Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.


Slide 2: The Authorization Space
As everyone knows by now:
● "Authentication says who you are, authorization says what you can do."
  ● OK as a tag line, but not for architecture...
A higher-level definition:
● configuration and operation of systems so that actions in support of organizational goals are permitted and other actions are prohibited...
or:
● representation and enforcement of organizational policy in software systems
● covers all scales, from macro-level policy ("comply with HIPAA") to micro-level ("user X can access file Y")

Slide 3: The Infrastructure Portfolio
Today's common core infrastructure components:
● Base identity management (for persons/subjects)
● Authentication service
● Directory/attribute service
The coming generation:
● Organization and group management
● Privilege/authority management
● Authorization service
● Provisioning service
● Event service (aka message-oriented middleware)
● Workflow...

Slide 4: Core Middleware (diagram slide; no text survived)

Slide 5: The Basic Access-control Scenario
Client-server access, session-based:
● server controls access to a resource
● client (or peer) connects to the server and authenticates as some subject
  ● the result of authentication is a "security context"
  ● and a session associated with that context
  ● further operations in the session take place in that context
● security attributes of the subject are obtained and added to the context
  ● for example, group memberships
  ● "userid" (or subject name) is one among many possible attributes
● client requests an operation on a resource
● server must answer the access-control question:
  ● is this operation on this resource by this subject permitted?

Slide 6: The Access-control Decision
Inputs are:
● the session security context
● the policy applicable to the resource
● any other relevant security attributes of the subject
● environment (time of day, load, etc.)
Output is: yes or no
● there are more complicated policy scenarios too
  ● e.g., the output is "how much" or "yes, and also do X"
Where do all these policies and attributes come from?
● this is "authorization (or policy) management"
● many components support the server's ability to make its decision

Slide 7: Outsourced App Example (Signet + Shibboleth)
● Classic outsourcing is hard on both the ASP and the campus
  ● the ASP must provide an admin interface, and the campus must enter data
● Shibboleth provides campus-based SSO to the ASP
  ● use of campus-managed attributes is negotiable
● With Shib + Signet:
  ● campus and ASP decide on the attributes sent via SAML
    ● atomic attribute-value pairs, or full XML documents
  ● campus manages these with Signet
    ● infrastructure-rich services: delegation, proxy, auditing, common UI, org structure, conditions
  ● ASP gets user attributes at sign-on
    ● no batch delays, but the app must be dynamic

Slide 8: Signet + Grouper
Group and privilege management: why separate?
● groups are not just about authorization
● privilege management is useful without groups
● a campus may have an existing group or privilege service
● defining the interaction via an API is good discipline
Why together?
● seamless user experience
● potentially complicated interactions between them:
  ● Signet manages permissions on Grouper directories
  ● show "what can this user do" in Signet, including group-based perms
  ● generate per-user permissions for provisioning, including group-based ones

Slide 9: Signet + Provisioning
● Provisioning refers to the setup of user accounts, etc., in application systems
  ● if all apps were fully dynamic and infra-service-reliant, provisioning might not be necessary...
● Signet-managed privileges typically are provisioned
  ● e.g., conditions are evaluated, rules checked, and translations done before the priv info is pushed into the app
  ● how much to "cook" in Signet is a per-application issue
● Signet may also feed a directory, accessed dynamically by the app
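The "cooking" step of slides 8 and 9, as an added illustration that is not Signet's or Grouper's own code or data format: group-based assignments are expanded to per-user permissions, effective-date conditions are evaluated, a rule (every privilege must translate to an app role) is checked, and privilege names are translated into the target app's native role names before the result would be pushed to the app. The group names, assignment fields, role names and the "keep the highest limit" rule are all constructed for the example.

```python
# Constructed sample data (not Signet/Grouper formats): memberships as a
# group service would supply them, and privilege assignments that name either
# a person or a group and carry effective-date conditions (ISO dates, so plain
# string comparison orders them correctly).
GROUPS = {"finance-staff": {"alice", "dave"}, "students": {"bob"}}
ASSIGNMENTS = [
    {"grantee": "group:finance-staff", "privilege": "approve-purchase",
     "limit": 5000, "from": "2004-01-01", "until": None},
    {"grantee": "user:alice", "privilege": "approve-purchase",
     "limit": 50000, "from": "2004-09-01", "until": "2004-12-31"},
    {"grantee": "user:bob", "privilege": "approve-purchase",
     "limit": 100, "from": "2005-01-01", "until": None},   # not yet effective
]
# Translation table from privilege names to the target app's native roles
# (hypothetical role name).
APP_ROLES = {"approve-purchase": "PO_APPROVER"}


def is_effective(assignment, today):
    """Condition evaluation: the assignment is live on `today`."""
    start, end = assignment["from"], assignment["until"]
    return start <= today and (end is None or today <= end)


def grantees(assignment, groups):
    """Expand a group grantee to its members; a user grantee is itself."""
    kind, name = assignment["grantee"].split(":", 1)
    return groups.get(name, set()) if kind == "group" else {name}


def cook(assignments, groups, today):
    """Produce per-user, app-native provisioning records. Where a user is
    covered by more than one live assignment, the highest limit wins (an
    assumption of this example, not a Signet rule)."""
    provisioned = {}
    for a in assignments:
        if not is_effective(a, today):
            continue
        if a["privilege"] not in APP_ROLES:          # rule check: must translate
            raise ValueError(f"no app role for privilege {a['privilege']!r}")
        role = APP_ROLES[a["privilege"]]
        for user in grantees(a, groups):
            roles = provisioned.setdefault(user, {})
            roles[role] = max(roles.get(role, 0), a["limit"])
    return provisioned
```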

Slide 10: Signet + Authorization Service
● "authorization decision service" or "policy decision point"
  ● the app sends a request-for-decision, including context, etc.
  ● a "decision engine" accesses policy, attributes, etc., and produces and returns a yes/no decision
  ● examples: Spocp, XACML
● no one can or should write authz expressions manually
● Signet can export a "permission document"
  ● transformable into the native expression format
  ● supplemented by other decision-time info
● Signet->Spocp translator available

Slide 11: PEP-PDP Model
[Diagram; labelled elements: Policy Enforcement Point, Policy Decision Point, Request, Resource, Decision Request, Decision Response, Policy Store(s), Attribute Store(s), Context.]
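The decision of slide 6 in the PEP-PDP shape of slides 10 and 11, as an added example that is not Signet's, Spocp's or XACML's own code: the enforcement point builds a decision request from the session context, the decision point combines the resource's policy (here an exported "permission document" in a constructed shape), the subject's attributes from an attribute store, and decision-time environment info, and the resource is touched only after a "yes". The attribute store, the rule fields, the business-hours condition and the default-deny behaviour are all assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample data (not Signet's or Spocp's format): subject attributes as
# an attribute store would supply them, and a resource policy in the shape of an
# exported "permission document", one rule per permitted
# (resource, action, required group, optional condition).
SUBJECT_ATTRS = {
    "alice": {"groups": {"finance-staff"}},
    "bob": {"groups": {"students"}},
}
PERMISSION_DOC = [
    {"resource": "ledger", "action": "read", "group": "finance-staff"},
    {"resource": "ledger", "action": "write", "group": "finance-staff",
     "business_hours_only": True},
]


@dataclass
class DecisionRequest:
    subject: str      # taken from the session security context
    resource: str
    action: str
    env: dict         # decision-time info, e.g. {"hour": 14}


def pdp_decide(req, policy=PERMISSION_DOC, attrs=SUBJECT_ATTRS):
    """Policy Decision Point: the first rule matching the resource, the action,
    the subject's attributes and the environment yields "yes"; no match yields
    "no" (default deny, an assumption of this example)."""
    groups = attrs.get(req.subject, {}).get("groups", set())
    for rule in policy:
        if (rule["resource"], rule["action"]) != (req.resource, req.action):
            continue
        if rule["group"] not in groups:
            continue
        in_hours = 9 <= req.env.get("hour", -1) < 17
        if rule.get("business_hours_only") and not in_hours:
            continue
        return True
    return False


def pep_handle(subject, resource, action, env, resource_store):
    """Policy Enforcement Point: build the decision request from the session
    context, ask the PDP, and only then perform the operation."""
    req = DecisionRequest(subject, resource, action, env)
    if not pdp_decide(req):
        return "denied"
    if action == "read":
        return resource_store[resource]
    resource_store[resource] = f"updated by {subject}"
    return "ok"
```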

Slide 12: Signet + Workflow
● A popular current admin-space requirement:
  ● define business processes
  ● route work items through processes
  ● assign people to roles in processes
  ● integrate processes into app systems
● If workflow is mostly about privilege management...
  ● a good privilege management system may fill the need instead
  ● privilege management can provision workflow: a role in a business process is assigned in the PM system
● Event/MOM services may be part of the solution also

Slide 13: Conclusion
● Many powerful tools available
● More than one right way to do it
● Architecture more important than ever
● Best-practices sharing of experience is crucial
● Common infra components promote sharing at higher levels

