Cloud Authorization Use Cases Version 0 Committee Note 01 19 November 2014



Use Cases

1.8 Use Case 1: Context Driven Entitlements

1.8.1 Description / User Story

In a Cloud Computing Environment, access decisions need to be made based on the context. The context includes the subject, the resource, the action, the environment and the attributes of each of these. An access decision can be made once the entitlements or permissions held by the subject have been obtained.

1.8.2 Goal or Desired Outcome

Entitlements or permissions of a subject during an access decision check can be obtained from a repository or service.


1.8.3 Notable Categorizations and Aspects


Categories Covered:

  • Primary

    • Authorization.

    • Account and Attribute Mgmt. (Provisioning).

  • Secondary

    • Audit and Compliance.

Featured Deployment and Service Models:

  • Deployment Models

    • Private

    • Public

  • Service Models

    • Platform-as-a-Service (PaaS)

    • Infrastructure-as-a-Service (IaaS)

Actors:

  • Cloud User

  • Cloud Resource

Systems:

  • Cloud Provider Identity Mgmt. System, which helps manage resources such as:

    • Cloud Identity Stores

Notable Services:

Dependencies:

  • None

Assumptions:

  • Entitlements or permissions for a subject are stored in a repository or can be obtained from an external service.

1.8.4 Process Flow


  1. A Cloud User tries to access a Cloud Resource.

  2. The Cloud Authorization Service tries to determine if the Cloud User has access to the Cloud Resource.

  3. The Cloud Authorization Service needs the permissions or entitlements the Cloud User has. It asks a Cloud Entitlement Service for the permissions or entitlements the Cloud User has for the particular Cloud Resource and action, given the environment (for example the IP address and date/time of the request).

  4. The Cloud Entitlement Service returns a set of permissions. The Cloud Authorization Service does the access check based on the entitlements.
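The process flow above, worked through in code. This is an added example and not part of the committee note: the repository contents, the subject and resource names, and the choice of source-network and time-of-day constraints as the environment attributes are all assumptions; the entitlement service returns the full permission set for the resource under that context, and the authorization service then checks the requested action against it.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample entitlement repository (hypothetical data, not from the note).
# Each entry grants a subject a set of actions on one resource, optionally limited
# to a set of source networks and to a daily time window.
ENTITLEMENT_REPOSITORY = [
    {"subject": "alice", "resource": "vm-prod-db", "actions": {"read", "start", "stop"},
     "source_networks": ["10.0.0.0/8"], "hours": (time(8, 0), time(18, 0))},
    {"subject": "alice", "resource": "vm-prod-db", "actions": {"read"},
     "source_networks": None, "hours": None},   # read from anywhere, at any time
    {"subject": "bob", "resource": "vm-prod-db", "actions": {"read"},
     "source_networks": ["192.168.1.0/24"], "hours": None},
]

def matches_environment(entry, env):
    """Check the environment attributes of the request (IP address, date/time)
    against the constraints attached to one repository entry."""
    nets = entry["source_networks"]
    if nets is not None:
        ip = ipaddress.ip_address(env["ip"])
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            return False
    if entry["hours"] is not None:
        start, end = entry["hours"]
        if not start <= env["when"].time() <= end:
            return False
    return True

def entitlement_service(subject, resource, env, repo=ENTITLEMENT_REPOSITORY):
    """Cloud Entitlement Service (steps 3 and 4): return the set of permissions the
    subject holds on the resource under the given environment context."""
    permissions = set()
    for entry in repo:
        if (entry["subject"] == subject and entry["resource"] == resource
                and matches_environment(entry, env)):
            permissions |= entry["actions"]
    return permissions

def authorization_service(subject, resource, action, env):
    """Cloud Authorization Service (steps 2 and 4): obtain the entitlements for
    this context, then decide whether the requested action is among them."""
    return action in entitlement_service(subject, resource, env)
```

Note that the same subject and action yield different decisions depending only on the environment attributes, which is the point of the use case.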

1.9 Use Case 2: Attribute and Provider Reliability Indexes

1.9.1 Description / User Story


When designing a policy within a federated authorization system, the policy designer places a high degree of reliance, for overall system integrity, on the “quality” of the attributes used in a given policy decision. The active exchange of attributes and data between relying parties in distributed cloud / federated authorization systems makes it hard to design policies that allow for the varying levels of controls and assurance placed around the attribute management lifecycle.

This user story introduces the use of a “reliability index” to help providers and consumers define, model and understand an integrity rating for a given attribute, set of attributes or attribute provider. By employing a reliability index for the attribute provider and for the specific attributes it provides, the policy designer is able to create more meaningful access policies: policies that reflect the dependencies, reliability and overall risks inherent in the authorization system as a whole.

1.9.2 Goal or Desired Outcome


The policy author is able to define a policy that allows for the real-time assessment of the reliability of an attribute provider, or of the individual reliability of any attribute it provides. This allows varying levels of access control policy to be applied depending on the value of the reliability index retrieved for the provider and/or its attributes. When reliability is low, the policy author defines more approvals/controls and less access for the same decision matrix, applied to the same set of identity attributes. This should allow better decisions to be made.
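The reliability-index policy described in the two passages above, as an added example that is not part of the committee note. The note does not define how index values are derived, their scale, or how a provider's index combines with an attribute's, so the 0.0 to 1.0 scale, the sample index values, the provider and attribute names, the "minimum of provider and attribute index" combination rule and the 0.8 / 0.5 thresholds are all assumptions; the shape of the result (same attributes, same decision matrix, stricter controls as reliability drops) is what the text describes.

```python
from dataclasses import dataclass

# Constructed sample reliability indexes (hypothetical values, not from the note),
# on a 0.0 to 1.0 scale: one per attribute provider and one per attribute it asserts.
PROVIDER_INDEX = {"hr-idp": 0.9, "partner-idp": 0.5}
ATTRIBUTE_INDEX = {
    ("hr-idp", "department"): 0.95, ("hr-idp", "clearance"): 0.8,
    ("partner-idp", "department"): 0.6, ("partner-idp", "clearance"): 0.3,
}

@dataclass
class Attribute:
    provider: str   # which attribute provider asserted this value
    name: str
    value: str

def effective_reliability(attr):
    """An asserted attribute is never more reliable than the provider asserting it,
    so the effective index is the lower of the provider and attribute indexes
    (assumed combination rule)."""
    return min(PROVIDER_INDEX[attr.provider], ATTRIBUTE_INDEX[(attr.provider, attr.name)])

def decide(attrs, required):
    """Evaluate one decision matrix with reliability-dependent controls.
    `required` maps an attribute name to the value the policy expects.
    Returns 'permit', 'permit-with-approval' (same access, extra approval step)
    or 'deny'."""
    by_name = {a.name: a for a in attrs}
    # The identity attributes must satisfy the policy before reliability is considered.
    for name, wanted in required.items():
        if name not in by_name or by_name[name].value != wanted:
            return "deny"
    # The decision is only as reliable as the weakest attribute it relied on.
    score = min(effective_reliability(by_name[name]) for name in required)
    if score >= 0.8:
        return "permit"
    if score >= 0.5:
        return "permit-with-approval"
    return "deny"
```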

1.9.3 Notable Categorizations and Aspects


Categories Covered:

  • Primary

    • General Identity Mgmt.

    • Account and Attribute Mgmt.

  • Secondary

    • None

Featured Deployment and Service Models:

  • Deployment Models

  • Service Models

    • Software-as-a-Service (SaaS)

Actors:

  • Subscriber Company Application Administrator

  • Subscriber Company Application User

Systems:

  • Cloud Provider Identity Mgmt. System, which helps manage resources such as:

    • Cloud Identity Stores

Notable Services:


Dependencies:

  • None

Assumptions:

  • None

1.9.4 Process Flow


  1. A Subscriber Company’s Application User, an employee of the company, creates multiple resources within a cloud deployment.

  2. The Subscriber Company’s Application User that created these cloud resources leaves the company.

  3. The Subscriber Company’s Application Administrator decommissions the Application User’s identity within the cloud deployment.

  4. The Subscriber Company’s Application Administrator transitions the cloud resources to a different employee’s identity within the same cloud deployment.


