Cloud Authorization Use Cases Version 0 Committee Note 01 19 November 2014



1.4 Identity Management Categorizations

This section defines identity management categorizations that are featured in the use cases presented in this document. Use cases may list one or more of these categorizations within the “Categories Covered” box of the “Notable Categorizations and Aspects” section of each use case.

This document will use the following categories to classify identity in the cloud use cases:



  • Infrastructure Identity Establishment

  • Identity Management (IM)

      • General Identity Management

      • Infrastructure Identity Management (IIM)

      • Federated Identity Management (FIM)

  • Authentication

      • General Authentication

      • Single Sign-On (SSO)

      • Multi-factor

  • Authorization

      • General Authorization

      • Administration

  • Account and Attribute Management

      • Account and Attribute Provisioning

  • Security Tokens

  • Governance

  • Audit and Compliance

1.4.1 Infrastructure Identity Establishment

This category includes use cases that feature the establishment of identity and trust between cloud providers, their partners and customers, and includes consideration of topics such as Certificate Services (e.g. X.509), Signature Validation, Transaction Validation, Non-repudiation, etc.

1.4.2 Identity Management (IM)

This category includes use cases that feature Identity Management in cloud deployments.

1.4.2.1 General Identity Management

This categorization is used if the use case features the need for Identity Management in general terms, without specifying or referencing particular methods or patterns.

1.4.2.2 Infrastructure Identity Management (IIM)

This subcategory includes use cases that feature Virtualization and the Separation of Identities across different IT infrastructural layers (e.g. Server Platform, Operating System (OS), Middleware, Virtual Machine (VM), Application, etc.).

1.4.2.3 Federated Identity Management (FIM)

This subcategory includes use cases that feature the need to federate Identity Management across cloud deployments and the enterprise.

1.4.3 Authentication


This category includes use cases that describe user and service authentication methods applicable to cloud deployments.

1.4.3.1 General Authentication

This categorization is used if the use case features the need for Authentication in general terms, without specifying or referencing particular methods or patterns.

1.4.3.2 Single Sign-On (SSO)


This subcategory of authentication includes use cases that feature Single Sign-On (SSO) patterns across cloud deployment models.

1.4.3.3 Multi-Factor Authentication

This subcategory of authentication indicates that the use case uses more than one factor or credential to establish the identity of a user or service. The more factors that can be verified or authenticated about an identity, the greater the weight or “strength” given to the authenticated identity; hence the association with the term “strong authentication”.

1.4.4 Authorization

This category includes use cases that feature the granting of Access Rights to cloud resources to users or services following the establishment of identity. Use cases in this section may include authorization concepts such as Security Policy Enforcement and Role-Based Access Control (RBAC), as well as representations and conveyance of authorization, such as Assertions, to cloud services.

1.4.4.1 General Authorization


This category is used if the use case features the need for authorization in general terms without specifying or referencing particular methods or patterns.

1.4.4.2 Administration


This category is used if the use case features the need for the administration of access control policies.

1.4.5 Account and Attribute Management

This category includes use cases that feature account establishment, including Security Policy Attributes, along with their Management or Administration. Use cases may include descriptions of established provisioning techniques, as well as developing examples such as Just-In-Time (JIT) Account Provisioning.

1.4.5.1 Account and Attribute Provisioning


This subcategory of Account and Attribute Management highlights use cases that feature provisioning of identity and accounts within cloud deployments. This includes provisioning of any attributes that are associated with an identity that may affect policy decisions and enforcement.

1.4.6 Security Tokens

This category includes use cases that feature Security Token Formats and Token Services, including Token Transformation and Token Proofing.

1.4.7 Governance

This category includes the secure management of identities and identity-related information (including privacy information), so that actions taken based on those identities can be legally used to validate adherence to the rules that define the security policies of the system.

1.4.8 Audit & Compliance


This category includes use cases that feature Identity Continuity within cloud infrastructure and across cloud deployment models for the purpose of non-repudiation of identity associated with an action permitted against security policy.

1.5 Actor Name Construction

In order to have consistent names for the actors (roles) referenced in use cases, this document defines a qualification syntax comprising four terms.

This syntax is intended to provide a detailed context of where the actor is performing their use case function, under which organization, against what resources and under what role.

These four terms are:


  • Deployment Type – Qualifies the actor’s domain of operation (i.e. the deployment entity where they perform their role or function).

  • Organizational Type – Further qualifies the actor by the organization within their deployment entity.

  • Resource Type – Further qualifies the actor by the resources they have been entitled to interact with.

  • Role Type – Further qualifies the actor by their role-based entitlements.

The general syntax for creating a name for an actor is as follows:

Deployment Type | Organizational Type | Resource Type | Role Qualification

The following sections include diagrams that show the logical derivation (inheritance) for each of these qualification terms.

1.5.1 Deployment Qualifications


The following diagram shows the deployment types that are required when naming an actor:


1.5.2 Organization Qualifications


The following diagram shows the organizational types that are required when naming an actor:


1.5.3 Resource Qualifications


The following diagram shows the resource types that are required when naming an actor:


1.5.4 Role Qualifications


The following diagram shows the role types that are required when naming an actor:

