Representing Authorization Model

I read xacml [James McGovern] entry around representing the authorization model. He has raised a great point on how to translate the authorization use-case narratives in to a simple representations. So far based on the various conversations around the authorization models, I have not been able to find a way to represent the complete authorization model as a diagram. The simple reason being that at the core of the authorization model are business rule and it is tough to represent them as diagram. Let me elaborate on that.

Basically, when you start looking at the authorization use-cases, at a very high level the following components typically form the part of the authorization data model

  1. Users and their organization into groups, roles, client organization, etc
  2. Resources and their organization into hierarchy, groups, etc
  3. Actions and probably some form of their organization
  4. Attributes of the user, resources (and may be actions), environment that help perform fine grained evaluation
  5. Policies which are the business rules (i.e. a combination of corporate, LOB, application security rules) that bring together the user, resource, actions, their organizations and attributes.

The items 1-4 can probably be represented as diagram (but I still have reservations about representing the business logic for complex organization memberships). Incase of 5, some of the simple like ACLs may be represented using the diagrams. But when it comes to complex rule-based access control, the basic question is how do you represent business rules in diagram? Most of the places that I have seen, the business rules are represented using language and not as diagram (but I am not an expert in business rule representation and would love some pointers in this direction).

Can we use XACML for this purpose? The way I see it, XACML as it stands right now is way too simplistic. It is not appropriate to represent complex authorization patterns satisfactorily. I may get beaten up on this, but I think XACML at this time is more like SOAP of old days without any of the WS-* specifications to standardize the basic cross-cutting requirements. I think over time, through the various profiles (hopefully which are pretty intuitive), we would be able to standardize on more complex patterns which will help us represent the complex authorization models as diagram.

Besides that a very good point raised is around the requirement of mapping the existing authorization model to vendor data model (referred to as reverse engineering if I understood correctly). Now this is a very tricky subject since there is no right way to perform the mapping. Most of the time the application authorization data model  is not built around the simple user, role, resource, action system (unless the architects were really building under the constraints of following that model and the business requirements were simple enough) that automatically translates to the model provided by most of the vendors. The actual translation of the application model to vendor specific model (which vary in their richness and complexity a lot) is dependent on various constraints like

  1. Manageability requirements
  2. Data location and synchronization
  3. Authorization Queries that need to be fulfilled now and in future
  4. flexibility required in the future
  5. performance of vendor functionality being used
  6. and so on....

So, to reiterate there is no single way to transform Application authorization model to a Vendor specific data model and so coming up with a methodology which takes into consideration the various possible issues (like some specified above) is the best way to do it. 

My thought process at this point may look very pessimistic but would love to hear thoughts on this and would like to be part of any initiative that tries to solve this issue.

Thoughts and Next Steps?  

Comments

Post a Comment

Popular posts from this blog

Vendor List

Updated: November 12 2006 I am trying to come up with the list of vendors and associated products in the Identity and Access Management arena. Please note that this list is based on marketing/public information and my understanding of the terms which may not comply with any specific groups' definitions and/or requirements. This is by no means a complete list and will keep growing as I get more time to add them and find more companies (any help on that front will be really appreciated). Before we go further along, lets try to define what each of these product typically do so that my mode of classification may make sense or any flaw in my classfication will become apparant. Identity Management/User Provisioning These products typically provide the facility of Workflow-based Identity provisioning, password reset, identity reconciliation/discovery, delegated identity administration and self-service features on wide variety of identity platforms (like LDAP, Unix, Windows, Mainfra
Read more

2006 Prediction - Recap

Seems like the 2006 Prediction season is over and so I thought that I will try to capture the various predictions in Identity Management space that I came across. ( Nick at WickID ) Host/Mutual authentication will be critical. There will be an attack against banks using non-cryptographic based host authentication (ie, pictures, cookies). - I am assuming that means machine authentication besides user authentication something similar to that from Passmark and Trusted Network Technology . This makes sense and will really be looking forward to various non-intrusive and intrusive technology in this space. Transaction authentication will become a hot topic later in the year due to session hijacking trojans. - I think people like Bruce Schneier have already been talking about this. An important aspect of transaction authentication is that it needs to be pervasive instead of just being limited to online experience. Besides that the technology that would actually help achieve this should be va
Read more

Understanding IAM Technology: Web Single Sign On (Web SSO) Part I - Introduction and Use Case Definition

Image
Update September 6, 2015: Part II in the series is now available . Update August 19,2006: I am rewriting this entry based on the methodology I am using for some of other domains. Hopefully, the new methodology would make it more useful to some of you. I talk to a lot of people from developer background who still do not have a good background in the IAM technology. Eventhough there is a lot of information on the web, I have felt a lack of good technological discussion on the various component that  actually form the IAM domain. Some of the good sources for the information on IAM are Microsoft Identity and Access Management Series Archie Reed Oracle Federated Identity Buyers guide Oracle Identity Management Buyer's Guide Identity Management Dissected Most of these document discuss the basic concepts but do not extend it to existing technologies and how it applies to them. This series is an attempt to look at the technology behind the Identity and access manage
Read more