Subject: RE: [sca-policy] ISSUE 57: Fine grain authorization intent
Hi,

A new issue has been created in the SCA Policy TC JIRA. The link to this issue is http://www.osoa.org/jira/browse/POLICY-57. Please add Rich Levinson's ID to the JIRA. I could not locate his ID and hence have assigned myself as the "Reporter" of this issue.

Regards,
Kaanu Joshi
Expect A Miracle!

-----Original Message-----
From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Monday, June 30, 2008 7:02 AM
To: OASIS Policy
Subject: [sca-policy] NEW ISSUE: fine grain authorization intent (resend w editing reformatted)

TARGET: SCA Policy spec WD05

DESCRIPTION: at present, section 7.3 only contains coarse grain authorization configuration capabilities (role restrictions and authenticated-user restriction). It is anticipated that application interface points, in particular, specific operations, will need to be able to call an authorization service. This would in a number of ways be analogous to confidentiality or integrity on messages, except the context would probably be broader than just the message and include user context, appl context, and system context as the scope to which the policy would be applied. (For example, time of day restrictions, or user must be manager of the employee whose record is being accessed restriction, or the usual, user must be over 21 years old restriction.)

The details of exactly what form this authorization will take are not cast in concrete, however one example is the XACML request response protocol, where the PEP, which is typically the module that is handling confidentiality and integrity type services, would also handle the fine grain authorization services, except later in the cycle, typically after the operation has actually been entered and the relevant context available for collection of the necessary attributes needed to apply the fine grain authorization rules. The suggestion at this point is only to provide a hook for this capability, with the thought in mind that it might be expanded later.
For example, we might have an intent called "finegrain" and possibly later extend it to have qualified sub-intents like "finegrain.timeofday" or "finegrain.mustbemanager", or "finegrain.ageover21check". It would seem that an appl dev would often be able to indicate that these kinds of authorization checks would be appropriate to apply, and that a finegrain intent with specific qualifiers might be a good way to express these requirements.

PROPOSAL: further discussion then concrete proposal if necessary
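Added example, not part of this thread or of the SCA Policy specification: a toy Python PEP hook that evaluates the qualified finegrain.* sub-intents named in the mail (timeofday, mustbemanager, ageover21check) against the user, application and system context collected after the operation is entered, failing closed on qualifiers it has no rule for. The business-hours window, the context field names and the sample data are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Context:
    """User, application and system context gathered after the operation is entered."""
    user: dict          # e.g. {"id": "u1", "age": 34, "manages": {"e7"}}
    resource: dict      # e.g. {"owner": "e7"}, the employee record being accessed
    now: datetime       # system context (clock)

# One predicate per qualified sub-intent named in the mail. The business-hours
# window and the context field names are assumptions made for this example.
def check_timeofday(ctx: Context) -> bool:
    return time(8, 0) <= ctx.now.time() < time(18, 0)

def check_mustbemanager(ctx: Context) -> bool:
    return ctx.resource.get("owner") in ctx.user.get("manages", set())

def check_ageover21check(ctx: Context) -> bool:
    return ctx.user.get("age", 0) > 21

QUALIFIERS = {
    "timeofday": check_timeofday,
    "mustbemanager": check_mustbemanager,
    "ageover21check": check_ageover21check,
}

def authorize(intents: list[str], ctx: Context) -> tuple[bool, list[str]]:
    """PEP hook: every finegrain.<qualifier> intent on the operation must pass.
    Unknown qualifiers deny (fail closed). Returns (decision, failed qualifiers)."""
    failed = []
    for intent in intents:
        prefix, _, qualifier = intent.partition(".")
        if prefix != "finegrain" or not qualifier:
            continue  # other intents (e.g. confidentiality) or the bare hook
        pred = QUALIFIERS.get(qualifier)
        if pred is None or not pred(ctx):
            failed.append(qualifier)
    return (not failed, failed)

def sample_context(hour: int, age: int, owner: str) -> Context:
    """Constructed sample context: user u1 manages employee e7 only."""
    return Context(user={"id": "u1", "age": age, "manages": {"e7"}},
                   resource={"owner": owner},
                   now=datetime(2008, 6, 30, hour, 0))

if __name__ == "__main__":
    print(authorize(["finegrain.timeofday", "finegrain.mustbemanager"],
                    sample_context(10, 34, "e7")))  # (True, [])
```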