies in production
  • rule-based access control
  • policy, a generic model
    • P*P architectures: proposed models,
      • Application policy, enterprise policy, VO policy
    • case studies - bamboo
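The namespace question above asks whether a privilege could be named with a URI the way the group example names a set of subjects. The following added example (not code from the page, from Fifer, or from Grouper) works through one possible reading of the privilege URI quoted in the notes: the host is the authority whose policy defines the privilege, the path is the resource the name is scoped to, and the final path segment is a CRUD action. That split is an assumption for the example, not something the notes settle. The `is_granted` check keeps the authority in the comparison, which is the federated point: a privilege named in one organization's namespace does not satisfy a check phrased in another's.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# The "CRUD view" from the notes; treating the last path segment as one of
# these verbs is this example's reading of the URI form, not a standard.
CRUD_ACTIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class PrivilegeName:
    authority: str   # host whose policy defines the privilege
    resource: str    # resource path the privilege is scoped to
    action: str      # CRUD verb taken from the final path segment


def parse_privilege_uri(uri):
    """Parse privilege://<authority>/<resource path>/<action>; raise
    ValueError for anything that does not fit that shape, so a malformed or
    unexpected name is rejected rather than partially matched."""
    parts = urlsplit(uri)
    if parts.scheme != "privilege":
        raise ValueError(f"not a privilege URI: {uri}")
    if not parts.netloc:
        raise ValueError(f"privilege URI has no authority: {uri}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"privilege URI needs a resource and an action: {uri}")
    action = segments[-1].lower()
    if action not in CRUD_ACTIONS:
        raise ValueError(f"unknown action {action!r} in {uri}")
    # Hostnames are case-insensitive, so the authority is normalised;
    # the resource path is compared exactly.
    return PrivilegeName(parts.netloc.lower(), "/" + "/".join(segments[:-1]), action)


def parse_group_uri(uri):
    """group://<authority>/<group path>: a name for a set of subjects, returned
    as (authority, path) for comparison with the privilege form."""
    parts = urlsplit(uri)
    if parts.scheme != "group" or not parts.netloc or parts.path in ("", "/"):
        raise ValueError(f"not a group URI: {uri}")
    return parts.netloc.lower(), parts.path.rstrip("/")


def is_granted(granted_uris, authority, resource, action):
    """True when the requested action on resource, under the given authority,
    equals one of the granted names. No prefix or wildcard matching: a grant
    on /apps/s3/fields/ssn says nothing about /apps/s3/fields."""
    wanted = PrivilegeName(authority.lower(), resource, action.lower())
    return any(parse_privilege_uri(u) == wanted for u in granted_uris)
```

Scoping the name to the resource, as the second architecture in the list does, means the policy enforcement point only has to compare names; mapping that name onto whatever local representation an application uses is a separate step that this example leaves out.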

...