Subject: NEW ISSUE: fine grain authorization intent
TARGET: SCA Policy spec WD05

DESCRIPTION: At present, section 7.3 only contains coarse grain authorization configuration capabilities (role restrictions and authenticated-user restriction). It is anticipated that application interface points, in particular specific operations, will need to be able to call an authorization service. This would in a number of ways be analogous to confidentiality or integrity on messages, except the context would probably be broader than just the message and include user context, appl context, and system context as the scope to which the policy would be applied. (For example, time of day restrictions, or a "user must be manager of the employee whose record is being accessed" restriction, or the usual "user must be over 21 years old" restriction.)

The details of exactly what form this authorization will take are not cast in concrete; however, one example is the XACML request/response protocol, where the PEP, which is typically the module that is handling confidentiality and integrity type services, would also handle the fine grain authorization services, except later in the cycle, typically after the operation has actually been entered and the relevant context is available for collection of the necessary attributes needed to apply the fine grain authorization rules.

The suggestion at this point is only to provide a hook for this capability, with the thought in mind that it might be expanded later. For example, we might have an intent called "finegrain" and possibly later extend it to have qualified sub-intents like "finegrain.timeofday", "finegrain.mustbemanager", or "finegrain.ageover21check". It would seem that an appl dev would often be able to indicate that these kinds of authorization checks would be appropriate to apply, and that a finegrain intent with specific qualifiers might be a good way to express these requirements.

PROPOSAL: further discussion, then a concrete proposal if necessary
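To make the proposed hook concrete, here is an added example (not part of the original post, the SCA Policy spec, or any XACML implementation) of a minimal XACML-style PEP/PDP pair in Python. It models the three qualified sub-intents named above as rules evaluated against a request context that carries user, application and system attributes, with deny-overrides combining. The names `Request`, `Rule`, `decide`, `enforce`, the attribute keys, and the sample contexts are all assumptions constructed for illustration.

```python
"""Fine-grain authorization hook sketch (added example, not spec code).
Rule names mirror the qualified sub-intents suggested in the post:
finegrain.timeofday, finegrain.mustbemanager, finegrain.ageover21check."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Any, Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """Context the PEP assembles after the operation has been entered."""
    subject: Dict[str, Any]                                   # user context
    resource: Dict[str, Any]                                  # appl context
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)  # system context


@dataclass
class Rule:
    """One qualified sub-intent: a target (does it apply?) and a condition."""
    intent: str
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool]


def years_between(born: date, today: date) -> int:
    """Whole years elapsed, counting a birthday only once it has passed."""
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


# Hypothetical rule set; attribute keys ("id", "manager_id", "now") are assumed.
RULES: List[Rule] = [
    Rule("finegrain.timeofday",
         target=lambda r: r.action == "update",
         condition=lambda r: 9 <= r.environment["now"].hour < 17),
    Rule("finegrain.mustbemanager",
         target=lambda r: r.resource.get("type") == "employee_record",
         condition=lambda r: r.subject["id"] == r.resource["manager_id"]),
    Rule("finegrain.ageover21check",
         target=lambda r: r.resource.get("type") == "age_restricted",
         condition=lambda r: years_between(
             r.subject["birthdate"], r.environment["now"].date()) >= 21),
]


def decide(rules: List[Rule], req: Request,
           intents: Optional[Set[str]] = None) -> str:
    """PDP: evaluate the rules whose target matches, deny-overrides.
    `intents` limits evaluation to the qualifiers attached to the operation."""
    decision = NOT_APPLICABLE
    for rule in rules:
        if intents is not None and rule.intent not in intents:
            continue
        if not rule.target(req):
            continue
        if not rule.condition(req):
            return DENY            # a single failing rule settles the outcome
        decision = PERMIT
    return decision


def enforce(rules: List[Rule], req: Request, operation: Callable[[], Any],
            intents: Optional[Set[str]] = None) -> Any:
    """PEP hook: deny-biased, so NotApplicable also blocks the operation."""
    decision = decide(rules, req, intents)
    if decision != PERMIT:
        raise PermissionError(f"{req.action} on {req.resource.get('type')}: {decision}")
    return operation()


def sample_decisions() -> Dict[str, str]:
    """Constructed contexts exercising each rule; returns PDP decisions."""
    in_hours = {"now": datetime(2024, 3, 5, 10, 30)}
    after_hours = {"now": datetime(2024, 3, 5, 22, 0)}
    record = {"type": "employee_record", "employee_id": "e42", "manager_id": "m7"}
    manager = {"id": "m7", "birthdate": date(1980, 6, 1)}
    peer = {"id": "e43", "birthdate": date(2005, 6, 1)}
    gated = {"type": "age_restricted"}
    return {
        "manager_in_hours": decide(RULES, Request(manager, record, "update", in_hours)),
        "manager_after_hours": decide(RULES, Request(manager, record, "update", after_hours)),
        "peer_read": decide(RULES, Request(peer, record, "read", in_hours)),
        "peer_age_gate": decide(RULES, Request(peer, gated, "read", in_hours)),
        "manager_age_gate": decide(RULES, Request(manager, gated, "read", in_hours)),
        "only_timeofday": decide(RULES, Request(peer, record, "update", in_hours),
                                 intents={"finegrain.timeofday"}),
        "no_rule": decide(RULES, Request(manager, {"type": "public"}, "read", in_hours)),
    }


def sample_enforce() -> Dict[str, str]:
    """Runs the PEP hook on a permitted and a denied request."""
    in_hours = {"now": datetime(2024, 3, 5, 10, 30)}
    record = {"type": "employee_record", "employee_id": "e42", "manager_id": "m7"}
    out = {}
    for label, who in (("manager", {"id": "m7"}), ("peer", {"id": "e43"})):
        try:
            out[label] = enforce(RULES, Request(who, record, "update", in_hours),
                                 lambda: "operation ran")
        except PermissionError as exc:
            out[label] = f"blocked ({exc})"
    return out
```

The `intents` filter is what a qualified intent such as `finegrain.timeofday` on an operation would translate to: only the rules matching the attached qualifiers are consulted, which is why `only_timeofday` permits a non-manager update during business hours while the unqualified call denies it.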