Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010.

Published byAmbrose Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010."— Presentation transcript:

1 Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010

2 AuthZ Use Case - Web SSO via Web Access Management (WAM) System PrincipalPEP Target Resource PIP PDP PAP User/device WAM plug-in WAM Server HTML or web app WAM console LDAP Environment Time/Location

3 Use case details – Web SSO via Web Access Management (WAM) System Author:John Tolbert Brief Description:Human user requesting access to an html document protected by a web access management system (WAM). Policy information stored in LDAP, authored within WAM. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User clicks link to protected resource Steps or flow:User clicks link to protected html resource; WAM plug-in on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Post-conditions:Transaction logged. Non-functional requirements:? Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms served by the WAM agent and server.

4 AuthZ Use Case - Web SSO via SAML PrincipalPEP Target Resource PIP PDP PAP User/device SAML-enabled Web app SAML server HTML or web app LDAP & SAML consoles LDAP Environment Time/Location

5 Use case details – Web SSO via SAML Author:John Tolbert Brief Description:Human user requesting access to an html document protected by a web application that accepts SAML assertions. Policy information stored in LDAP, authored within LDAP/SAML/other utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User clicks link to protected resource Steps or flow:User clicks link to protected html resource; SAML assertion with appropriate attributes created and passed to application; application on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Post-conditions:Transaction logged. Non-functional requirements:? Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms served by the SAML-enabled application.

6 AuthZ Use Case – File access mediated by operating system (OS) PrincipalPEP Target Resource PIP PDP PAP User/device OS File OS utilities OS Environment Time/Location

7 Use case details – File access mediated by operating system (OS) Author:John Tolbert Brief Description:Human user requesting access to a file controlled by an operating system (OS). Policy information stored within OS structures, authored by OS utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:File created with permissions, access determined in advance by entitlement creation using OS utilities. Steps or flow:User attempts to access a file protected by an OS. OS makes decision based upon entitlements created by OS utilities. File delivered to user. Post-conditions:Transaction logged. Non-functional requirements:? Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are dependent on the OS and its mechanisms.

8 AuthZ Use Case – remote network access to virtual private network (VPN) PrincipalPEP Target Resource PIP PDP PAP User/device VPN RADIUS Network RADIUS utilities RADIUS DB Environment Time/Location

9 Use case details – remote network access to virtual private network (VPN) Author:John Tolbert Brief Description:Human user and/or requesting access to a network controlled by a VPN device. Policy information stored within RADIUS (or TACACS or LDAP), authored by RADIUS utilities. Goal:Human user gains access to authorized network. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:Entitlements created in advance by RADIUS utilities. VPN client software installed. Steps or flow:User attempts to access a remote network. VPN device makes decision based upon entitlements created. Network access granted to user. Post-conditions:Transaction logged. Non-functional requirements:? Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, citizenship, etc. Issues:PEP and PDP deployments in this case are dependent on the OS and its mechanisms.

Download ppt "Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010."

Similar presentations

PASSPrivacy, Security and Access Services Don Jorgenson Introduction to Security and Privacy Educational Session HL7 WG Meeting- Sept. 2012.

PASSPrivacy, Security and Access Services Don Jorgenson Introduction to Security and Privacy Educational Session HL7 WG Meeting- Sept
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Software Distribution in Microsoft System Center Configuration Manager v.Next: Part 1.

Software Distribution in Microsoft System Center Configuration Manager v.Next: Part 1.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Remote Networking Architectures

Remote Networking Architectures
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Similar presentations

Ads by Google