Subject: Use Case Submission: Attribute and Provider Reliability Indexes

Submitter: Darran Rolls, SailPoint

Title: Employing a "Reliability Index" in federated policy decision flows

Abstract:
When designing a policy within a federated authorization system, the policy designer places a high degree of overall system integrity in the "quality" of the attributes used in a given policy decision. The active exchange of attributes and data between relying parties in distributed cloud / federated authorization systems makes it hard to design policies that allow for the varying levels of controls and assurance placed around attribute management lifecycle controls.

Goal or Desired Outcome:
The policy author is able to define a policy that allows for the real-time assessment of the reliability of an attribute provider, or the individual reliability of any attribute it provides. This allows varying levels of access control policy to be applied depending on the value of the reliability index retrieved for the provider and/or its attributes. When reliability is low, the policy author defines more approvals/controls and less access for the same decision matrix, applied to the same set of identity attributes. This should allow for better decisions to be made.

Applicable Deployment and Service Models:
This user story applies to the following cloud deployment and service models.
Cloud Deployment Models: Private, Public, Community, Hybrid

Actors:
The Attribute Authority
The Policy Author
The Policy Decision Point

Systems: TBD

Notable Services: TBD

Assumptions:
1. An operating trust model exists within a federated access authorization system. The overall system is appropriately configured to allow for policy decision flows in accordance with the use case.
2. More TBD...

Process Flow:
The POLICY_AUTHOR writes a policy that only provides access to PROTECTED_RESOURCE if the SPECIFIC_SUBJECT is OVER_21. The ATTRIBUTE_PROVIDER asserts that SPECIFIC_SUBJECT is over 21, and carries out a physical driving license inspection and an in-person interview. ATTRIBUTE_PROVIDER assigns a very high ATTRIBUTE_RELIABILITY_INDEX to its OVER_21 attribute due to its strong internal control procedures. In this case, the ATTRIBUTE_PROVIDER is awarded a high PROVIDER_RELIABILITY_INDEX because it is the Texas DMV and is the actual issuer of the driving license in question. When OVER_21 is true and either the ATTRIBUTE_RELIABILITY_INDEX or the PROVIDER_RELIABILITY_INDEX is high, the SPECIFIC_SUBJECT is provided direct access to PROTECTED_RESOURCE. If either the ATTRIBUTE_RELIABILITY_INDEX or the PROVIDER_RELIABILITY_INDEX is not high, then SPECIFIC_SUBJECT is asked to confirm their age before being provided access to PROTECTED_RESOURCE.
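The process flow above, worked through as a small policy decision point. This is an added example and not code from the submission or from SailPoint; the assertion shape, the 0.0..1.0 index scale, the HIGH_THRESHOLD value and the subject/provider names are all assumptions chosen for illustration. The two flow sentences are read as complementary: at least one high index gives direct access, otherwise the subject is sent to a step-up age confirmation. Malformed index values fail closed (treated as not high), so a bad assertion can never raise the level of access.

```python
"""Added example: a minimal PDP for the OVER_21 / reliability-index flow.

Assumptions (not stated in the use case): indexes are floats on a 0.0..1.0
scale, "high" means >= HIGH_THRESHOLD, and direct access is granted when at
least one of the two indexes is high, step-up confirmation otherwise.
"""
from dataclasses import dataclass
from enum import Enum

HIGH_THRESHOLD = 0.8  # assumed policy parameter; tune per deployment


class Decision(Enum):
    PERMIT = "permit"            # direct access to PROTECTED_RESOURCE
    CONFIRM_AGE = "confirm_age"  # step-up: subject must confirm their age
    DENY = "deny"


@dataclass(frozen=True)
class AttributeAssertion:
    """One attribute as asserted by an ATTRIBUTE_PROVIDER (constructed shape)."""
    subject: str
    provider: str
    name: str
    value: bool
    attribute_reliability_index: float  # ATTRIBUTE_RELIABILITY_INDEX
    provider_reliability_index: float   # PROVIDER_RELIABILITY_INDEX


def is_high(index) -> bool:
    """An index is 'high' only if it is a valid 0.0..1.0 value at or above the
    threshold. Out-of-range or non-numeric values fail closed (not high)."""
    return (isinstance(index, (int, float))
            and 0.0 <= index <= 1.0
            and index >= HIGH_THRESHOLD)


def decide(assertion: AttributeAssertion) -> Decision:
    """The POLICY_AUTHOR's rule for PROTECTED_RESOURCE."""
    if assertion.name != "OVER_21":
        raise ValueError(f"policy expects OVER_21, got {assertion.name!r}")
    if not assertion.value:
        return Decision.DENY  # subject is not over 21: no access at all
    if (is_high(assertion.attribute_reliability_index)
            or is_high(assertion.provider_reliability_index)):
        return Decision.PERMIT
    # Low reliability: more controls for the same attribute set.
    return Decision.CONFIRM_AGE


def decide_after_confirmation(assertion: AttributeAssertion,
                              subject_confirmed: bool) -> Decision:
    """Second pass after the step-up: access only if the subject confirmed."""
    first = decide(assertion)
    if first is not Decision.CONFIRM_AGE:
        return first
    return Decision.PERMIT if subject_confirmed else Decision.DENY


# Constructed sample assertions; subjects, providers and values are illustrative.
TEXAS_DMV = AttributeAssertion("alice", "texas-dmv", "OVER_21", True, 0.95, 0.90)
SELF_ASSERTED = AttributeAssertion("bob", "social-login", "OVER_21", True, 0.30, 0.40)
MIXED = AttributeAssertion("erin", "state-idp", "OVER_21", True, 0.50, 0.85)
UNDER_AGE = AttributeAssertion("carol", "texas-dmv", "OVER_21", False, 0.95, 0.90)
MALFORMED = AttributeAssertion("dave", "unknown-idp", "OVER_21", True, 7.0, -1.0)

if __name__ == "__main__":
    for a in (TEXAS_DMV, SELF_ASSERTED, MIXED, UNDER_AGE, MALFORMED):
        print(f"{a.subject:6} via {a.provider:13} -> {decide(a).value}")
```

Note that both indexes arrive from the provider itself, so the PDP only gets value from them once the provider's identity is established through the trust model the use case assumes; the threshold and the fail-closed handling of bad values are where the policy author encodes "less access when reliability is low".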