
security-services message


Subject: RE: Definition of "entitlement" in SAML

I must confess I have consciously steered this group (and its predecessor,
DeAnza) away from the use of this term. Here is why.

An entitlement is essentially a particular type of user attribute. Generally
it is understood to be a user attribute that corresponds directly to
enabling access to some resource. The modern tendency is instead to assign
user attributes which reflect organizational roles or jobs and interpose a
policy layer that grants access to specific resources using the user
attribute among other inputs.

This approach encapsulates different aspects of access control and is much
more suitable for large-scale systems. It is particularly important in
federated environments. It also better reflects organizational and
operational structure and is thus more likely to be successful in the long
run than an approach that primarily reflects technological artifacts. This
approach is reflected in the SAML (and now XACML) Domain Model and the
structure of SAML Assertions.

Here is an example.

Entitlement approach:

The code management system administrator gives Joe the Source Code Access.

Encapsulated approach:

The corporate security office gives Joe the means to authenticate himself.
The IT division administrator identifies Joe with the Software Engineer.
The code management system administrator creates a policy that all Software
Engineers are entitled to Source Code Access during normal business hours.


> -----Original Message-----
> From: Sai Allavarpu [mailto:sai.allavarpu@sun.com]
> Sent: Friday, October 05, 2001 1:43 PM
> To: Eve L. Maler; security-services@lists.oasis-open.org
> Subject: Definition of "entitlement" in SAML
> Is there a formal glossary or otherwise definition of the 
> term "entitlement"
> in SAML or other OASIS standards?
> Thanks,
> Sai.
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
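The two approaches contrasted in the message above, worked through as an added example (this is not code from the message, from OASIS, or from any SAML implementation). The entitlement approach is a direct user-to-resource grant held by the resource administrator; the encapsulated approach splits the work across the three parties named in the message: an authentication step, a role attribute asserted for the user, and a policy that combines the role with an environmental condition (normal business hours). The `Assertion` class only mimics the shape of a SAML assertion (subject, authentication outcome, attribute statement); it is not the SAML schema. The credential table, the role table, the 09:00-17:00 weekday definition of business hours and the user "joe" are all constructed sample data.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Set

# --- Entitlement approach ---------------------------------------------------
# The code management administrator hands Joe a resource-specific grant.
# Nothing here records why Joe has it, so when his job changes the same
# administrator has to remember to take it away again.
ENTITLEMENTS: Dict[str, Set[str]] = {"joe": {"Source Code Access"}}  # constructed


def entitlement_decision(user: str, resource: str) -> bool:
    """Direct lookup: does this user hold this resource's entitlement?"""
    return resource in ENTITLEMENTS.get(user, set())


# --- Encapsulated approach --------------------------------------------------
# Three parties, three artifacts (all sample data is constructed):
#   corporate security office  -> authentication (CREDENTIALS)
#   IT division administrator  -> user attribute, the job role (ROLES)
#   code management admin      -> policy over roles plus environment (POLICY)
CREDENTIALS: Dict[str, str] = {"joe": "correct horse battery staple"}
ROLES: Dict[str, Set[str]] = {"joe": {"Software Engineer"}}


@dataclass
class Assertion:
    """Shape of a SAML-style assertion: who authenticated and which
    attributes the asserting party vouches for. Not the real SAML schema."""
    subject: str
    authenticated: bool
    attributes: Dict[str, Set[str]]


def authenticate(user: str, password: str) -> Assertion:
    """Corporate security office: verify the credential, then attach the
    role attribute supplied by the IT division. A failed login yields an
    assertion with no attributes at all."""
    ok = secrets.compare_digest(CREDENTIALS.get(user, ""), password)
    attrs = {"role": set(ROLES.get(user, set()))} if ok else {}
    return Assertion(subject=user, authenticated=ok, attributes=attrs)


def change_job(user: str, new_roles: Set[str]) -> None:
    """IT division administrator updates the role attribute. No resource
    administrator is involved; the policy layer picks the change up."""
    ROLES[user] = set(new_roles)


@dataclass
class Rule:
    resource: str
    required_role: str
    condition: Callable[[datetime], bool]  # environmental input to the policy


def normal_business_hours(now: datetime) -> bool:
    """Assumed definition: Monday to Friday, 09:00 up to but excluding 17:00."""
    return now.weekday() < 5 and time(9) <= now.time() < time(17)


# Code management system administrator's policy: all Software Engineers get
# Source Code Access during normal business hours.
POLICY: List[Rule] = [Rule("Source Code Access", "Software Engineer", normal_business_hours)]


def policy_decision(assertion: Assertion, resource: str, when: str) -> bool:
    """Policy layer: authentication outcome, role attribute and time of the
    request are combined; 'when' is an ISO-8601 timestamp string."""
    if not assertion.authenticated:
        return False
    now = datetime.fromisoformat(when)
    roles = assertion.attributes.get("role", set())
    return any(
        rule.resource == resource and rule.required_role in roles and rule.condition(now)
        for rule in POLICY
    )


if __name__ == "__main__":
    joe = authenticate("joe", "correct horse battery staple")
    print(policy_decision(joe, "Source Code Access", "2001-10-10T10:00"))  # Wednesday, in hours
    print(policy_decision(joe, "Source Code Access", "2001-10-06T10:00"))  # Saturday
    change_job("joe", {"Sales Representative"})
    joe = authenticate("joe", "correct horse battery staple")
    print(policy_decision(joe, "Source Code Access", "2001-10-10T10:00"))  # role changed
    print(entitlement_decision("joe", "Source Code Access"))  # stale grant still there
```

The last two lines of the `__main__` block are the point of the message: after the IT division changes Joe's role, the policy layer denies access with no change to the policy or to the code management system, whereas the direct entitlement persists until someone remembers to revoke it.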
