IHE White Paper on Access Control
As explained above, authorization decision requests need to take a normative form, and the construction of authorization decision request instances from access request instances needs to be based on configuration. Moreover, this mainly concerns the non-subject quantities of an authorization decision request, as PEPs can typically restrict themselves to delivering (opaque) identifiers for the in-memory authentication state of subjects. Thus, the following configuration abstractions are sufficient:
- An authorization decision request construction template that instructs PEPs how to build authorization decision request instances based on access request instances
- An authorization policy interpretation template that instructs PDPs (resp. their subject attribute finders) how to relate the in-memory authentication state (comprising e.g. SAML attributes and other information from SAML assertions) with the subject-specific expressions in authorization policies (on the granularity of attributes)
Based on the attribute stubs that were assumed to have been identified in a first step, these configuration abstractions can be built as follows:
- Authorization decision request construction templates can be expressed by augmenting the identified (resource, action, other) attribute stubs with attribute value templates that point to contents of the access request. This creates attribute templates and could take the form of e.g. XPath expressions in the case of a Web services environment (“take the value of the XML attribute ‘recordUID’ in the ‘getFolderList’ element and build the authorization decision request attribute ‘resource-id’ with that value”…). These templates present a priori information that instructs PEPs which (resource, action, other) attributes to deliver in an authorization decision request and how to build them when an access request occurs.
- Authorization policy interpretation templates can be expressed by augmenting the identified (subject) attribute stubs with attribute value templates that point to contents of an in-memory representation of authenticated subjects. This creates another kind of attribute template and could (in the case of e.g. SAML-based representations of authenticated subjects) take the form of references to SAML attributes (“take the value of the XML child element ‘AttributeValue’ in the XML element identified by the XML attribute ‘Name’ with value ‘urn:example:year-of-birth’ when looking for the value of the yearOfBirth attribute”…). These templates also present a priori information that instructs PDPs which (subject) attributes from authorization policies to relate to which information in the in-memory representation of authenticated subjects. Note that the PDP realization might rely on a subject attribute finder to decouple this task.
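The two templates described above, sketched as an added example that is not part of the white paper: the PEP builds ‘resource-id’ from ‘recordUID’ and passes only an opaque subject handle, and a subject attribute finder on the PDP side resolves ‘yearOfBirth’ from the SAML assertion behind that handle. The message layout, the session store, the handle "sess-42" and all function names are assumptions; both sides fail closed when a template does not match exactly one value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample inputs (assumptions, not taken from the white paper).
ACCESS_REQUEST = '<Body><getFolderList recordUID="rec-4711"/></Body>'
SESSIONS = {"sess-42": """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:year-of-birth">
      <saml:AttributeValue>1975</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""}

# PEP side: attribute stub -> (category, element path, XML attribute to copy).
REQUEST_TEMPLATE = {"resource-id": ("resource", ".//getFolderList", "recordUID")}
# PDP side: subject attribute used in policies -> SAML attribute name.
SUBJECT_TEMPLATE = {"yearOfBirth": "urn:example:year-of-birth"}


def build_decision_request(access_request_xml, subject_handle):
    """PEP: apply the construction template to one access request."""
    root = ET.fromstring(access_request_xml)
    attributes = {}
    for attr_id, (category, path, xml_attr) in REQUEST_TEMPLATE.items():
        hits = root.findall(path)
        # Fail closed: a missing or ambiguous source must not yield a request.
        if len(hits) != 1 or hits[0].get(xml_attr) is None:
            raise ValueError(f"template for {attr_id!r} did not match exactly once")
        attributes[attr_id] = {"category": category, "value": hits[0].get(xml_attr)}
    # The subject travels only as an opaque handle, never as attribute values.
    return {"subject": subject_handle, "attributes": attributes}


def find_subject_attribute(subject_handle, policy_attr):
    """PDP subject attribute finder: apply the interpretation template."""
    saml_name = SUBJECT_TEMPLATE[policy_attr]      # unmapped attribute -> KeyError
    root = ET.fromstring(SESSIONS[subject_handle])  # unknown handle -> KeyError
    path = f".//saml:Attribute[@Name='{saml_name}']/saml:AttributeValue"
    values = root.findall(path, NS)
    if len(values) != 1:
        raise ValueError(f"expected exactly one value for {policy_attr!r}")
    return values[0].text


if __name__ == "__main__":
    request = build_decision_request(ACCESS_REQUEST, "sess-42")
    print(request)
    print(find_subject_attribute(request["subject"], "yearOfBirth"))
```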
PEP/PDP Placement
Authorization Request Interface
Policy Retrieval (Pull/Push)
Attribute Retrieval (Pull/Push)