Cloud Authorization Use Cases Version 0 Committee Note 01 19 November 2014




1.10 Use Case 3: Entitlements Catalog

1.10.1 Description / User Story

Company “A” wishes to use services provided by a cloud service provider. There is a strong need to know what entitlements a user has during the Entitlement Assignment, Provisioning, Access Runtime, and Access Review phases of IAM.

Entitlements Catalog service returns a list of Business Tasks a user can perform. Entitlements should be portable from one service provider to another.


1.10.2 Goal or Desired Outcome


At any point in time it should be possible to find out what entitlements a user has.

Since Entitlements are to be portable from one CSP to another:



  1. User entitlements should not be system-specific but should instead be based on Business Tasks as defined by business architects.

  2. User entitlements should be expressed in a standard format that is based on a pre-defined and agreed upon access control vocabulary that enables one to express entitlements syntax as well as entitlement meaning.

1.10.3 Notable Categorizations and Aspects


Categories Covered:

Applicable Deployment and Service Models:


  • Cloud Deployment Models

    • Public

    • Private

  • Service Models

    • Infrastructure-as-a-Service (IaaS)

Actors:




Systems:

Notable Services:

  • User Entitlement Management Services:

    • GetUserEntitlements – retrieve User entitlements.

    • GetEntitlementSyntax – retrieve Entitlement Type Syntax.

    • GetEntitlementMeaning – retrieve the meaning of the particular entitlement.

Dependencies:

  • An Access Control Vocabulary exists to provide syntax and meaning for each entitlement.

  • CSPs agree to use the above Access Control Vocabulary to express entitlements in a portable format.

Assumptions:

  • Business Process Framework is provided as input to the Entitlements Model.

1.10.4 Process Flow


The process flow is as follows:

  • A company uses the services provided by the Cloud Service Provider.

  • The Cloud Service Provider exposes various services representing entitlements for the users from the company.

  • The company calls the GetUserEntitlements service to receive a list of entitlements for a particular user.

  • The company calls the GetEntitlementSyntax service to receive the syntax of an entitlement.

  • The company calls the GetEntitlementMeaning service to receive the meaning of a particular entitlement.
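The following is an added example, not code from the committee note or from any CSP, of what an Entitlements Catalog offering the three services above could look like. The Access Control Vocabulary, its URN syntax, the Business Process Framework tasks and the user names are all constructed for illustration. It shows the two points of the use case that the prose leaves abstract: entitlements are refused at assignment time unless they are expressed as vocabulary-defined Business Tasks (a CSP-specific group name does not conform), and a user's entitlements can be exported from one catalog and imported into another unchanged.

```python
"""Entitlements Catalog as described in Use Case 3.

Constructed example; it is not code from the OASIS committee note or from any
CSP. The vocabulary URN scheme, the business task identifiers and the user
names are all made up for illustration.
"""
import json
from dataclasses import dataclass

# Access Control Vocabulary (constructed). Each entitlement type carries a
# syntax (the shape every CSP must use) and a meaning (what holding it grants).
VOCABULARY = {
    "BusinessTask": {
        "syntax": "urn:example:entitlement:business-task:<task-id>",  # hypothetical URN layout
        "meaning": "May perform one business task defined in the Business Process Framework.",
    },
}

# Business Process Framework (constructed): tasks named by business architects,
# deliberately free of any CSP-specific role, group or ACL identifier.
BUSINESS_TASKS = {
    "approve-invoice": "Approve a supplier invoice for payment.",
    "create-purchase-order": "Raise a purchase order against a supplier.",
    "view-ledger": "Read the general ledger.",
}


class VocabularyError(ValueError):
    """An entitlement that does not conform to the Access Control Vocabulary."""


@dataclass(frozen=True, order=True)
class Entitlement:
    type: str   # a key of VOCABULARY
    value: str  # for BusinessTask, a key of BUSINESS_TASKS


def conforms(entitlement: Entitlement) -> bool:
    """True only for entitlements expressible in the shared vocabulary."""
    if entitlement.type not in VOCABULARY:
        return False
    if entitlement.type == "BusinessTask":
        return entitlement.value in BUSINESS_TASKS
    return True


class EntitlementsCatalog:
    """One CSP's catalog exposing the three services named in the use case."""

    def __init__(self) -> None:
        self._assignments: dict[str, set[Entitlement]] = {}

    def assign(self, user: str, entitlement: Entitlement) -> None:
        # Entitlement Assignment phase: refuse anything that is not portable.
        if not conforms(entitlement):
            raise VocabularyError(f"{entitlement} is not expressed in the Access Control Vocabulary")
        self._assignments.setdefault(user, set()).add(entitlement)

    def get_user_entitlements(self, user: str) -> list[Entitlement]:
        """GetUserEntitlements: what the user holds right now (sorted for stable output)."""
        return sorted(self._assignments.get(user, set()))

    def get_entitlement_syntax(self, entitlement_type: str) -> str:
        """GetEntitlementSyntax: the syntax for an entitlement type."""
        if entitlement_type not in VOCABULARY:
            raise VocabularyError(f"unknown entitlement type {entitlement_type!r}")
        return VOCABULARY[entitlement_type]["syntax"]

    def get_entitlement_meaning(self, entitlement: Entitlement) -> str:
        """GetEntitlementMeaning: vocabulary meaning plus the business task description."""
        if not conforms(entitlement):
            raise VocabularyError(f"{entitlement} has no meaning in the Access Control Vocabulary")
        base = VOCABULARY[entitlement.type]["meaning"]
        detail = BUSINESS_TASKS.get(entitlement.value, "")
        return f"{base} {detail}".strip()

    def export_portable(self, user: str) -> str:
        """Serialise a user's entitlements in a CSP-neutral form for transfer."""
        items = [{"type": e.type, "value": e.value} for e in self.get_user_entitlements(user)]
        return json.dumps(items, sort_keys=True)

    def import_portable(self, user: str, document: str) -> None:
        """Load entitlements exported by another CSP; validation happens in assign()."""
        for item in json.loads(document):
            self.assign(user, Entitlement(item["type"], item["value"]))


if __name__ == "__main__":
    csp_a, csp_b = EntitlementsCatalog(), EntitlementsCatalog()
    csp_a.assign("alice", Entitlement("BusinessTask", "approve-invoice"))
    csp_a.assign("alice", Entitlement("BusinessTask", "create-purchase-order"))
    csp_b.import_portable("alice", csp_a.export_portable("alice"))  # move to another provider
    for ent in csp_b.get_user_entitlements("alice"):
        print(ent.value, "->", csp_b.get_entitlement_meaning(ent))
```

Validation is done once, in assign(), so an import from another provider is checked against the same vocabulary as a local assignment; a catalog that accepted unvalidated imports would let system-specific identifiers leak back in and break portability.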


1.11 Use Case 4: Segregation of Duties based on Business Process

1.11.1 Description / User Story


A company for whom a CSP is providing services needs to implement corresponding Segregation of Duties Policies. There is a strong need to know what conflicting entitlements a user could be assigned, prevent such assignment, augment the conflicting assignment with runtime controls, and as a last resort detect the use of conflicting entitlements.

1.11.2 Goal or Desired Outcome


Provide a policy-based mechanism to design, implement, test, and perform access review of simple and complex Separation of Duties scenarios.

Leverage the XACML standard for expressing the conditional logic of SoD policies. Leverage the Access Control Vocabulary to express the syntax and meaning of the attributes used in SoD policies.

Business Tasks are to be the core attribute for designing and registering the “Duties” of Segregation of Duties.

1.11.3 Notable Categorizations and Aspects


Categories Covered:

  • Entitlement Semantic Model

  • Entitlement Assignment

  • Runtime Authorization

  • Access Review

Applicable Deployment and Service Models:

  • Cloud Deployment Models

    • Public

    • Private

  • Service Models

    • Infrastructure-as-a-Service (IaaS)

Actors:

  • Business Architect

  • Entitlements Designer

  • Entitlements Manager

  • Access Reviewer

  • User




Systems:

  • Enterprise

  • Cloud Service Provider

  • Entitlement Model Repository

Notable Services:

  • User Entitlement Management Services:

    • GetUserEntitlements – retrieve User entitlements.

    • FindConflictingEntitlements – for a given set of entitlements, list the conflicting entitlements.

Dependencies:

  • An Access Control Vocabulary exists to provide syntax and meaning for each entitlement.

  • CSPs agree to use the above Access Control Vocabulary to express entitlements in a portable format.

Assumptions:

  • Business Process Framework is provided as input to the Entitlements Model.

1.11.4 Process Flow


N/A
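The use case above asks for three layers of control over conflicting entitlements: prevent the assignment, augment an unavoidable assignment with a runtime control, and as a last resort detect that both halves of a conflict were actually used. The following is an added example, not code from the committee note, that works through all three over Business Task entitlements. The committee note names XACML for the conditional logic of SoD policies; the plain Python pairs in SOD_POLICY stand in for that here so the example runs offline. The task identifiers, user names, purchase order ids and the audit log are constructed, and the FindConflictingEntitlements service is modelled as a function that returns the conflicting pairs contained in a given set of entitlements.

```python
"""Segregation of Duties over Business Task entitlements, as in Use Case 4.

Constructed example; not code from the OASIS committee note. The committee
note names XACML for the conditional logic of SoD policies; the plain Python
pairs below stand in for that so the example runs offline. Task identifiers,
user names, object ids and the audit log are all made up.
"""
from dataclasses import dataclass, field

# SoD policy (constructed): pairs of Business Tasks one person must not hold
# together. "Duties" are registered by business task, not by system role.
SOD_POLICY = [
    ("create-purchase-order", "approve-invoice"),   # commit spend and approve its payment
    ("create-vendor", "approve-invoice"),           # add a payee and approve paying it
]


class SoDViolation(Exception):
    """Raised when an assignment would give a user a conflicting pair."""


def find_conflicting_entitlements(entitlements) -> list[tuple[str, str]]:
    """FindConflictingEntitlements: conflicting pairs fully contained in the given set."""
    held = set(entitlements)
    return sorted(tuple(sorted(pair)) for pair in SOD_POLICY if set(pair) <= held)


def conflicts_introduced_by(existing, candidate: str) -> list[tuple[str, str]]:
    """Preventive control: the pairs that would be completed by adding `candidate`."""
    return [p for p in find_conflicting_entitlements(set(existing) | {candidate}) if candidate in p]


@dataclass
class AssignmentService:
    """Entitlement Assignment phase. A conflicting assignment is refused unless a
    compensating runtime control (assumption: e.g. a second approver) is recorded."""
    assignments: dict = field(default_factory=dict)
    compensating_controls: dict = field(default_factory=dict)

    def can_assign(self, user: str, task: str) -> bool:
        """True when the assignment introduces no SoD conflict for this user."""
        return not conflicts_introduced_by(self.assignments.get(user, set()), task)

    def assign(self, user: str, task: str, compensating_control: str = "") -> None:
        new_conflicts = conflicts_introduced_by(self.assignments.get(user, set()), task)
        if new_conflicts and not compensating_control:
            raise SoDViolation(f"{user}: {task} conflicts with {new_conflicts}")
        if new_conflicts:
            # Augment the conflicting assignment with a documented runtime control.
            self.compensating_controls.setdefault(user, []).append((task, compensating_control))
        self.assignments.setdefault(user, set()).add(task)

    def access_review(self) -> dict[str, list[tuple[str, str]]]:
        """Access Review phase: every user who currently holds a conflicting pair."""
        report = {}
        for user, tasks in sorted(self.assignments.items()):
            found = find_conflicting_entitlements(tasks)
            if found:
                report[user] = found
        return report


def detect_conflicting_use(audit_log) -> list[tuple[str, str, tuple[str, str]]]:
    """Detective control, the use case's last resort: users who actually exercised
    both halves of a conflicting pair against the same business object.
    audit_log rows are (user, business_task, object_id)."""
    tasks_by_user_object: dict[tuple[str, str], set[str]] = {}
    for user, task, obj in audit_log:
        tasks_by_user_object.setdefault((user, obj), set()).add(task)
    findings = []
    for (user, obj), tasks in sorted(tasks_by_user_object.items()):
        for pair in find_conflicting_entitlements(tasks):
            findings.append((user, obj, pair))
    return findings


# Constructed audit log: alice both raised and approved PO-1001; bob and carol split PO-1002.
AUDIT_LOG = [
    ("alice", "create-purchase-order", "PO-1001"),
    ("alice", "approve-invoice", "PO-1001"),
    ("bob", "create-purchase-order", "PO-1002"),
    ("carol", "approve-invoice", "PO-1002"),
]

if __name__ == "__main__":
    svc = AssignmentService()
    svc.assign("alice", "create-purchase-order")
    try:
        svc.assign("alice", "approve-invoice")
    except SoDViolation as err:
        print("blocked:", err)
    svc.assign("alice", "approve-invoice", compensating_control="second-approver-required")
    print("access review:", svc.access_review())
    print("conflicting use:", detect_conflicting_use(AUDIT_LOG))
```

The detective check keys on the business object as well as the user: holding both tasks is an assignment-time finding, but exercising both against the same purchase order is the event the use case wants caught at runtime or in review, and it is also the case that a compensating control such as a second approver is meant to cover.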


