- privileges, a generic model
- group, role and role hierarchies, draft proposal for MACE-wide model and definition
- Are the definitions in the glossary good enough or are their others that are more widely accepted?
- mace documents ( grouper) vs other standards groups
- Are the definitions in the glossary good enough or are their others that are more widely accepted?
- group, role and role hierarchies, draft proposal for MACE-wide model and definition
Groups/roles vs privileges
Applications have various access control needs to control which subjects have access to what. This is generally for applications which require authentication, though the authorization could also apply to anonymous subjects (who would get privileges from an anonymous role). There are several decisions for access control for applications including: groups vs roles, roles vs privileges vs hybrid, hard-coded privileges vs external privileges vs centralized privileges.
When applications protect resources by checking if the authenticated user is in a group, they are implicitly making a virtual role from the group. For example, if the application code checks if the authenticated user is in the institution's "student" group, in order for them to see the main screen of the application, then there is an implicit hard-coded privilege resource of "main-screen", and action "view", assigned to the role "studentUser", which is assigned to the group "student". Though it is referred to as security by group, it is actually a role.
Generally an application will have a handful or up to a couple of dozen roles. These roles are generally mapped to job function or affiliation. For example there could be roles for student, staff, instructor, admin, billingAdmin, anonymousUser, etc. Note that set of roles varies across applications as needed. Roles are used as a security template that multiple subjects can be assigned to for common access.
If not all subjects in a role have the exact same access, then they need personalized privileges assigned to them. The authorization system might assign privileges directly to the subject, or in the context of an application, or in the context of a role. Either way, the subject will have privileges that are different from other subject in their role. An example is to specify which data-sets the subject has access to when searching for data or running reports.
If there is no access control framework or central system, then hard-coding the privileges in the application might be the easiest way to code an application. An external privilege management system separated the privilege resources from the code, but still runs in the same application for that application. A central authorization system maintains the roles and privileges in a central location as middleware for multiple applications. External or centralized authorization gives the application run-time flexibility for changes in access control policy and authorization reporting. Centralized authorization systems can show subject's privileges across applications and can ease revocation. Certainly as auditing requirements increase, and sharing of access control policies across multiple applications, centralized authorization is required. If there is a common on-boarding workflow application, then centralized authorization can make the architecture more homogeneous.
When using externalized privileges, there are caching considerations. Caching can improve the performance of the application and reduce the dependencies of middleware components. If there are not real-time updates from the authorization system, then the privileges can become stale. When there are a lot of privilege resources and assignments which need to be checked, it is a good idea to cache the application's privileges for the entire user population, or for one user when the authenticate. If there are reports or queries which need to join available data with the allowed record types, the authorization information might need to be cached directly in the application's database. If there are limits on the authorizations, then it is more complicated then just a list of allowed action/resource pairs.
-
- Follow the attributes
- Are there really use cases when access requires realtime evaluation or is static evaluation or cached evaluations enough?
- Use cases using "presence detection" , is this person physically in a building or a room
- Use cases with quota evaluation, metering or rate limiting a for fee service?
- case studies
- attribute delivery recipe:
- SAML between IdP & SP
- SPML, XMPP ( grouper) for push provisioning
- XMPP is a messaging protocol that many institutions already run with known security and addressing standards
- JMS or activeMQ ? AMQP as a wire protocol.
- XMPP is a messaging protocol that many institutions already run with known security and addressing standards
- LDAP , privilege registry or webservice for pull provisioning
- is there existing mace-dir work to build on?
- generalizing to federated scenarios and VOs
- What is the namespace ( URIs vs URNs) and object characteristics for privileges
- what are the special problems in namespace choice?
- The name/meaning of a privilege may reflect the policy intention of an organization or a virtual organization and may be applied to subset of either.
- Some architectures take the "CRUD" view where everything is mapped to create, read, update, delete on specific objects
- Some architectures use privilege names scoped to the resources they reference.
- examples
- urn:mace:edu:cmu:andrew:s3:field:ssn=read
- urn:mace:edu:cmu:andrew:s3:canreadssns
- http://www.cmu.edu/andrew/s3/fields/ssn/read
- The actual privilege may be represented differently by the policy enforcement points in an application or service or may be represented in multiple application for services
- Fifer using URIs e.g. group://prodGrouper.upenn.edu/penn/apps/directory/users would specify a group so would a privlege be
- privilege://accessmanager.andrew.cmu.edu/apps/s3/fields/ssn/read be the equivalent?
- what are the special problems in namespace choice?
- What is the namespace ( URIs vs URNs) and object characteristics for privileges
- authorization and access control
**case studies in production - rule-based access control
- Authorization Techniques and Strategies
**XACML , DROOLS, others
- Authorization Techniques and Strategies
- policy, a generic model
- P*P architectures: proposed models,
- Application policy, enterprise policy, VO policy
- case studies - bamboo
- P*P architectures: proposed models,
- Examples of access management in production
- performance issues and design tradeoffs
- Experience with commercial and open source offerings
- The Aegis Identity Management Suite based on open standards tools
- Delegation