Mike,
thanks for your feedback.
Regards,
Anil
On 03/11/2013 02:59 PM, mpoulin@usa.com wrote:
Sorry,
Folks, I was on holidays and missed the meeting.
I have a few questions to the submitted Use Case 1:
1) since when a context, i.e. a surrounding, includes the
subject, resource and actor? Isn't here a mixture of terms?
2) what does mean 'environment'; how is it defined? [How can
we write Use Cases before defining terms?]
3) Is "In a Cloud Computing Environment, access decisions need
to be made based on the context" a story or a solution? For
20 years of delaing with entitlement in the USA and UK, I
never heard that "access decisions need to be made based on
the context". I'd understand "... based on policies". Can we
have a different wording for this part of the case?
4) I do not understand this story. What is the story? What the
actor is doing with wat (otherwise, it is not a use-case).
What tasks come out of the story?
5) The ** Goal or Desired Outcome ** is not formulated in the
manner of 'goal'. Can we make it clear? (Where "a repository
or service" came from? They were not mentioned in the
"story").
6) What does mean ** Categories Covered **? Covered by what?
Where "Account and Attribute Management. (Provisioning) -
Audit and Compliance" came from? There is no logic in this
English text! (It is impossible to work together if instead of
writing things down someone assumes that others can read out
of his head).
7) All ** Categories Covered **, ** Applicable Deployment and
Service Models **, ** Actors **, ** Notable Services **, must
be articulated in the "story" or clearly assigned to the
_solution_ section (including** Assumptions ** and ** Process
Flow **). Otherwise, it is impossible to understand what is
given, what is proposed as a solution and how it may be
realised. So far, it is a total mess.
8) Strictly speaking in UML terms, the ** Process Flow ** is
NOT a use case but Activity or Interaction model. Cloud
Authorization Service and Cloud Entitlement Service came from
nowhere.
9) I think that the following flow violates Security 101:
"...The Cloud Entitlement Service returns a set of
permissions. The Cloud Authorization Service does the access
check based on the entitlements" - the permissions of the user
may be intersepted between Cloud Authorization Service and
Cloud Entitlement Service.
I do not think that this solution requires 2 services: Cloud
Authorization Service should be able to reach entitlement
resource and act a) as a PDP; b) as a PEP. That is, no
permissions shoud be exposed outside of the requesting Cloud
Authorization Service at all; all desicions should be made
inside the Cloud Authorization Service.
This is not a Use-case, this is a partially articulated task
and a _solution_.
- Michael Poulin
-----
Original Message -----
From:
Anil Saldhana
Sent:
03/01/13 08:16 PM
To:
cloudauthz@lists.oasis-open.org
Subject:
[cloudauthz] Use Case Submission: Context Driven
Entitlements
Submitter: Anil Saldhana, Red Hat Inc.
Version: 1
Use Case 1: Context Driven Entitlements
** Description/User Story **
In a Cloud Computing Environment, access decisions need to be made based
on the context. The context includes the subject, the resource, the action
, the environment and attributes of each of these. Access Decisions can be
made if entitlements or permissions the subject has, can be obtained.
** Goal or Desired Outcome **
Entitlements or permissions of a subject during an access decision check
can be
obtained from a repository or service.
** Categories Covered **
- Authorization.
- Account and Attribute Management. (Provisioning)
- Audit and Compliance.
** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, Paas and Iaas)
** Actors **
- Cloud User.
- Cloud Resource.
** Notable Services **
- Cloud Authentication Service.
- Cloud Authorization Service.
- Cloud Entitlement Service.
** Dependencies **
N/A
** Assumptions **
- Entitlements or permissions for a subject are stored in a repository
or can be obtained from an external service.
** Process Flow **
A Cloud User tries to access a Cloud Resource. The Cloud Authorization
Service tries to determine if the Cloud User
has access to the Cloud Resource. The Cloud Authorization Service needs
the permissions or the entitlements the Cloud
User has. It asks a Cloud Entitlement Service for the permissions or
entitlements the Cloud User has for the particular
Cloud Resource, for the particular action and the environment such as IP
Address, DateTime etc. The Cloud Entitlement
Service returns a set of permissions. The Cloud Authorization Service
does the access check based on the entitlements.
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
|