Subject: Re: [cloudauthz] attribute/role mapping

Because of the risk of being persecuted by the US law enforcement agencies, as was Aaron Swartz, I do think I can send these documents to the list. The best way to get them, if your company does not have a subscription to ACM, is either to pay $25 to ACM for each one, or to email the authors directly for free copies. Erik Rissanen is very active in XACML so he will gladly send you his paper <erik@axiomatics.com>. Joon Park is jspark@syr.edu and he has authored another two of them. I don't know the authors of the first paper.



On 22/01/2013 15:37, Marian, Radu wrote:
Dear David,

Thank you for your insight/inquiry into "organizational roles vs. business process (aka workflow role)" and if the proposed entitlements model has a way to distinguish them.

I now understand your question.  Organizational roles based on Job Codes, Company Hierarchy, etc. are (will be) part of "Team Profile" topic.  The reason I did not show them - I wanted to get a lightly attributed entitlements model out - for discussion.  By default all the roles in the current entitlements model are Business Process / Workflow Roles.

Organizational roles seem to play a bigger role during Entitlement Assignment phase as well as during Access Provisioning.  So currently the "Identifier" topic does not have a relation to "Organization Role" (which does not exist) - so it may be problematic if during Run Time phases Organization Roles are to be checked.

Could you please provide links to the white papers you referenced below?  Are they freely available?

Radu Marian, MSCS, SCEA, CISSP
Bank of America - Charlotte, NC
VP, Architect 2, Enterprise Security Architecture
Business phone number: (704) 628-6874
an Enterprise without Ontology is like a country without a map.

-----Original Message-----
From: cloudauthz@lists.oasis-open.org [mailto:cloudauthz@lists.oasis-open.org] On Behalf Of David Chadwick
Sent: Monday, January 21, 2013 2:25 PM
To: cloudauthz@lists.oasis-open.org
Subject: [cloudauthz] attribute/role mapping

Dear All

Regarding the Entitlement Ontology diagram
I raised the issue of attribute or role mapping between the
organisational role that a user possesses and the business process role
that is needed to participate in the workflow.

Either the entitlement should contain the workflow role and the mapping
be done by the entitlement provider, or the entitlement contains the
organisational role and the mapping is done by the resource provider. In
our own research we are currently adding the latter approach to OpenStack.

There are a number of published papers that talk about this, e.g.

M. Coetzee and J.H.P. Eloff. Virtual Enterprise Access Control
Requirements. In Proceedings of the 2003 annual research conference of
the South African institute of computer scientists and information
technologists on Enablement through technology (SAICSIT), volume 47,
pages 285-294. ACM Press, 2003.

B. S. Firozabadi, O. Olsson, and E. Rissanen. Managing Authorisations in
Dynamic Coalitions. Technical report, Swedish Institute of Computer
Science, 2003.

M. H. Kang, J. S. Park, and J. N. Froscher. Access Control Mechanisms
for Inter-Organizational Workflow. In Proceedings of the sixth ACM
symposium on Access control models and technologies, pages 66-74,
Chantilly, Virginia, USA, May 2001. ACM Press.

J. S. Park, K. P. Costello, T. M. Neven, and J. A. Diosomito. A
Composite RBAC Approach for Large, Complex Organizations. In Proceedings
of the ninth ACM symposium on Access control models and technologies,
pages 163-172, Yorktown Heights, New York, USA, June 02-04 2004. ACM Press.
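The two placements of the mapping described in David's message (workflow role issued by the entitlement provider, or organisational role issued and mapped at the resource provider), and the run-time problem Radu notes when an entitlement carries no organisational-role relation, as an added Python example that is not part of the thread or of any cloudauthz deliverable. The role names, the `ORG_TO_WORKFLOW` table, the workflow steps and the sample entitlements are all constructed for illustration.

```python
"""Organisational-role -> workflow-role mapping at two trust boundaries.

Added example; not code from the cloudauthz thread. All role names,
the mapping table and the entitlements below are constructed.
"""
from dataclasses import dataclass

# Constructed policy data: organisational roles asserted by a user's home
# organisation, mapped to the business-process (workflow) roles that a
# workflow step actually checks.
ORG_TO_WORKFLOW = {
    "purchasing_manager": {"order_approver", "order_viewer"},
    "purchasing_clerk": {"order_viewer"},
}

# Constructed workflow: each step names the single workflow role it requires.
STEP_REQUIRES = {
    "approve_order": "order_approver",
    "view_order": "order_viewer",
}


@dataclass(frozen=True)
class Entitlement:
    """What the entitlement provider issues. Exactly one of the two role
    sets is populated, depending on where the mapping is done."""
    subject: str
    org_roles: frozenset = frozenset()        # approach B: mapped by the RP
    workflow_roles: frozenset = frozenset()   # approach A: mapped by the EP


def map_org_roles(org_roles, mapping):
    """Expand organisational roles via `mapping`; unknown roles yield nothing."""
    out = set()
    for role in org_roles:
        out |= mapping.get(role, set())
    return frozenset(out)


def issue_workflow_entitlement(subject, org_roles):
    """Approach A: the entitlement provider performs the mapping and the
    entitlement carries workflow roles the resource provider can use directly."""
    return Entitlement(subject=subject,
                       workflow_roles=map_org_roles(org_roles, ORG_TO_WORKFLOW))


def issue_org_entitlement(subject, org_roles):
    """Approach B: the entitlement provider issues organisational roles
    unchanged; interpreting them is left to the resource provider."""
    return Entitlement(subject=subject, org_roles=frozenset(org_roles))


def resource_provider_allows(ent, step, rp_mapping=None):
    """Resource-provider decision for `step`.

    Workflow roles are compared directly. Organisational roles can only be
    used if the RP holds its own mapping (`rp_mapping`); an RP with no
    mapping cannot interpret them and must deny, which is the run-time gap
    that arises when the model has no organisational-role relation.
    """
    required = STEP_REQUIRES.get(step)
    if required is None:
        return False                       # unknown step: deny by default
    if ent.workflow_roles:
        return required in ent.workflow_roles
    if rp_mapping is None:
        return False                       # org roles present but unmappable
    return required in map_org_roles(ent.org_roles, rp_mapping)


if __name__ == "__main__":
    a = issue_workflow_entitlement("alice", ["purchasing_manager"])
    b = issue_org_entitlement("bob", ["purchasing_clerk"])
    print("A, manager approves:", resource_provider_allows(a, "approve_order"))
    print("B, clerk views (RP has mapping):",
          resource_provider_allows(b, "view_order", ORG_TO_WORKFLOW))
    print("B, clerk views (RP lacks mapping):",
          resource_provider_allows(b, "view_order"))
```

The trade-off the two functions make visible: with `issue_workflow_entitlement` the resource provider trusts the entitlement provider's interpretation of the user's organisational role, whereas with `issue_org_entitlement` every resource provider must maintain a mapping for each partner organisation's role vocabulary and denies anything it cannot map.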


