OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cloudauthz message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cloudauthz] a definitino of 'Entitlement' - proposal

Hi Mike

On 22/01/2013 14:45, Mike Poulin wrote:
Hi David,

what is incorrect with the concept of entitlement and why we should not
use it (we stillhave not defined what is it)?

it depends on who issued it to the user (the actor I think in your terminology). If the resource owner issued it to the user, then it is a right (unless the resource owner has revoked it since issuing it, then it is no longer a right or entitlement to anything). But if another entity issued it to the user (such as an Identity Provider) then it does not automatically confer any right on the user. This is why I am saying that entitlement is the wrong term to use.

I am surprised - "the user provides an identity credential, which may or
may not grant the user access to a resource"  - I never saw that simply
identity performed an action and granted (or not) a right. I think, we
need a more accurate expression here. What I saw is somebody or
something granted or not granted a right to an Actor based on its
identity (digital, biological, etc.)

and how was that identity asserted? I am saying it was via an identity credential issued to the user by an identity provider.

I agree with "Entitlement is a right." However, this definition is
incomplete, IMO, becuase if it is all, then why we need a term
'entitlement' instead of 'right'? I think, we have to include the Actor
and the Resource into the definition of Entitlement.

By actor you presumably mean the user or principal who wants to access the resource.



What I wrote initially may be a definition of an Entitlement Solution.

- Michael Poulin

----- Original Message -----

From: David Chadwick

Sent: 01/22/13 02:21 PM

To: Mike Poulin

Subject: Re: [cloudauthz] a definitino of 'Entitlement' - proposal

I think the concept of entitlement is not the correct one and we should
not be using it. Rather, I think that the user provides an identity
credential, which may or may not grant the user access to a resource.

Entitlement is a right. But the user's credential is not always a right.
The resource holder (the cloud service provider) can decide which
credentials it will accept and which it will not.



On 22/01/2013 13:12, Mike Poulin wrote:
> Hello All,
>   here is a proposal for a definitino of Entitlement:
> An Entitlement is
>   * ·A concept of having a right to something or a guarantee of access
>     to something or based on established rights or by legislation. A
>     "right" is itself an entitlement associated with a moral or social
>     principle, such that an "entitlement" is a provision made in
>     accordance with the legal framework of a society.
>   * ·A process of on- and off-boarding an entitlement system, claiming
>     and assigning access rights, and administering the entitlement system
>   * ·A system (manual or automated) that physically realises the
>     entitlement process, keeps entitlement entries, maintains
>     permissions and access rights for as well as information about the
>     actors and resources covered by the entitlement
> Cheers,
> - Michael Poulin

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]