
Subject: RE: [cloudauthz] a definition of 'Entitlement' - proposal


Mike,

We do most of the work on email lists, so please feel free to post your views.

regards

From: cloudauthz@lists.oasis-open.org [mailto:cloudauthz@lists.oasis-open.org] On Behalf Of Mike Poulin
Sent: Tuesday, January 22, 2013 9:34 AM
To: Smith, Thomas C.; cloudauthz@lists.oasis-open.org
Subject: RE: [cloudauthz] a definition of 'Entitlement' - proposal

Hi All,

I am not sure if we are supposed to debate via e-mail. With apologies, let me comment on Tom's definition (and Tom is certainly welcome to comment on mine). If this is not the right move on my side, please let me know.

1) IMO, the statement "An entitlement is what you get by virtue" does not explain what entitlement actually is.

2) Entitlement does not necessarily assume an embedded action of verifying what it implies; sometimes this action is performed beforehand and 'entitlement' appears in its final state - a guarantee of access to something.

3) Yes, "privilege is the consequence of applying policy to entitlement(s)", not the entitlement itself. However, the aforementioned verification action may be a part of an Entitlement Process that leads to the actual Entitlement. This process is very important indeed.

4) In my practice, a Resource owner did not always control the policy and the access; in many cases the resource owner was not even aware of who consumed the Resource and how.

Example of control of policy with no control of the Actor's access action: public SOA Services (not Web Services or REST); an implicit Service Contract (according to the OASIS SOA RAF spec) does not require any additional controls to access the Service besides the policies publicly announced in the Service Description. So, an assumption of the owner's control depends on the owner and the Resource and cannot be a general case.

Example of no control over access policy: a) an explicit SOA Service Contract is owned by both the consumer and the service (Resource) owner; b) if a Service publishes a public interface that is not mentioned in the Service Contract with a particular consumer, the latter can access this interface regardless of the owner's policy. This does not mean that the consumer will gain the expected result, but it does not prevent the access action.

Thank you,
- Michael Poulin

----- Original Message -----

From: Smith, Thomas C.

Sent: 01/22/13 01:52 PM

To: Mike Poulin, cloudauthz@lists.oasis-open.org

Subject: RE: [cloudauthz] a definition of 'Entitlement' - proposal


All,

So here’s my two cents…

An entitlement is what you get by virtue of membership regardless of how it’s obtained (birth, grant, activity, etc.). It implies, but does not guarantee or even specify privilege (where privilege is allowing a subject’s requested resource action in a given context).  To say it another way, privilege is the consequence of applying policy to entitlement(s). This separation of concerns is very important because the resource owner controls the policy, not the entitlement manager. So if you bind them in the design then it will not scale across resource owners that don’t have the same policy set.

-tom

From: cloudauthz@lists.oasis-open.org [mailto:cloudauthz@lists.oasis-open.org] On Behalf Of Mike Poulin
Sent: Tuesday, January 22, 2013 8:12 AM
To: cloudauthz@lists.oasis-open.org
Subject: [cloudauthz] a definition of 'Entitlement' - proposal

Hello All,
here is a proposal for a definition of Entitlement:

An Entitlement is:

• A concept of having a right to something, or a guarantee of access to something, based on established rights or legislation. A "right" is itself an entitlement associated with a moral or social principle, such that an "entitlement" is a provision made in accordance with the legal framework of a society.

• A process of on- and off-boarding an entitlement system, claiming and assigning access rights, and administering the entitlement system.

• A system (manual or automated) that physically realises the entitlement process, keeps entitlement entries, and maintains permissions and access rights for, as well as information about, the actors and resources covered by the entitlement.


Cheers,
- Michael Poulin
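As an added illustration that is not part of the thread (my own construction, not OASIS or TC code), the Python sketch below models Tom's separation of concerns together with Mike's third bullet: an entitlement system that only records memberships, and per-resource-owner policies applied to those memberships in the request context to yield a privilege decision. The names `EntitlementStore`, `POLICIES`, `decide`, the memberships and the context keys are all assumptions.

```python
# Added example (not from the thread): the entitlement manager records only
# membership; each resource owner applies its own policy to that membership in
# the request context, and the resulting decision is the privilege.

class EntitlementStore:
    """Entitlement manager: on/off-boards memberships, knows no policy."""

    def __init__(self):
        self._entries = set()  # {(subject, membership)}

    def grant(self, subject, membership):
        self._entries.add((subject, membership))

    def revoke(self, subject, membership):
        self._entries.discard((subject, membership))

    def memberships(self, subject):
        return {m for s, m in self._entries if s == subject}

# Constructed policies, one per resource owner: rules of
# (membership, action, context predicate). Owners need not agree with each other.
POLICIES = {
    "hr": [("employee", "read", lambda c: c.get("network") == "corp"),
           ("hr_admin", "write", lambda c: True)],
    "finance": [("auditor", "read", lambda c: True)],
}

def decide(policies, store, subject, resource, action, context):
    """Privilege = the resource owner's policy applied to the subject's
    entitlements in the request context; an unknown resource means deny."""
    held = store.memberships(subject)
    return any(m in held and a == action and cond(context)
               for m, a, cond in policies.get(resource, []))

def demo():
    """Same entitlements, different owners' policies, different privileges."""
    store = EntitlementStore()
    store.grant("alice", "employee")
    store.grant("bob", "auditor")
    out = {
        "alice_hr_corp": decide(POLICIES, store, "alice", "hr", "read", {"network": "corp"}),
        "alice_hr_public": decide(POLICIES, store, "alice", "hr", "read", {"network": "public"}),
        "alice_finance": decide(POLICIES, store, "alice", "finance", "read", {"network": "corp"}),
        "bob_finance": decide(POLICIES, store, "bob", "finance", "read", {}),
    }
    store.revoke("bob", "auditor")  # off-boarding touches only the entitlement store
    out["bob_after_revoke"] = decide(POLICIES, store, "bob", "finance", "read", {})
    return out

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "allowed" if allowed else "denied")
```

Changing HR's rules never requires touching the finance policy or the entitlement store, which is the scaling property Tom describes.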