I don't want this to sound cavalier in any way, but I wonder if this is a place where consent receipts could "paper over" a lot of sins/variances. If there is a specific reason for going against a specific set of authorization data, or lack of authorization data, in a requesting party token, then surely an accounting of exactly what the variance was, with an explanation of the delta against the exact RPT contents, would be a godsend. A couple of thoughts on this idea: - I doubt UMA the spec is ready yet to make a normative reference out to MVCR, but the time seems right to experiment with the idea anyway. - Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her. - Andrew's Shoebox endpoint would be handy about now, so we'd have a nice place to send the receipt. (Alice's AS could choose to host that endpoint for her.) Time for someone (in CIS WG? this one??) to sketch out that spec? - I've observed in the past that the AS has no way, strictly speaking, of knowing whether the client actually did gain access to a resource vs. just attempted it and appeared to succeed based on observation of RPT contents vs. policy. The Shoebox endpoint would nicely do for this plain purpose ("I gave them access per this authorization data"/"I didn't give them access per this authorization data") as well as the more sophisticated purpose ("I gave them access for reason X even though they had authorization data Y"/"I didn't give them access for reason A even though they had authorization data B"). - We could have model clauses that cover each of the four circumstances so that anyone who requires reporting of whatever combination could pull in the necessary clauses. Finally, if this is a viable approach, then indeed Allan is right, and our current clause talking about having to disallow access is all wet. :-) *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Tue, Dec 22, 2015 at 7:14 AM, Lisa Moon < lisa.moon@advocate-consulting.com> wrote:
Allan,
I don't know if this comment will be useful - but here goes.
Your final statement "My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions" exposes part of a much larger problem in consent management...namely, local interpretation of business rules related to privacy, etc.
Local interpretation creates a high degree of variance - making MANY rules difficult to operationalize. Keeping this in mind and finding a common standard, even at a basic technology level would help moderate the variance caused by local interpretation.
Lisa Moon Principal Consultant Advocate Consulting LLC (c) 952-913-7263 lisa.moon@advocate-consulting.com
On Mon, Dec 21, 2015 at 9:38 PM, Allan Foster <allan.foster@forgerock.com> wrote:
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other, theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> .
My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other, the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt..
The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
[image: ForgeRock Logo] *Allan Foster - ForgeRock * *VP Strategic Partner Enablement* *Location:*San Francisco *p:* +1.214.755.9218 *email:* <allan.foster@forgerock.com>allan.foster@forgerock.com *blogs:* blogs.forgerock.com/GuruAllan *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com *www:* www.forgerock.org
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma