RE: [sca-policy] ISSUE 57: Fine grain authorization intent

["Joshi, Kaanu" <Kaanu.Joshi@patni.com>]

Hi,

A new issue has been created in the SCA Policy TC JIRA. The link to this issue is http://www.osoa.org/jira/browse/POLICY-57.

Please add Rich Levinson's ID to the JIRA. I could not locate his ID and hence have assigned myself as the "Reporter" of this issue.

Regards,
Kaanu Joshi
Expect A Miracle!


-----Original Message-----
From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Monday, June 30, 2008 7:02 AM
To: OASIS Policy
Subject: [sca-policy] NEW ISSUE: fine grain authorization intent (resend w editing reformatted)

TARGET: SCA Policy spec WD05

DESCRIPTION: at present, section 7.3 only contains
coarse grain authorization configuration capabilities
(role restrictions and authenticated-user restriction).

It is anticipated that application interface points,
in particular, specific operations, will need to be
able to call an authorization service. This would in
a number of ways be analogous to confidentiality
or integrity on messages, except the context would
probably be broader than just the message and include
user context, appl context, and system context as the
scope to which the policy would be applied. (For
example, time of day restrictions, or user must be
manager of the employee whose record is being accessed
restriction, or the usual, user must be over 21 years
old restriction.)

The details of exactly what form this authorization will
take place are not cast in concrete, however one
example is the XACML request response protocol, where the
PEP, which is typically the module that is handling
confidentiality and integrity type services, would also
handle the fine grain authorization services, except later
in the cycle, typically after the operation has actually
been entered and the relevant context available for
collection of the necessary attributes needed to apply
the fine grain authorization rules.

The suggestion at this point is only to provide a hook
for this capability, with the thought in mind that it
might be expanded later. For example, we might have
an intent called "finegrain" and possibly later extend
it to have qualified sub-intents like "finegrain.timeofday"
or "finegrain.mustbemanager", of "finegrain.ageover21check".
It would seem that an appl dev would often be able to
indicate that these kind of authorization checks would
be appropriate to apply, and that a finegrain intent
with specific qualifiers might be a good way to express
these requirements.

PROPOSAL: further discussion then concrete
    proposal if necessary


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


This e-mail message may contain proprietary, confidential or legally privileged information for the sole use of the person or entity to whom this message was originally addressed. Any review, e-transmission dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this e-mail in error kindly delete  this e-mail from your records. If it appears that this mail has been forwarded to you without proper authority, please notify us immediately at netadmin@patni.com and delete this mail.