Privileges, a generic model

Please see the new version.

A Group is a collection of subjects.  An example of using a group without using authorization is an email list.  A Role is a collection of privileges that is shared by all subjects assigned to the role, which generally describes the subjects' affiliation, job function, or responsibility.  A Resource is the part of the system which needs to be protected by authorization, and it represents a noun in a privilege assignment.  The Action is the verb of the privilege assignment which allows a resource to be assigned to a subject in various ways without creating more resources .  For example SubjectA can view (action) the Math department data (resource).  A Privilege Assignment associates the subject with the actions and resources that they are allowed to perform.  A Limit is a condition on the privilege assignment which must be true at run-time for the privilege assignment to be allow.  Examples of limits are time of day, source IP address, amounts of approvals, etc.

Many of the parts of the privilege model can have inheritance from other objects.  The privilege management system might require the inheritance to be a hierarchy, or maybe it is required to be acyclic, or maybe it could be a directed graph. 

If the system allows a group to be added as a member of another group, then membership in a group implies membership to other groups.  Role inheritance means that privileges assigned to a role are inherited to other roles.  For instance, to reuse the definition of a role, a role SeniorLoanAdministrator could be allowed to do everything a LoanAdministrator can do, plus a few more privilege assignments.  Note that if there is role inheritance, it does not mean that a subject assigned to SeniorLoanAdministrator is also assigned to role LoanAdministrator.  Inheritance on actions means that assigning an action to a subject for a resource also implies that subject has other actions on that resource.  For instance, subjects with Action<Write> on a resource might also implicitly be able to Action<Read> the resource.  In other cases, the read action might need to be assigned separately from write.

Resource inheritance means that subjects which are assigned an action on a resource have other implied resources for that action (and inherited actions).  An institution's organization chart or course structure could be modeled as privilege resources.  Instructors could be granted privileges on individual courses, and deans could be granted privilege actions on entire departments or schools.  Sometime a resource which implies other resources is referred to as a role, however, it might be that the bundle of resources qualifies a role instead of defines a new role.

Groups, roles, privileges, and external authorization

Applications have various access control needs to control which subjects have access to what.  This is generally for applications which require authentication, though the authorization could also apply to anonymous subjects (who would get privileges from an anonymous role).  There are several decisions for access control for applications including:  groups vs roles, roles vs privileges vs hybrid, hard-coded privileges vs external privileges vs centralized privileges.

When applications protect resources by checking if the authenticated user is in a group, they are essentially using a group as if it were a role.  For example, if the application code checks if the authenticated user is in the institution's "student" group, in order for them to see the main screen of the application, then there is an implicit hard-coded privilege resource of "main-screen", and action "view", assigned to the role "studentUser", which is assigned to the group "student".  Though it is referred to as security by group, it is actually a role.

Generally an application will have a handful or up to a couple of dozen roles.  These roles are generally mapped to job function or affiliation.  For example there could be roles for student, staff, instructor, admin, billingAdmin, anonymousUser, etc.  Note that set of roles varies across applications as needed.  Roles are used as a security template that multiple subjects can be assigned to for common access.

If not all subjects in a role have the exact same access, then they need personalized privileges assigned to them.  The authorization system might assign privileges directly to the subject, or in the context of an application, or in the context of a role.  Either way, the subject will have privileges that are different from other subjects assigned to the same role.  An example is to specify which data-sets the subject has access to when searching for data or running reports.  If the authorization system supports applications with subjects which select one role at a time to use the application, then individual privileges should be able to be assigned in context of one role.  The subject will not need to have elevated privileges at all times, and thus will be less likely to accidentally perform tasks that only the elevated role can perform.

If there is no access control framework or central system, then hard-coding the privileges in the application might be the easiest way to code an application.  An external privilege management system separated the privilege resources from the code, but still runs in the same application for that application.  A central authorization system maintains the roles and privileges in a central location as middleware for multiple applications.  External or centralized authorization gives the application run-time flexibility for changes in access control policy and authorization reporting.  Centralized authorization systems can show subject's privileges across applications and can ease revocation.  Certainly as auditing requirements increase, and sharing of access control policies across multiple applications, centralized authorization is required.  If there is a common on-boarding workflow application, then centralized authorization can make the architecture more homogeneous.

When using externalized privileges, there are caching considerations.  Caching can improve the performance of the application and reduce the dependencies of middleware components.  If there are not real-time updates from the authorization system, then the privileges can become stale.  When there are a lot of privilege resources and assignments which need to be checked, it is a good idea to cache the application's privileges for the entire user population, or for one user when the authenticate.  If there are reports or queries which need to join available data with the allowed record types, the authorization information might need to be cached directly in the application's database.  If there are limits on the authorizations, then it is more complicated then just a list of allowed action/resource pairs.

Access control policy management

Using Paccman terminology, a generic access policy statement P reads

P <==> Subject S in Role Ro can perform Action A on Resource Rs constrained by Limits L


Abstract Definitions of Policy Elements:

Test of above definitions: