- From: Marian, Radu <radu.marian@baml.com>
- Date: Fri, 03 May 2013 14:56:19 +0000
- To: Kingsley Idehen <kidehen@openlinksw.com>, "public-vocabs@w3.org" <public-vocabs@w3.org>
Kingsley,

Here is the public url for our task centric iam model: https://www.oasis-open.org/committees/download.php/49053/entitlement.ontology.png

I believe this should be accessible to the public.

In your words - "Resource is a terribly overloaded term" - Ditto, ditto, and ditto. In fact Role explosion is a painful side effect given to us by classic RBAC. The second (or primary) side effect is that RBAC does not distinguish a database column from a checking account - everything is a resource. ABAC has attempted to solve role explosion - but it also unfortunately stays away from business semantics by treating Task as an Environment attribute. The above model introduces a business semantic abstraction layer - Process-Activity-Task - to address both issues.

Here are our current thoughts describing the model:

- Identifier is an instance of User Identity representation. During Entitlements Assignment process a User can be entitled to execute specific Task(s) via Team and Role (80% of the time) or directly as an Exception (20% of the time).
- Team is a human resource container of Roles. The main purpose of the Team type is to speed up and simplify Entitlement Assignment and Approval process.
- Since Roles are created and maintained by IT they do not have an intrinsic business meaning.
- Roles inherit the business meaning from corresponding Business Tasks.
- Roles are simple buckets used to speed up and ease the Entitlement Assignment and Approval processes.
- Tasks are the leaf nodes of a Business Taxonomy that is created and maintained by Business Architects.
- Tasks and Activities are more granular than Roles.
- Tasks are the Duties used by the application team to design Separation of Duty policies.
- Therefore it is impossible to implement Separation of Duties without underlying Business Tasks.
- User does not access a Business Resource directly via its Action. Instead User is entitled to execute a Business Task and the Business Task accesses Business Resource on behalf of the User via Resource Action.
- Process-Activity-Task is an abstraction layer expressed and maintained in a business standard way (Level 0 through Level 4 as specified in eTOM) by Business Architects. Business Taxonomy provides a reference framework to implement Business Segregation of Duties.
- Process-Activity-Task can define not only a Business Taxonomy but an Operations Taxonomy or SDLC Taxonomy as well. SDLC Taxonomy provides a reference framework to implement Technical Segregation of Duties.
- Policy is an Entitlement Constraint on what Tasks a User can have (access assignment time) as well as what Tasks a User can execute (access runtime).
- Business Resources are concepts such as Loan Account or Checking Account. They are not controlling access to physical resources such as Database Table, File, or Dataset but rather are used in context of Tasks to enable fine-grain entitlement assignment.
- Business Entitlements are Task(s) a User is entitled to execute - i.e. coarse-grain business entitlements. A Task can optionally perform an Action on a specific Resource (a specific Loan Account type) in a given Business Context - i.e. fine grain business entitlements.
- Only Tasks serve as input to Provisioning phase. Provisioning should be agnostic of User(s).
- Provisioning is the process of mapping Tasks to Permissions. The output of the Provisioning process is set of Permissions a Task can have.
- System Permissions deal with System Resources such as Database, Table, Column, File, or Mainframe Data Set.
- Application is a package of implemented Tasks a User can execute during Runtime.

Hope that helps to bring out the main point: A User does not have permissions to access a Resource. User is rather entitled to execute Task and the Task accesses the Resource.
Regards,
Radu Marian, MSCS, SCEA, CISSP
Bank of America - Charlotte, NC
VP, Architect 2, Enterprise Security Architecture
Business phone number: (704) 628-6874
an Enterprise without Ontology is like a country without a map.

-----Original Message-----
From: Kingsley Idehen [mailto:kidehen@openlinksw.com]
Sent: Thursday, May 02, 2013 9:20 PM
To: public-vocabs@w3.org
Subject: Re: how to go about creating a new vocab?

On 5/2/13 6:22 PM, Marian, Radu wrote:
> Kingsley,
>
> Thanks for pointing to the Web Access Control vocabulary. To cater to use cases on the Web the WAC needs to be resource centric:
> "allowing different users and groups various forms of access to resources"
> http://www.w3.org/wiki/WebAccessControl

"Resource" is a terribly overloaded term. The "Web" in the Web Access Control vocabulary is simply about data being "webby" and accessible over a network using protocols such as HTTP. Web structured data is just entity relationship model based structured data that leverages URIs as denotation mechanisms for entities and their relation based associations.

>
> The approach that we are taking is Task centric. (the context for
> Tasks - it is a Level 4 item type in a business taxonomy - standards
> such as eTOM - page 19 of
> http://www.oracle.com/us/products/applications/057009.pdf)

A task is a thing i.e., it can be denoted using an identifier e.g., a URI. In addition, said entity has relations that associate it with other entities.

>
> It would be nice if you can get access to CloudAuthZ for more information on the model.

Yes, so please provide me with a URL to a document that describes the model. Ideally, the model should be presented in entity relationship form.
Bottom line, we are all aiming for the same thing, our perceived differences are artificial at best :-)

Kingsley

>
> Regards,
> Radu Marian, MSCS, SCEA, CISSP
> Bank of America - Charlotte, NC
> VP, Architect 2, Enterprise Security Architecture
> Business phone number: (704) 628-6874
> an Enterprise without Ontology is like a country without a map.
>
> -----Original Message-----
> From: Kingsley Idehen [mailto:kidehen@openlinksw.com]
> Sent: Thursday, May 02, 2013 4:43 PM
> To: public-vocabs@w3.org; Marian, Radu
> Subject: Re: how to go about creating a new vocab?
>
> On 5/2/13 12:13 PM, Marian, Radu wrote:
>> Alex,
>>
>> Thank you - I did see them both. They may satisfy basic Web and Social access control needs.
>>
>> However our goal is to standardize on an IAM vocabulary in Cloud/Enterprise. It should cover all IAM phases - Access Design, Request, Approval, Provisioning, Runtime, Review, Analytics, and Reconciliation.
> The suggested vocabularies aren't Web specific per se.
>
> At all phases (as per your list above) there are resources being created (enterprise or Web accessible) to which access controls apply. Thus, you need to align identities and machine- and human-readable entity relationship semantics that manifest as resource access controls or data access policies.
>> Here is the latest model snapshot
>> https://www.oasis-open.org/apps/org/workgroup/cloudauthz/download.php/49053/entitlement.ontology.png
>>
>> P.S. I am working on a write-up to describe this model.
> BTW -- The PNG resource isn't accessible. Are you planning to mark this up using some machine readable notation etc?
>
> Here are some examples of the Web Access Control ontology in action:
>
> 1. http://kingsley.idehen.net/DAV/home/kidehen/Public/ -- although this folder has a cocktail of access controls that determine what identities can do what (via the HTML UI or raw HTTP)
>
> 2. http://bit.ly/UXZEYV -- G+ note about multi-identifier and multi-authentication protocol approach to acls (note: this is all driven by the Web Access Control ontology).
>
> Conclusion:
>
> There's a lot to gain from the Web Access Control vocabulary/ontology in its current form, as a building block.
>
> Kingsley
>> Regards,
>> Radu Marian, MSCS, SCEA, CISSP
>> Bank of America - Charlotte, NC
>> VP, Architect 2, Enterprise Security Architecture
>> Business phone number: (704) 628-6874
>> an Enterprise without Ontology is like a country without a map.
>>
>

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
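The task-centric model Radu describes above (User entitled to Tasks via Team/Role or Exception; Policy as an SoD constraint checked at assignment time and at runtime; Provisioning mapping Tasks, never Users, to System Permissions; the Task rather than the User touching the Resource) can be made concrete in a few dozen lines. The following is an added illustration written for this page, not the CloudAuthZ TC's ontology or any Bank of America code, and it assumes a simplified shape: Roles are sets of Task names, Teams are sets of Roles, an SoD policy is a pair of Task names one User must not hold together, and the lending Tasks, Roles, Teams and permission strings are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Task:
    """Leaf of the Process-Activity-Task taxonomy; optionally acts on a Business Resource."""
    name: str
    activity: str                     # parent Activity in the business taxonomy
    resource: Optional[str] = None    # business resource type, e.g. "LoanAccount"
    action: Optional[str] = None      # resource action the Task performs, e.g. "approve"


class SoDViolation(Exception):
    """Raised when a grant or an execution would let one User hold conflicting Tasks."""


@dataclass
class EntitlementModel:
    tasks: dict[str, Task]
    roles: dict[str, set[str]]            # Role -> Task names; Roles are plain buckets
    teams: dict[str, set[str]]            # Team -> Role names
    sod_policies: set[frozenset[str]]     # Task-name pairs one User must never hold together
    provisioning: dict[str, set[str]]     # Task name -> System Permissions (User-agnostic)
    user_teams: dict[str, set[str]] = field(default_factory=dict)
    user_exceptions: dict[str, set[str]] = field(default_factory=dict)

    def tasks_of_team(self, team: str) -> set[str]:
        return {t for role in self.teams[team] for t in self.roles[role]}

    def entitled_tasks(self, user: str) -> set[str]:
        """Business entitlements: Tasks reachable via Team/Role plus direct Exceptions."""
        via_teams = set().union(*(self.tasks_of_team(t) for t in self.user_teams.get(user, set())))
        return via_teams | self.user_exceptions.get(user, set())

    def sod_violations(self, held: set[str]) -> set[frozenset[str]]:
        """Every SoD policy whose conflicting Task pair is fully contained in `held`."""
        return {pair for pair in self.sod_policies if pair <= held}

    def assign_team(self, user: str, team: str) -> None:
        """Assignment-time Policy check: refuse the grant if the resulting Task set breaks SoD."""
        conflicts = self.sod_violations(self.entitled_tasks(user) | self.tasks_of_team(team))
        if conflicts:
            raise SoDViolation(f"{user} via {team}: {[sorted(p) for p in conflicts]}")
        self.user_teams.setdefault(user, set()).add(team)

    def assign_exception(self, user: str, task_name: str) -> None:
        """The direct-grant path; it is subject to exactly the same SoD Policy."""
        if task_name not in self.tasks:
            raise KeyError(task_name)
        conflicts = self.sod_violations(self.entitled_tasks(user) | {task_name})
        if conflicts:
            raise SoDViolation(f"{user} exception {task_name}: {[sorted(p) for p in conflicts]}")
        self.user_exceptions.setdefault(user, set()).add(task_name)

    def execute(self, user: str, task_name: str) -> set[str]:
        """Runtime check. The User never holds System Permissions: the Task exercises them on
        the User's behalf, so the return value is what the Task (not the User) touches."""
        if task_name not in self.tasks:
            raise KeyError(task_name)
        held = self.entitled_tasks(user)
        if task_name not in held:
            raise PermissionError(f"{user} is not entitled to execute {task_name}")
        conflicts = self.sod_violations(held)   # catches grants that bypassed assign_*()
        if conflicts:
            raise SoDViolation(f"{user} holds conflicting Tasks: {[sorted(p) for p in conflicts]}")
        return set(self.provisioning.get(task_name, set()))


def build_sample_model() -> EntitlementModel:
    """Constructed sample data: a hypothetical lending slice of a business taxonomy."""
    tasks = {
        "RequestLoan": Task("RequestLoan", "LoanOrigination", "LoanAccount", "create"),
        "ApproveLoan": Task("ApproveLoan", "CreditDecision", "LoanAccount", "approve"),
        "ReviewLoan": Task("ReviewLoan", "LoanServicing", "LoanAccount", "read"),
    }
    return EntitlementModel(
        tasks=tasks,
        roles={"loan_officer": {"RequestLoan", "ReviewLoan"},
               "credit_approver": {"ApproveLoan", "ReviewLoan"}},
        teams={"lending_desk": {"loan_officer"}, "credit_committee": {"credit_approver"}},
        # Business SoD: whoever requests a loan must not be the one who approves it.
        sod_policies={frozenset({"RequestLoan", "ApproveLoan"})},
        # Provisioning output: Task -> System Permissions on the physical resource.
        provisioning={"RequestLoan": {"db.loans:INSERT"},
                      "ApproveLoan": {"db.loans:UPDATE(status)"},
                      "ReviewLoan": {"db.loans:SELECT"}},
    )


if __name__ == "__main__":
    m = build_sample_model()
    m.assign_team("alice", "lending_desk")
    m.assign_team("bob", "credit_committee")
    m.assign_exception("carol", "ReviewLoan")
    print("alice ->", sorted(m.entitled_tasks("alice")))
    print("bob executes ApproveLoan through", m.execute("bob", "ApproveLoan"))
    try:
        m.assign_team("alice", "credit_committee")
    except SoDViolation as e:
        print("assignment refused:", e)
    try:
        m.execute("alice", "ApproveLoan")
    except PermissionError as e:
        print("runtime refused:", e)
```

Two design points follow directly from the thread. `provisioning` is keyed by Task only, so the Task-to-Permission mapping can be built and reviewed with no User in the picture, and `execute` re-runs the SoD check against the User's full Task set, so a conflicting grant that slipped in outside the assignment path is still caught at runtime rather than only at approval time.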
Received on Friday, 3 May 2013 14:56:54 UTC