Re: [cloudauthz] a definitino of 'Entitlement' - proposal

[David Chadwick <d.w.chadwick@kent.ac.uk>]

Hi Mike

On 22/01/2013 14:45, Mike Poulin wrote:
> Hi David,
>
> what is incorrect with the concept of entitlement and why we should not
> use it (we stillhave not defined what is it)?

it depends on who issued it to the user (the actor I think in your 
terminology). If the resource owner issued it to the user, then it is a 
right (unless the resource owner has revoked it since issuing it, then 
it is no longer a right or entitlement to anything). But if another 
entity issued it to the user (such as an Identity Provider) then it does 
not automatically confer any right on the user.  This is why I am saying 
that entitlement is the wrong term to use.


> I am surprised - "the user provides an identity credential, which may or
> may not grant the user access to a resource"  - I never saw that simply
> identity performed an action and granted (or not) a right. I think, we
> need a more accurate expression here. What I saw is somebody or
> something granted or not granted a right to an Actor based on its
> identity (digital, biological, etc.)

and how was that identity asserted? I am saying it was via an identity 
credential issued to the user by an identity provider.



> I agree with "Entitlement is a right." However, this definition is
> incomplete, IMO, becuase if it is all, then why we need a term
> 'entitlement' instead of 'right'? I think, we have to include the Actor
> and the Resource into the definition of Entitlement.

By actor you presumably mean the user or principal who wants to access 
the resource.

regards

David
> What I wrote initially may be a definition of an Entitlement Solution.
>
> Thanks,
> - Michael Poulin
>
>
>
>
> > ----- Original Message -----
> >
> > From: David Chadwick
> >
> > Sent: 01/22/13 02:21 PM
> >
> > To: Mike Poulin
> >
> > Subject: Re: [cloudauthz] a definitino of 'Entitlement' - proposal
> >
> >
> >
> > I think the concept of entitlement is not the correct one and we should
> > not be using it. Rather, I think that the user provides an identity
> > credential, which may or may not grant the user access to a resource.
> >
> > Entitlement is a right. But the user's credential is not always a right.
> > The resource holder (the cloud service provider) can decide which
> > credentials it will accept and which it will not.
> >
> > regards
> >
> > David
> >
> >
> > On 22/01/2013 13:12, Mike Poulin wrote:
> > > Hello All,
> > >   here is a proposal for a definitino of Entitlement:
> > >
> > > An Entitlement is
> > >
> > >   * ·A concept of having a right to something or a guarantee of access
> > >     to something or based on established rights or by legislation. A
> > >     "right" is itself an entitlement associated with a moral or social
> > >     principle, such that an "entitlement" is a provision made in
> > >     accordance with the legal framework of a society.
> > >   * ·A process of on- and off-boarding an entitlement system, claiming
> > >     and assigning access rights, and administering the entitlement system
> > >   * ·A system (manual or automated) that physically realises the
> > >     entitlement process, keeps entitlement entries, maintains
> > >     permissions and access rights for as well as information about the
> > >     actors and resources covered by the entitlement
> > >
> > >
> > >
> > > Cheers,
> > > - Michael Poulin