Andrew,

Great work!

Suggestions:
- Would the Considerations section be better as a sub section under Authorization Models. I believe that each model should have considerations.
- Should there be an Implementations sub-section that identifies where Authorization models have been implemented. This could include lessons learned.

Ken


On Mon, Jan 23, 2017 at 11:58 AM Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'. 

Please help to put the items in the right spots and correct errors!





  • Authorization
    • Authorization policy evaluation
      • Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
        • Bearer methods v proof of possession methods
      • Access control policy, authorization policy, 
      • Static evaluation, dynamic evaluation
      • Is there an ‘authorization equation’ for policy evaluation?
        • e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
    • Relationship to Identification, Authentication, Access Control
      • The characteristics of each 
      • The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an ‘authorization equation’ approach?)
    • Authorization models, processes, protocols
      • SAML, OAuth, UMA
      • Directories, decentralized models 
      • Access control models
        • RBAC
        • ABAC
      • Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
    • Considerations for choosing specific models, protocols
      • Risk
      • Authorization model matching to credential characteristics, identification method, available authenticators
      • Centralized v decentralized
      • Degree of independence of authorization policy decision v access control decision
















Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 





_______________________________________________

DG-IDPro mailing list

DG-IDPro@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idpro

--
Kenneth Dagg Independent Consultant Identification and Authentication 613-825-2091 kendaggtbs@gmail.com