OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cloudauthz message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cloudauthz] Use Case Submission: Context Driven Entitlements

Mike,
  thanks for your feedback.

Regards,
Anil

On 03/11/2013 02:59 PM, mpoulin@usa.com wrote:
Sorry, Folks, I was on holidays and missed the meeting.

I have a few questions to the submitted Use Case 1:

1) since when a context, i.e. a surrounding, includes the subject, resource and actor? Isn't here a mixture of terms?

2) what does mean 'environment'; how is it defined? [How can we write Use Cases before defining terms?]

3) Is "In a Cloud Computing Environment, access decisions need to be made based on the context"   a story or a solution? For 20 years of delaing with entitlement in the USA and UK, I never heard that "access decisions need to be made based on the context". I'd understand "... based on policies". Can we have a different wording for this part of the case?

4) I do not understand this story. What is the story? What the actor is doing with wat (otherwise, it is not a use-case). What tasks come out of the story?

5) The ** Goal or Desired Outcome ** is not formulated in the manner of 'goal'. Can we make it clear? (Where "a repository or service" came from? They were not mentioned in the "story").

6) What does mean ** Categories Covered **? Covered by what? Where "Account and Attribute Management. (Provisioning) - Audit and Compliance" came from? There is no logic in this English text! (It is impossible to work together if instead of writing things down someone assumes that others can read out of his head).

7) All ** Categories Covered **, ** Applicable Deployment and Service Models **, ** Actors **, ** Notable Services **, must be articulated in the "story" or clearly assigned to the _solution_ section (including** Assumptions ** and ** Process Flow **). Otherwise, it is impossible to understand what is given, what is proposed as a solution and how it may be realised. So far, it is a total mess.

8) Strictly speaking in UML terms, the ** Process Flow ** is NOT a use case but Activity or Interaction model. Cloud Authorization Service and Cloud Entitlement Service came from nowhere.

9) I think that the following flow violates Security 101: "...The Cloud Entitlement Service returns a set of permissions. The Cloud Authorization Service does the access check based on the entitlements" - the permissions of the user may be intersepted between Cloud Authorization Service and Cloud Entitlement Service.

I do not think that this solution requires 2 services: Cloud Authorization Service should be able to reach entitlement resource and act a) as a PDP; b) as a PEP. That is, no permissions shoud be exposed outside of the requesting Cloud Authorization Service at all; all desicions should be made inside the Cloud Authorization Service.

This is not a Use-case, this is a partially articulated task and a _solution_.

- Michael Poulin 
 
 

 






 

----- Original Message -----

From: Anil Saldhana

Sent: 03/01/13 08:16 PM

To: cloudauthz@lists.oasis-open.org

Subject: [cloudauthz] Use Case Submission: Context Driven Entitlements

  
Submitter: Anil Saldhana, Red Hat Inc. 
Version: 1 

Use Case 1: Context Driven Entitlements 

** Description/User Story ** 

In a Cloud Computing Environment, access decisions need to be made based 
on the context. The context includes the subject, the resource, the action 
, the environment and attributes of each of these. Access Decisions can be 
made if entitlements or permissions the subject has, can be obtained. 

** Goal or Desired Outcome ** 

Entitlements or permissions of a subject during an access decision check 
can be 
obtained from a repository or service. 


** Categories Covered ** 

- Authorization. 
- Account and Attribute Management. (Provisioning) 
- Audit and Compliance. 

** Applicable Deployment and Service Models ** 

- All Cloud Deployment Models (Private, Public, Community and Hybrid) 
- All Service Models (SaaS, Paas and Iaas) 


** Actors ** 
- Cloud User. 
- Cloud Resource. 

** Notable Services ** 

- Cloud Authentication Service. 
- Cloud Authorization Service. 
- Cloud Entitlement Service. 


** Dependencies ** 
N/A 

** Assumptions ** 

- Entitlements or permissions for a subject are stored in a repository 
or can be obtained from an external service. 

** Process Flow ** 
A Cloud User tries to access a Cloud Resource. The Cloud Authorization 
Service tries to determine if the Cloud User 
has access to the Cloud Resource. The Cloud Authorization Service needs 
the permissions or the entitlements the Cloud 
User has. It asks a Cloud Entitlement Service for the permissions or 
entitlements the Cloud User has for the particular 
Cloud Resource, for the particular action and the environment such as IP 
Address, DateTime etc. The Cloud Entitlement 
Service returns a set of permissions. The Cloud Authorization Service 
does the access check based on the entitlements. 

--------------------------------------------------------------------- 
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at: 
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

 

 


 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]