The Problems of Decentralized Authorization

July 26th, 2010 Ben Northrop

In a previous post, I laid some of the conceptual groundwork for authorization in the tricky world of SOA. Now, a year older and a year wiser (I hope!), I’d like to swing back around to the topic of authorization, but broaden the scope a bit - talking not just about authorization and SOA, but about authorization and the whole enterprise “ecosystem” (services, applications, user interfaces, etc.).

In this post I’d like to describe the decentralized, “every man for himself” model of authorization that is most common in organizations, and the problems inherent in it. In later posts I hope to touch on some possible paths out of this chaos - the XACML standard, the model of pre-determined access control, and attribute services. Here goes…


SOA and Authorization: What’s so hard about it anyway?

July 30th, 2009 Ben Northrop

There’s plenty of talk about security and SOA (or should I just say services now?), but the vast majority seems to cover only the issues of authentication and identity management, and neglects the equally important problem of authorization (*1). Although I can’t claim to be a security expert, in a series of posts, I’d like to share some of my thoughts and experiences on implementing authorization in the world of service-oriented architectures.

In this first post, I’d like to take a quick trip through some of the basic terms and definitions of authorization, laying the conceptual groundwork for the later posts. Ok, let’s get started!


Beyond Role-Based Access Control

October 1st, 2010 Ben Northrop

When we think about authorization, we often think users, roles, and permissions. Essentially, what a user can do in a system usually boils down to a simple formula:

John is in Role X
Role X has Permission Y
—————————–
John has Permission Y

And while this role-based model is effective, intuitive, and easy to implement, unfortunately, in most enterprise applications, it isn’t enough - some portion of the authorization requirements can’t be neatly codified in simple user-role-permission relationships.

In this post, I’d like to take a stab at defining some of the tricky (but common) authorization requirements that stretch the boundaries of basic role-based access control. My hope is that by identifying (and putting a name to!) these different types of authorization rules, we’ll be in a better position to determine the authorization solution that best fits our needs - whether it’s a simple role-based approach or a complex policy engine (e.g. Oracle Entitlements Server, Cisco’s Policy Manager, etc.).

Ok, here goes…
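The following is an added example, not code from the post, showing the user-role-permission inference above as runnable Python and then one decision that role membership alone cannot settle. The role names, users, expense records and the two extra rules (an approver may not approve an expense they submitted themselves, and large amounts need a senior role) are constructed illustrations chosen here; the post excerpt does not name its own cases.

```python
from dataclasses import dataclass

# Constructed sample data (not from the post): role -> permissions, user -> roles.
ROLE_PERMISSIONS = {
    "expense_submitter": {"expense:create", "expense:read"},
    "expense_approver": {"expense:read", "expense:approve"},
    "senior_approver": {"expense:read", "expense:approve", "expense:approve_large"},
}

USER_ROLES = {
    "john": {"expense_submitter"},
    "mary": {"expense_submitter", "expense_approver"},
    "alice": {"senior_approver"},
}

# Illustrative threshold above which a plain approver is not enough (assumption).
LARGE_AMOUNT = 5000.0


def rbac_permissions(user):
    """The post's three-line inference: user in role X, role X has permission Y,
    therefore user has permission Y. Unioned over every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(user, permission):
    """Pure role-based check: does any of the user's roles grant the permission?"""
    return permission in rbac_permissions(user)


@dataclass(frozen=True)
class Expense:
    expense_id: str
    owner: str     # the user who submitted it
    amount: float


def can_approve(user, expense):
    """Full decision. Returns (allowed, reason). The first step is ordinary RBAC;
    the next two depend on the relationship between the subject and the resource
    and on a resource attribute, which a user-role-permission table cannot express."""
    # Step 1: role-based part, identical to rbac_allows().
    if not rbac_allows(user, "expense:approve"):
        return False, "no expense:approve permission"
    # Step 2: subject/resource relationship (constructed separation-of-duties rule).
    if expense.owner == user:
        return False, "cannot approve own expense"
    # Step 3: resource attribute gating an extra permission (constructed rule).
    if expense.amount > LARGE_AMOUNT and not rbac_allows(user, "expense:approve_large"):
        return False, "amount exceeds limit for this role"
    return True, "ok"


if __name__ == "__main__":
    # Constructed expenses used to exercise each branch.
    small_by_john = Expense("e1", "john", 200.0)
    marys_own = Expense("e2", "mary", 200.0)
    big_by_john = Expense("e3", "john", 9000.0)
    for user, exp in [("mary", small_by_john), ("mary", marys_own),
                      ("mary", big_by_john), ("alice", big_by_john),
                      ("john", small_by_john)]:
        print(user, exp.expense_id, can_approve(user, exp))
```

Note that `mary` holds the role that grants `expense:approve`, so a role table says yes to every expense; only the second and third checks, which look at who owns the resource and how large it is, produce the answer the business rule actually wants.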

