Summa

When we think about authorization, we often think users, roles, and permissions. Essentially, what a user can do in a system usually boils down to a simple formula:

And while this role-based model is effective, intuitive, and easy to implement, unfortunately, in most enterprise applications, it isn’t enough - there are some portion of authorization requirements that can’t be neatly codified in simple user-role-permission relationships.

In this post, I’d like to take a stab at defining some of the tricky (but common) authorization requirements that stretch the boundaries of basic role-based access control. My hope is that by identifying (and putting a name to!) these different types of authorization rules, we’ll be in a better position to determine the authorization solution that best fits our needs - whether it’s a simple role-based approach or a complex policy engine (e.g Oracle Entitlements Server, Cisco’s Policy Manager, etc.).

Ok, here goes…

Continue Reading Add comment

In a previous post, I laid some of the conceptual groundwork for authorization in the tricky world of SOA. Now, a year older and a year wiser (I hope!), I’d like to swing back around to the topic of authorization, but broaden the scope a bit - talking not just about authorization and SOA, but about authorization and the whole enterprise “ecosystem” (services, applications, user interfaces, etc.).

In this post I’d like to describe the decentralized, “every man for themselves” model of authorization that is most common in organizations, and the problems inherent. In later posts I hope to touch on some possible paths out of this chaos - the XACML standard, the model of pre-determined access control, and attribute services. Here goes…

Continue Reading Add comment

Every once in a while, I’ll talk with somebody who’s confused about hashed passwords and the notion of cryptographic salt; what it is, and why you use it.  It’s really a simple idea that greatly enhances password security.  For those that are curious, here’s a 100,000 foot overview that glosses over many of the details but will give you the general idea.

Continue Reading 3 comments

There are many things to consider when integrating with Software as a Service (SaaS) solutions, some of which are easily overlooked. In many aspects, integrating with SaaS is similar to integrating with packaged products, but it is often more challenging due to the intricacies of integrating with a system hosted outside your network. In this blog post, I will go over some key planning considerations to be made in terms of data modeling, mapping, security, integration strategies and data cleansing among others.  

Continue Reading Add comment

There’s plenty of talk about security and SOA (or should I just say services now?), but the vast majority seems to cover only the issues of authentication and identity management, and neglects the equally important problem of authorization (*1). Although I can’t claim to be a security expert, in a series of posts, I’d like to share some of my thoughts and experiences on implementing authorization in the world of service-oriented architectures.

In this first post, I’d like to take a quick trip through some of the basic terms and definitions of authorization, laying the conceptual groundwork for the later posts. Ok, let’s get started!

Continue Reading 6 comments