
This is based on the Grouper API for central permission management, though genericized. Note that this is not a suggestion of what the API itself should look like; it describes what data needs to go in and out. Whether the transport ends up being SAML, XACML or something else is fine.

Objects

Subject

Data for something that can be assigned privileges, returned from the privilege server

<subject>
  <id>12345</id>
  <source>pennperson</source>
  <name>John Smith</name>
  <description>John Smith (12345, jsmith) Staff, Director of Human Resources</description>
  <attributes>
    <attribute>
      <name>pennkey</name>
      <values>
        <value>jsmith</value>
      </values>
    </attribute>
  </attributes>
</subject>
  • id is a unique identifier within the source which does not change
  • source is one of a few sources of subjects (e.g. within the institution, and external)
  • name is a name to display
  • description is configurable for the site or source; it could be blank, the same as name, or something descriptive
  • attributes are multivalued and could be anything

Subject lookup

Used to lookup a subject in the system

<subjectLookup>
  <id>12345</id>
  <source>pennperson</source>
  <identifier>jsmith</identifier>
</subjectLookup>
  • pass in either an id or an identifier. Identifier is configured to look up the subject, e.g. by netId
  • source is optional, though if provided it makes the query more efficient, and more reliable if the same id is used across multiple sources

Subject abbrev

Used to point to a subject object without repeating its full data, to save space

<subjectAbbrev>
  <id>12345</id>
  <source>pennperson</source>
</subjectAbbrev>

Role

Used to represent a role associated with the user and permissions

<role>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>users</name>
  <displayName>Users</displayName>
</role>

Role lookup

Used to lookup a role

<roleLookup>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>users</name>
</roleLookup>

Permission resource

Resource assigned to a subject in the context of a role and action

<permission>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>org1</name>
  <displayName>Org 1</displayName>
</permission>

Permission resource lookup

Lookup a permission resource

<permissionLookup>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>org1</name>
</permissionLookup>

Application

Collection of roles, permissions, etc

<application>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>paidTimeOff</name>
  <displayName>Paid Time Off</displayName>
</application>

Application lookup

Lookup an application

<applicationLookup>
  <namespace>
    <folder>penn</folder>
    <folder>apps</folder>
    <folder>someApp</folder>
  </namespace>
  <name>paidTimeOff</name>
</applicationLookup>

Permission assignment

This object is returned from the permissions server

<permissionAssignment>
  <permission>
    <namespace>
      <folder>penn</folder>
      <folder>apps</folder>
      <folder>someApp</folder>
    </namespace>
    <name>org1</name>
    <displayName>Org 1</displayName>
  </permission>
  <action>read</action>
  <role>
    <namespace>
      <folder>penn</folder>
      <folder>apps</folder>
      <folder>someApp</folder>
    </namespace>
    <name>users</name>
    <displayName>Users</displayName>
  </role>
  <subjectAbbrev>
    <id>12345</id>
    <source>pennperson</source>
  </subjectAbbrev>
  <active>T|F</active>
  <attributes>
    <attribute>
      <name>ipAddress</name>
      <values>
        <value>1.2.3.4</value>
      </values>
    </attribute>
  </attributes>
</permissionAssignment>
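As an added example (not part of the original page or the Grouper code), the following parses permissionAssignment documents of the shape above and answers "may subject S perform action A on resource R?" with a deny-by-default check. The function names, the ':'-joined qualified names and the treatment of active are assumptions of this example.

```python
# Added example, not part of the original page: parse <permissionAssignment> documents of the
# shape shown above and answer "may subject S perform action A on resource R?" deny-by-default.
# Function names and the attribute handling are assumptions of this example.
import xml.etree.ElementTree as ET  # for documents from untrusted parties use defusedxml.ElementTree

def qualified_name(node):
    """Join the namespace folders and the name with ':' so 'penn:apps:someApp:org1' is one key."""
    folders = [f.text for f in node.find("namespace").findall("folder")]
    return ":".join(folders + [node.findtext("name")])

def parse_assignment(xml_text):
    """Return the assignment as a plain dict; rejects anything that is not a <permissionAssignment>."""
    root = ET.fromstring(xml_text)
    if root.tag != "permissionAssignment":
        raise ValueError("expected <permissionAssignment>, got <%s>" % root.tag)
    subject = root.find("subjectAbbrev")
    attributes = {a.findtext("name"): [v.text for v in a.iter("value")]
                  for a in root.iter("attribute")}
    return {
        "permission": qualified_name(root.find("permission")),
        "action": root.findtext("action"),
        "role": qualified_name(root.find("role")),
        "subject": (subject.findtext("id"), subject.findtext("source")),
        # Only the literal "T" grants; a missing or malformed <active> is treated as inactive.
        "active": root.findtext("active") == "T",
        "attributes": attributes,
    }

def is_permitted(assignments, subject_id, source, permission, action):
    """Deny by default: grant only if an active assignment matches subject, resource and action."""
    return any(a["active"] and a["subject"] == (subject_id, source)
               and a["permission"] == permission and a["action"] == action
               for a in assignments)

# Constructed sample input: the page's example assignment rendered compactly, once granting
# read (active T) and once with write revoked (active F).
_TEMPLATE = ("<permissionAssignment><permission><namespace><folder>penn</folder><folder>apps</folder>"
             "<folder>someApp</folder></namespace><name>org1</name><displayName>Org 1</displayName>"
             "</permission><action>{action}</action><role><namespace><folder>penn</folder>"
             "<folder>apps</folder><folder>someApp</folder></namespace><name>users</name>"
             "<displayName>Users</displayName></role><subjectAbbrev><id>12345</id>"
             "<source>pennperson</source></subjectAbbrev><active>{active}</active><attributes>"
             "<attribute><name>ipAddress</name><values><value>1.2.3.4</value></values></attribute>"
             "</attributes></permissionAssignment>")
SAMPLE = [parse_assignment(_TEMPLATE.format(action="read", active="T")),
          parse_assignment(_TEMPLATE.format(action="write", active="F"))]
```

Note that the check matches on subject id and source together, as the Subject lookup section recommends, so an id reused by another source does not match.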
