Folks, I am concerned about putting specific obligations on the RS and thus subjugating it to the AS.

Specifically, to allow for Enterprise MAC with UMA participation, where the end user is a participant in the access control decision, but not the only participant.


  1. Resource Server Operator-Authorizing Party: Delegate-Protection
     For the period that the Resource Server Operator and Authorizing Party have mutually agreed to serve in these respective roles for each other, the Resource Server Operator gains an obligation to the Authorizing Party to delegate protection services to the Authorization Server Operator for the set of protectable resources for which it represents this capability to the Authorizing Party, and to respect the authorization data that the Authorization Server has associated with an RPT when the Resource Server subsequently allows or disallows access by the Client that presented that RPT.
My concern here is that it delegates "protection services" to the AS, and this feels a little like an all-or-nothing. This might not be true in the case where the RO is only one party in the access control decision.

  1. Resource Server Operator-Authorization Server Operator: Respect-Permissions
     For the period that the Resource Server Operator and Authorization Server Operator have mutually agreed to serve in these respective roles for each other, the Resource Server Operator gains an obligation to the Authorization Server Operator to disallow access by a Client presenting an RPT in all cases where the authorization data associated by the Authorization Server is insufficient for the access attempt.
The RS is obligated to disallow access if the AS cannot provide sufficient rights - in all cases.

This has several implications. If the RS has additional business rules whereby a party might get access even though they are not UMA authorized (break glass? Admin or Help Desk), the RS HAS to determine if a user is a special user BEFORE making the request to the AS, since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.

It feels a little bit like don't ask don't tell!

My concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.

Allan




--

Allan Foster - ForgeRock
VP Strategic Partner Enablement
Location:San Francisco
p: +1.214.755.9218
email: allan.foster@forgerock.com
blogs: blogs.forgerock.com/GuruAllan
Skype: Call GuruAllan
www: www.forgerock.com
www: www.forgerock.org
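The ordering argument in the message above (local exceptions must be checked before the AS is asked, because the Respect-Permissions obligation leaves no room to opt out afterwards) can be made concrete with a small model of the Resource Server's enforcement point. The code below is an added illustration, not part of the original post and not code from any UMA implementation; the `Permission` record is a simplified stand-in for the authorization data an AS returns on RPT introspection, and the RPT store, the `helpdesk-1` exception and the resource set `rs-123` are constructed sample data. It shows the two evaluation orders side by side: `decide_local_first` applies the RS's own business rule before consulting the AS, while `decide_as_first` consults the AS first and, reading the obligation literally, must deny once the AS's data is insufficient even though a local exception exists.

```python
"""Toy model of a UMA Resource Server enforcement point (added example).

Assumptions (constructed for illustration, not from the UMA spec or any
implementation): Permission approximates one entry of the authorization data
an AS returns when an RPT is introspected; RPT_STORE stands in for the AS;
LOCAL_EXCEPTIONS is the RS's own business rule (help desk / break glass).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    """One granted permission: resource set, allowed scopes, expiry (Unix time)."""
    resource_set_id: str
    scopes: frozenset
    exp: int


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # requesting party as identified by the RS
    rpt: Optional[str]      # RPT presented by the client, if any
    resource_set_id: str    # protected resource set being accessed
    scope: str              # action attempted


# Constructed sample: what the AS would answer for two RPTs.
RPT_STORE = {
    "rpt-alice-valid": [Permission("rs-123", frozenset({"read"}), exp=2_000_000_000)],
    "rpt-bob-expired": [Permission("rs-123", frozenset({"read", "write"}), exp=1_000)],
}

# Constructed local business rule: (subject, resource set) pairs the RS admits
# regardless of UMA authorization data, e.g. help-desk access.
LOCAL_EXCEPTIONS = {("helpdesk-1", "rs-123")}


def introspect_rpt(rpt: Optional[str]) -> List[Permission]:
    """Stand-in for asking the AS about an RPT; no RPT means no permissions."""
    if rpt is None:
        return []
    return RPT_STORE.get(rpt, [])


def uma_sufficient(perms: List[Permission], req: AccessRequest, now: int) -> bool:
    """True if the AS's data covers this resource set and scope and is unexpired."""
    return any(
        p.resource_set_id == req.resource_set_id and req.scope in p.scopes and p.exp > now
        for p in perms
    )


def decide_local_first(req: AccessRequest, now: int, audit: List[str]) -> Tuple[str, str]:
    """RS evaluates its own exceptions BEFORE contacting the AS."""
    if (req.subject, req.resource_set_id) in LOCAL_EXCEPTIONS:
        # Exception paths are high-risk; every use is recorded for review.
        audit.append(f"local-exception subject={req.subject} "
                     f"rs={req.resource_set_id} scope={req.scope}")
        return ("allow", "local-exception")
    if uma_sufficient(introspect_rpt(req.rpt), req, now):
        return ("allow", "uma")
    return ("deny", "uma-insufficient")


def decide_as_first(req: AccessRequest, now: int, audit: List[str]) -> Tuple[str, str]:
    """RS contacts the AS first; under a literal Respect-Permissions reading it
    is then bound to deny when the AS's data is insufficient, so the local
    exception can no longer be applied."""
    if uma_sufficient(introspect_rpt(req.rpt), req, now):
        return ("allow", "uma")
    if (req.subject, req.resource_set_id) in LOCAL_EXCEPTIONS:
        audit.append(f"exception-suppressed subject={req.subject} "
                     f"rs={req.resource_set_id} reason=respect-permissions")
    return ("deny", "uma-insufficient")


if __name__ == "__main__":
    now = 1_500_000_000
    log: List[str] = []
    helpdesk = AccessRequest("helpdesk-1", None, "rs-123", "read")
    print("local-first:", decide_local_first(helpdesk, now, log))
    print("as-first:   ", decide_as_first(helpdesk, now, log))
    for line in log:
        print("audit:", line)
```

Run stand-alone, the script shows the same help-desk request allowed by the first ordering and denied by the second, with the audit trail recording which rule fired; the difference between the two functions is exactly the opt-out the message argues the RS must keep.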