# | Issue | Comment |
---|---|---|
1 | Protocols | What protocols should be supported for interactions between the PEPs within the relying party application and the PDP? OAuth? XACML? |
2 | Integration | It seems too complex to insist on call-outs to a PDP from each point within an application that needs to enforce some form of access control. |
3 | Groups | Aren't groups enough? That is, practically speaking, an app can base most of its access control decisions on a set of group memberships that are made available in the SAML assertion at the time the user shows up. |
4 | Entitlements | An alternative to groups (which tend to put access control logic at the application end) is entitlements (which tend to put access control logic at the IdP end). |
5 | Rules | Are there situations in which it is beneficial to go beyond groups and entitlements and manage access via policy rules that are evaluated at the time the user seeks to perform a particular action on a particular resource? |
6 | Prior art | There are a number of software packages and defined processes with which rule-based access control could be implemented today. |
7 | BGP as analogue | We need something like the Border Gateway Protocol (BGP) before we can ramp up support for distributed/federated authZ. |
8 | Policy Management | How can we give people the ability to create and manage policies in an intuitive and easy way? |
9 | User issues | How do we let users know what resources they have access to, and what the RP/SP's policy is? In general, how do we give the user appropriate control over the process? |
10 | Containers | Change the containers, not the apps; then the integration challenges are easier to deal with (Django/VOOT as an example). |
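Rows 3, 4 and 5 contrast three places the access-control logic can live: in the app keyed on group memberships from the assertion, at the IdP as pre-computed entitlements, or in a PDP evaluating rules at request time. The example below, added here and not code from the original page or any project it names, evaluates the same request under all three models so the difference is concrete. The eduPerson attribute names (isMemberOf, eduPersonEntitlement) are real; the group names, entitlement URNs, resource model, grading window and rules are constructed for the example.

```python
"""Added example: the three access-control styles from the table side by side.

Models group-based (logic in the app), entitlement-based (logic at the IdP,
shipped in the assertion) and rule-based (a PDP evaluating policy per request)
authorization for the same request. Everything below the attribute names
(group names, URNs, resource types, rules) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Request:
    subject: dict      # attributes the SP received in the SAML assertion
    action: str        # "read" or "write"
    resource: dict     # attributes of the resource the PEP is guarding
    now: datetime      # time of the access attempt


# Model 1: groups. The assertion carries memberships; the mapping from
# (action, resource type) to permitted groups lives in the application.
GROUP_POLICY = {
    ("read", "grade-report"): {"faculty", "registrar"},
    ("write", "grade-report"): {"registrar"},
}


def allow_by_group(req: Request) -> bool:
    needed = GROUP_POLICY.get((req.action, req.resource["type"]), set())
    return bool(needed & set(req.subject.get("isMemberOf", [])))


# Model 2: entitlements. The IdP has already decided and ships a value the
# app only has to match; the app holds no policy of its own.
def allow_by_entitlement(req: Request) -> bool:
    wanted = f"urn:example:grade-report:{req.action}"   # constructed URN
    return wanted in req.subject.get("eduPersonEntitlement", [])


# Model 3: rules. A PDP evaluates policy against subject, action, resource
# and environment attributes at the moment of the request. Rules are
# (name, predicate, effect); the first applicable rule wins and anything
# unmatched is denied, mirroring XACML's first-applicable combining algorithm.
def grading_window_open(now: datetime) -> bool:
    return 1 <= now.month <= 5          # constructed: spring grading window


RULES = [
    ("owner-reads-own-report",
     lambda r: r.action == "read" and r.resource["owner"] == r.subject["uid"],
     "Permit"),
    ("registrar-writes-in-window",
     lambda r: r.action == "write"
     and "registrar" in r.subject.get("isMemberOf", [])
     and grading_window_open(r.now),
     "Permit"),
    ("faculty-reads-any",
     lambda r: r.action == "read" and "faculty" in r.subject.get("isMemberOf", []),
     "Permit"),
]


def pdp_decide(req: Request) -> tuple:
    """Return (effect, rule_name). Default deny when no rule applies."""
    for name, applies, effect in RULES:
        if applies(req):
            return effect, name
    return "Deny", "default-deny"


def pep_enforce(req: Request) -> bool:
    """The enforcement point: call out to the PDP and act on its decision."""
    effect, _rule = pdp_decide(req)
    return effect == "Permit"


def compare(req: Request) -> dict:
    """Evaluate one request under all three models."""
    return {
        "groups": allow_by_group(req),
        "entitlements": allow_by_entitlement(req),
        "rules": pep_enforce(req),
    }


# Two constructed scenarios that separate the models.
def example_student_reads_own_report() -> dict:
    student = {"uid": "alice", "isMemberOf": ["student"], "eduPersonEntitlement": []}
    report = {"type": "grade-report", "owner": "alice"}
    return compare(Request(student, "read", report, datetime(2024, 3, 1)))


def example_registrar_writes_out_of_window() -> dict:
    registrar = {"uid": "bob", "isMemberOf": ["registrar"],
                 "eduPersonEntitlement": ["urn:example:grade-report:write"]}
    report = {"type": "grade-report", "owner": "alice"}
    return compare(Request(registrar, "write", report, datetime(2024, 8, 1)))


if __name__ == "__main__":
    print(example_student_reads_own_report())
    print(example_registrar_writes_out_of_window())
```

The first scenario is the row 5 case: neither a group nor an entitlement can express "the owner of this particular record", so both deny a student reading her own report while the rule permits it. The second goes the other way: group and entitlement both say a registrar may write, but the rule denies because the environment attribute (time of request) is outside the grading window. Both conditions depend on data only known at the moment of the request, which is what the PEP-to-PDP call-out in rows 1 and 2 buys at the cost of the integration complexity row 2 objects to.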