Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'. 

Please help to put the items in the right spots and correct errors!

  • Authorization
    • Authorization policy evaluation
      • Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
        • Bearer methods v proof of possession methods
      • Access control policy, authorization policy
      • Static evaluation, dynamic evaluation
      • Is there an ‘authorization equation’ for policy evaluation?
        • e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
    • Relationship to Identification, Authentication, Access Control
      • The characteristics of each 
      • The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an ‘authorization equation’ approach?)
    • Authorization models, processes, protocols
      • SAML, OAuth, UMA
      • Directories, decentralized models 
      • Access control models
        • RBAC
        • ABAC
      • Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
    • Considerations for choosing specific models, protocols
      • Risk
      • Authorization model matching to credential characteristics, identification method, available authenticators
      • Centralized v decentralized
      • Degree of independence of authorization policy decision v access control decision

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

Identity Management | IT Governance | Information Security
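The 'authorization equation' sketched above (identified entity + requested resource -> select the correctly-scoped policy -> evaluate -> grant / deny / require trust elevation -> log), written out as a toy policy decision point. This is an added illustration, not code from the original post; the policies, subjects and the longest-prefix scope rule are constructed assumptions.

```python
"""Toy policy decision point (PDP) for the 'authorization equation':
select the scoped policy, evaluate it, decide grant / deny / step-up, log it."""
from dataclasses import dataclass

GRANT, DENY, STEP_UP = "grant", "deny", "step_up"


@dataclass
class Subject:
    id: str
    roles: set     # RBAC input
    attrs: dict    # ABAC input, e.g. {"dept": "finance", "loa": 1}


@dataclass
class Policy:
    scope: str     # resource path prefix this policy is scoped to
    roles: set     # subject needs at least one of these roles
    attrs: dict    # every listed attribute must match
    min_loa: int   # assurance level required; below it -> trust elevation


# Constructed sample policies (assumption, not from the post)
POLICIES = [
    Policy("/finance/reports", {"analyst", "cfo"}, {"dept": "finance"}, 1),
    Policy("/finance/wire", {"cfo"}, {"dept": "finance"}, 2),
]

AUDIT_LOG = []   # every evaluation is recorded, grants and denies alike


def select_policy(resource):
    """Most specific (longest scope prefix) policy that covers the resource."""
    matches = [p for p in POLICIES if resource.startswith(p.scope)]
    return max(matches, key=lambda p: len(p.scope)) if matches else None


def evaluate(subject, resource):
    """Return grant / deny / step_up for this subject and resource, and log it."""
    policy = select_policy(resource)
    if policy is None:
        decision, reason = DENY, "no applicable policy"   # default-deny
    elif not (subject.roles & policy.roles):
        decision, reason = DENY, "role not permitted"
    elif any(subject.attrs.get(k) != v for k, v in policy.attrs.items()):
        decision, reason = DENY, "attribute constraint failed"
    elif subject.attrs.get("loa", 0) < policy.min_loa:
        decision, reason = STEP_UP, "assurance level below policy minimum"
    else:
        decision, reason = GRANT, "policy satisfied"
    AUDIT_LOG.append({"subject": subject.id, "resource": resource,
                      "policy": policy.scope if policy else None,
                      "decision": decision, "reason": reason})
    return decision
```

Note that the step-up branch only fires after role and attribute checks pass, so a subject who could never be granted access is not asked to re-authenticate for nothing.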