Subject: RE: Definition of "entitlement" in SAML
I must confess I have consciously steered this group (and its predecessor DeAnza) away from the use of this term. Here is why.

An entitlement is essentially a particular type of user attribute. Generally it is understood to be a user attribute that corresponds directly to enabling access to some resource. The modern tendency is instead to assign user attributes which reflect organizational roles or jobs and interpose a policy layer that grants access to specific resources using the user attribute among other inputs. This approach encapsulates different aspects of access control and is much more suitable for large-scale systems. It is particularly important in federated environments. It also better reflects organizational and operational structure and is thus more likely to be successful in the long run than an approach that primarily reflects technological artifacts. This approach is reflected in the SAML (and now XACML) Domain Model and the structure of SAML Assertions.

Here is an example.

Entitlement approach: The code management system administrator gives Joe the Source Code Access entitlement.

Encapsulated approach: The corporate security office gives Joe the means to authenticate himself. The IT division administrator identifies Joe with the Software Engineer attribute. The code management system administrator creates a policy that all Software Engineers are entitled to Source Code Access during normal business hours.

Hal

> -----Original Message-----
> From: Sai Allavarpu [mailto:sai.allavarpu@sun.com]
> Sent: Friday, October 05, 2001 1:43 PM
> To: Eve L. Maler; security-services@lists.oasis-open.org
> Subject: Definition of "entitlement" in SAML
>
> Is there a formal glossary or otherwise definition of the term "entitlement"
> in SAML or other OASIS standards?
>
> Thanks,
> Sai.
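The contrast Hal draws between a directly granted entitlement and an attribute plus a policy layer is easy to see in code. The following is an added example, not code from the thread or from any SAML/XACML implementation: one party (the IT division) asserts a job attribute, a different party (the code management administrator) writes a policy over that attribute and the time of day, and a decision point evaluates them per request with a default of Deny. The names (Joe, Ann, "Software Engineer", "source-code"), the rule shape, and the definition of business hours are hypothetical; the SAML/XACML domain model is only approximated here.

```python
"""Entitlements vs. attributes plus policy (added example, hypothetical names)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Set, Tuple


# ---- Entitlement approach: the resource admin grants access directly ----
class EntitlementStore:
    """One flat table of user -> set of per-resource grants."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[str]] = {}

    def grant(self, user: str, entitlement: str) -> None:
        self.grants.setdefault(user, set()).add(entitlement)

    def allows(self, user: str, entitlement: str) -> bool:
        # Only the grant itself is consulted: no job, no hours, no context.
        return entitlement in self.grants.get(user, set())


# ---- Encapsulated approach: attributes asserted by one party, policy ----
# ---- written by another, decision computed on each request --------------
@dataclass
class Assertion:
    """Subject attributes vouched for by the identity authority (IT division),
    in the spirit of a SAML attribute statement handed to a relying party."""
    subject: str
    attributes: Dict[str, Set[str]] = field(default_factory=dict)

    def has(self, name: str, value: str) -> bool:
        return value in self.attributes.get(name, set())


@dataclass
class Rule:
    """'Subjects with <required> may <action> <resource> while <condition> holds'."""
    resource: str
    action: str
    required: Tuple[str, str]                      # (attribute name, value)
    condition: Callable[[datetime], bool] = lambda now: True


def business_hours(now: datetime) -> bool:
    """Hypothetical 'normal business hours': Mon-Fri, 09:00 to 17:00."""
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


class PolicyDecisionPoint:
    """Evaluates rules against an assertion; Deny when no rule applies."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, assertion: Assertion, resource: str, action: str,
               now: datetime) -> str:
        for rule in self.rules:
            if (rule.resource, rule.action) != (resource, action):
                continue
            if assertion.has(*rule.required) and rule.condition(now):
                return "Permit"
        return "Deny"


def scenario() -> Dict[str, object]:
    """Walks the Joe example under both approaches and returns the outcomes."""
    # Entitlement approach: the code management admin grants Joe directly.
    store = EntitlementStore()
    store.grant("joe", "Source Code Access")

    # Encapsulated approach: IT asserts the job attribute ...
    joe = Assertion("joe", {"job": {"Software Engineer"}})
    ann = Assertion("ann", {"job": {"Accountant"}})
    # ... and the code management admin writes the policy once.
    pdp = PolicyDecisionPoint()
    pdp.add_rule(Rule("source-code", "read", ("job", "Software Engineer"),
                      business_hours))

    friday_10am = datetime(2001, 10, 5, 10, 0)   # Fri 5 Oct 2001 (constructed)
    friday_10pm = datetime(2001, 10, 5, 22, 0)
    results: Dict[str, object] = {
        "entitlement_joe_any_time": store.allows("joe", "Source Code Access"),
        "policy_joe_business_hours": pdp.decide(joe, "source-code", "read", friday_10am),
        "policy_joe_after_hours": pdp.decide(joe, "source-code", "read", friday_10pm),
        "policy_ann_business_hours": pdp.decide(ann, "source-code", "read", friday_10am),
    }
    # Joe changes jobs: IT updates the attribute, the policy is untouched,
    # and access disappears with no action by the code management admin.
    joe.attributes["job"] = {"Accountant"}
    results["policy_joe_after_transfer"] = pdp.decide(joe, "source-code", "read", friday_10am)
    # Under the entitlement approach the stale grant survives the transfer.
    results["entitlement_joe_after_transfer"] = store.allows("joe", "Source Code Access")
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The last two results are the practical payoff of the encapsulated approach: a job change handled by the identity authority revokes access everywhere a policy keys on the old attribute, whereas a direct entitlement has to be found and removed by every resource administrator who ever granted one.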