Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'. Please help to put the items in the right spots and correct errors!

- Authorization
  - Authorization policy evaluation
  - Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
  - Bearer methods v proof of possession methods
  - Access control policy, authorization policy
  - Static evaluation, dynamic evaluation
  - Is there an 'authorization equation' for policy evaluation?
    - e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
- Relationship to Identification, Authentication, Access Control
  - The characteristics of each
  - The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an 'authorization equation' approach?)
- Authorization models, processes, protocols
  - SAML, OAuth, UMA
  - Directories, decentralized models
- Access control models
  - RBAC
  - ABAC
  - Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
- Considerations for choosing specific models, protocols
  - Risk
  - Authorization model matching to credential characteristics, identification method, available authenticators
  - Centralized v decentralized
  - Degree of independence of authorization policy decision v access control decision

Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
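As an added illustration of the 'authorization equation' sketched in the post above (example code written for this page, not part of Andrew's message), here is a small policy decision function that selects the most narrowly scoped policy for a resource, evaluates RBAC role and ABAC attribute rules, returns grant, deny or step-up, and logs each event. The policies, subjects and the `aal` (authentication assurance level) field are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    STEP_UP = "step_up"   # trust elevation (e.g. re-authentication) required first

@dataclass
class Rule:
    action: str
    roles: frozenset                           # RBAC: subject needs any one of these roles
    min_aal: int = 1                           # minimum authentication assurance level
    attrs: dict = field(default_factory=dict)  # ABAC: subject attributes that must match

@dataclass
class Policy:
    scope: str        # resource path prefix this policy governs
    rules: list

# Constructed sample policies: a general staff policy and a narrower HR-only policy.
POLICIES = [
    Policy("/docs/", [Rule("read", frozenset({"staff"}))]),
    Policy("/docs/hr/", [Rule("read", frozenset({"hr"}), min_aal=2, attrs={"dept": "hr"})]),
]

def select_policy(policies, resource):
    """Pick the correctly scoped policy: the longest path prefix matching the resource."""
    matches = [p for p in policies if resource.startswith(p.scope)]
    return max(matches, key=lambda p: len(p.scope)) if matches else None

def evaluate(policies, subject, resource, action, log):
    """Select the policy, evaluate it, log the event, and return PERMIT, DENY or STEP_UP."""
    policy = select_policy(policies, resource)
    decision = Decision.DENY                   # no applicable policy or rule means deny
    if policy is not None:
        for rule in policy.rules:
            if rule.action != action or not (rule.roles & subject["roles"]):
                continue
            if any(subject.get(k) != v for k, v in rule.attrs.items()):
                continue
            if subject["aal"] < rule.min_aal:  # right role and attributes, but weak session
                decision = Decision.STEP_UP
                continue
            decision = Decision.PERMIT
            break
    log.append({"subject": subject["id"], "resource": resource, "action": action,
                "policy": policy.scope if policy else None, "decision": decision.value})
    return decision
```

Note that the narrower `/docs/hr/` policy fully replaces the general one for resources under it, so a staff-only subject is denied there rather than falling back to the broader grant.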