OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

sca-policy message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: NEW ISSUE: fine grain authorization intent

TARGET: SCA Policy spec WD05

DESCRIPTION: at present, section 7.3 only contains
coarse grain authorization configuration capabilities
(role restrictions and authenticated-user restriction).

It is anticipated that application interface points,
in particular, specific operations, will need to be
able to call an authorization service. This would 
in a number of ways be analogous to confidentiality
or integrity on messages, except the context would
probably be broader than just the message and include
user context, appl context, and system context as 
the scope to which the policy would be applied. (For
example, time of day restrictions, or user must be
manager of the employee whose record is being accessed
restriction, or the usual, user must be over 21 years
old restriction.) 

The details of exactly what form this authorization 
will take place are not cast in concrete, however one
example is the XACML request response protocol, where the
PEP, which is typically the module that is handling
confidentiality and integrity type services, would also
handle the fine grain authorization services, except later
in the cycle, typically after the operation has actually
been entered and the relevant context available for 
collection of the necessary attributes needed to apply
the fine grain authorization rules. 

The suggestion at this point is only to provide a hook
for this capability, with the thought in mind that it
might be expanded later. For example, we might have
an intent called "finegrain" and possibly later extend
it to have qualified sub-intents like "finegrain.timeofday"
or "finegrain.mustbemanager", of "finegrain.ageover21check".
It would seem that an appl dev would often be able to 
indicate that these kind of authorization checks would
be appropriate to apply, and that a finegrain intent
with specific qualifiers might be a good way to express
these requirements.

PROPOSAL: further discussion then concrete
	proposal if necessary

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]