ACWP Methodology Attribute Management
IHE White Paper on Access Control
Attribute Management
As attributes have been assumed to be the common currency of the considered authorization problems, the following abstractions suffice in constructing the authorization solution:
- Attribute: a distinct characteristic of an entity such as a subject or an object comprising an attribute value (e.g. 1979) and metadata such as attribute identifier (e.g. urn:example:year-of-birth), data type (e.g. integer) and category (e.g. subject)
- Attribute value template: instructions on the construction of an attribute value (e.g. search for LDAP attribute yearOfBirth in user account identified through UUID)
- Attribute template: an attribute value template (instead of an attribute value) plus metadata. The attribute value template may be absent from an attribute template. The term attribute stub serves as a shorthand for an attribute template whose attribute value template is absent.
The authorization system is assumed to be capable of processing arbitrary attributes, and hence of allowing the configuration of attribute value templates and attribute templates for arbitrary attributes. To resolve a concrete authorization problem, the first step is to identify its denominators (which may vary from one authorization problem to another) in the form of a set of attribute stubs, e.g. the yearOfBirth attribute stub comprising an identifier (e.g. urn:example:year-of-birth), a data type (e.g. integer) and a category (e.g. subject). Empirically, the number of such attribute stubs is rather small (say 10-25) for most practically relevant authorization problems.
Based on these atomic properties of the authorization problem, the needed abstractions can be built in a straightforward manner.
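The following is an added illustration of these abstractions in code; it is not part of the white paper. It models an attribute stub (metadata only), an attribute template (stub plus a value template) and the resolved attribute, using a constructed in-memory directory in place of the LDAP lookup the text mentions; the UUIDs and account entries are made up, and the fail-closed handling of missing or malformed values is an assumption, not something the page prescribes.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Constructed stand-in for a user directory (e.g. LDAP), keyed by account UUID.
DIRECTORY = {
    "8d3e0c7a-0001": {"cn": "alice", "yearOfBirth": "1979"},
    "8d3e0c7a-0002": {"cn": "bob"},                        # attribute missing
    "8d3e0c7a-0003": {"cn": "eve", "yearOfBirth": "n/a"},  # malformed value
}
@dataclass(frozen=True)
class AttributeStub:
    """Metadata only: an attribute template with no value template."""
    identifier: str   # e.g. urn:example:year-of-birth
    data_type: type   # e.g. int
    category: str     # e.g. subject

@dataclass(frozen=True)
class AttributeTemplate:
    stub: AttributeStub
    value_template: Optional[Callable[[str], Any]] = None  # None -> still a stub

@dataclass(frozen=True)
class Attribute:
    stub: AttributeStub
    value: Any

def ldap_lookup(ldap_attr: str) -> Callable[[str], Any]:
    """Attribute value template: 'search for LDAP attribute X in the account UUID'."""
    return lambda uuid: DIRECTORY.get(uuid, {}).get(ldap_attr)

def resolve(template: AttributeTemplate, uuid: str) -> Optional[Attribute]:
    """Build the attribute for one subject; None if the source has no usable value."""
    if template.value_template is None:
        raise ValueError(f"{template.stub.identifier} is a stub: no value template")
    raw = template.value_template(uuid)
    if raw is None:
        return None
    try:
        value = template.stub.data_type(raw)   # enforce the stub's data type
    except (TypeError, ValueError):
        return None   # fail closed: a malformed value yields no attribute at all
    return Attribute(template.stub, value)

YEAR_OF_BIRTH = AttributeStub("urn:example:year-of-birth", int, "subject")
YOB_TEMPLATE = AttributeTemplate(YEAR_OF_BIRTH, ldap_lookup("yearOfBirth"))

def subject_attributes(templates, uuid):
    found = {t.stub.identifier: resolve(t, uuid) for t in templates}  # id -> Attribute
    return {k: v for k, v in found.items() if v is not None}
```

A policy decision point would then evaluate its rules only over the attributes that actually resolved, so a subject with no usable value for a required stub is denied rather than matched by accident.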
Classification of Attribute Stubs
Specification of Attribute Value Sources
Domain Assignment
Discussion
place issues to be discussed among the editorial team here...
Change Requests
place your change requests here...