

Subject: RE: [cloudauthz] attribute/role mapping


Hi Folks,
I have posted a presentation with my thoughts about an Entitlement Model and my notes re Radu's diagram into the CloudAuthZ document repository on the OASIS site (next to Radu's documents): https://www.oasis-open.org/apps/org/workgroup/soa-rm-ra/documents.php

I think there are a lot of points for our discussion.

Thanks,
- Michael

 

----- Original Message -----

From: Marian, Radu

Sent: 01/22/13 03:37 PM

To: David Chadwick, cloudauthz@lists.oasis-open.org

Subject: RE: [cloudauthz] attribute/role mapping


 
Dear David, 

Thank you for your insight/inquiry into "organizational roles vs. business process (aka workflow role)" and if the proposed entitlements model has a way to distinguish them. 

I now understand your question.  Organizational roles based on Job Codes, Company Hierarchy, etc. are (will be) part of "Team Profile" topic.  The reason I did not show them - I wanted to get a lightly attributed entitlements model out - for discussion.  By default all the roles in the current entitlements model are Business Process / Workflow Roles. 

Organizational roles seem to play a bigger role during Entitlement Assignment phase as well as during Access Provisioning.  So currently the "Identifier" topic does not have a relation to "Organization Role" (which does not exist) - so it may be problematic if during Run Time phases Organization Roles are to be checked. 

Could you please provide links to the white papers you referenced below?  Are they freely available? 

Regards, 
Radu Marian, MSCS, SCEA, CISSP 
Bank of America - Charlotte, NC 
VP, Architect 2, Enterprise Security Architecture
Business phone number: (704) 628-6874 
an Enterprise without Ontology is like a country without a map. 

-----Original Message----- 
From: cloudauthz@lists.oasis-open.org [mailto:cloudauthz@lists.oasis-open.org] On Behalf Of David Chadwick 
Sent: Monday, January 21, 2013 2:25 PM 
To: cloudauthz@lists.oasis-open.org 
Subject: [cloudauthz] attribute/role mapping 

Dear All 

Regarding the Entitlement Ontology diagram 
(https://www.oasis-open.org/apps/org/workgroup/cloudauthz/download.php/47813/entitlement.ontology.png) 
I raised the issue of attribute or role mapping between the 
organisational role that a user possesses and the business process role 
that is needed to participate in the workflow. 

Either the entitlement should contain the workflow role and the mapping 
be done by the entitlement provider, or the entitlement contains the 
organisational role and the mapping is done by the resource provider. In 
our own research we are currently adding the latter approach to OpenStack. 

There are a number of published papers that talk about this, e.g. 

M. Coetzee and J.H.P. Eloff. Virtual Enterprise Access Control 
Requirements. In Proceedings of the 2003 annual research conference of 
the South African institute of computer scientists and information 
technologists on Enablement through technology (SAICSIT), volume 47, 
pages 285-294. ACM Press, 2003. 

B. S. Firozabadi, O. Olsson, and E. Rissanen. Managing Authorisations in 
Dynamic Coalitions. Technical report, Swedish Institute of Computer 
Science, 2003. 

M. H. Kang, J. S. Park, and J. N. Froscher. Access Control Mechanisms 
for Inter-Organizational Workflow. In Proceedings of the sixth ACM 
symposium on Access control models and technologies, pages 66-74, 
Chantilly, Virginia, USA, May 2001. ACM Press. 

J. S. Park, K. P. Costello, T. M. Neven, and J. A. Diosomito. A 
Composite RBAC Approach for Large, Complex Organizations. In Proceedings 
of the ninth ACM symposium on Access control models and technologies, 
pages 163-172, Yorktown Heights, New York, USA, June 02-04 2004. ACM Press. 

regards 

David 

--------------------------------------------------------------------- 
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at: 
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 


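The two placements of the organisational-role to workflow-role mapping that David describes above (mapping done by the entitlement provider, so the entitlement carries the workflow role; or mapping done by the resource provider, so the entitlement carries the organisational role), as an added example that is not part of this thread or of the CloudAuthZ TC's material. The role names, mapping table, issuer identifiers and actions are constructed for illustration.

```python
"""Two placements of the organisational-role -> workflow-role mapping.

Constructed illustration (not code from the OASIS CloudAuthZ TC): every
identifier, role name and table entry below is made up.
"""
from dataclasses import dataclass

# Constructed mapping table: which organisational roles may act in which
# business-process (workflow) roles. One organisational role may map to
# several workflow roles; an unmapped role yields no workflow role at all.
ORG_TO_WORKFLOW = {
    "acme:finance-manager": {"approve-invoice", "view-invoice"},
    "acme:accounts-clerk": {"submit-invoice", "view-invoice"},
}

# Constructed policy at the resource provider: the workflow role each
# protected action requires.
ACTION_REQUIRES = {
    "invoice:submit": "submit-invoice",
    "invoice:approve": "approve-invoice",
    "invoice:read": "view-invoice",
}

# Constructed set of entitlement providers the resource provider accepts.
TRUSTED_ISSUERS = {"ep.example"}


@dataclass(frozen=True)
class Entitlement:
    """Minimal entitlement: issuer, subject, and the roles it carries.
    role_kind records whether those roles are organisational or workflow
    roles, so the resource provider knows whether it still has to map them."""
    issuer: str
    subject: str
    role_kind: str          # "organisational" or "workflow"
    roles: frozenset


def map_org_roles(org_roles):
    """Apply the mapping table; unknown organisational roles map to nothing."""
    workflow = set()
    for role in org_roles:
        workflow |= ORG_TO_WORKFLOW.get(role, set())
    return frozenset(workflow)


def entitlement_provider_issue(subject, org_roles, issuer="ep.example"):
    """First alternative: the entitlement provider performs the mapping and
    issues an entitlement that already carries workflow roles."""
    return Entitlement(issuer, subject, "workflow", map_org_roles(org_roles))


def entitlement_provider_issue_passthrough(subject, org_roles, issuer="ep.example"):
    """Second alternative: the entitlement carries the organisational roles
    unchanged; the resource provider holds the mapping table."""
    return Entitlement(issuer, subject, "organisational", frozenset(org_roles))


def resource_provider_decide(ent, action):
    """Grant only if a trusted issuer's entitlement yields the workflow role
    the action requires. Mapping happens here only when the entitlement
    carries organisational roles; everything unrecognised is denied."""
    if ent.issuer not in TRUSTED_ISSUERS:
        return False
    required = ACTION_REQUIRES.get(action)
    if required is None:
        return False                      # unknown action: deny by default
    if ent.role_kind == "workflow":
        effective = ent.roles             # already mapped upstream
    elif ent.role_kind == "organisational":
        effective = map_org_roles(ent.roles)
    else:
        return False                      # malformed entitlement
    return required in effective


def compare_placements(subject, org_roles, action):
    """Run one request through both placements. With a single shared mapping
    table the two decisions must agree; a divergence means the two parties'
    copies of the table have drifted apart."""
    by_provider = entitlement_provider_issue(subject, org_roles)
    by_resource = entitlement_provider_issue_passthrough(subject, org_roles)
    return (resource_provider_decide(by_provider, action),
            resource_provider_decide(by_resource, action))


if __name__ == "__main__":
    print(compare_placements("alice", {"acme:accounts-clerk"}, "invoice:submit"))
    print(compare_placements("alice", {"acme:accounts-clerk"}, "invoice:approve"))
    print(compare_placements("bob", {"acme:unknown-role"}, "invoice:read"))
```

The code makes the trade-off concrete: in the first placement the resource provider never sees the organisational role and must trust the entitlement provider's mapping, while in the second the resource provider keeps the table and can change it without reissuing entitlements, at the cost of learning organisational structure it may not need. Either way, the check only trusts listed issuers and denies unmapped roles and unknown actions.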
