
CONCEPT

DEFINITION

A-spec (formerly called an AUTHORIZATION)

is a 3-part entity consisting of a subject + function + qualifier. Note that these 3-part structures bear some similarity to the 3-part structures in RDF: Subject + Verb + Object.

Category

A collection of functions which are typically related in some way. For example, all of the functions within a category may apply to a single application, a set of closely related applications, or a related group of business processes.

Function

is the component of an A-spec that describes the action (or role or group of actions) that the person is allowed to perform. This is the basic unit of an authority assignment from the end-user's perspective. It can represent a discrete task or a collection of tasks that must be enabled together for a person to perform a particular business function or task. A good design will define a function at such a level that a single assignment will suffice to activate all the privileges required for a majority of common needs, but not put so much together that it cannot support the required granularity of control. So it lies somewhere between a job, which has many responsibilities, and a system permission to perform an operation, such as updating a table in a database.

  • Each function belongs to a "Category", or application area.
  • Each function must be interpreted by downstream applications (those that use the Roles Database for access control) to represent some action or set of functionality within the application. Thus, the creation of functions must be coordinated with the application developer.
  • Some functions can apply to more than one application, e.g., financial reporting authorizations apply both to the financial system and the data warehouse.
  • Functions can have parent/child relationships; an authorization for a parent function implies authorizations for all child functions as well.

perMIT

is an authority management system.

QUALIFIER

Qualifiers limit the scope of a function. Qualifiers can be associated with functions in multiple categories, and can be applicable to only a subset of the functions within a category. Qualifiers are typed. Examples of qualifiers include an account number, organization number, budget group, etc. Qualifiers of each type are organized into a hierarchy, so a qualifier can also be a branch of the tree of account numbers, a branch of the tree of organizations, etc. Qualifiers are generally extracted from other systems as part of a nightly feed. Some functions are "all or nothing" and do not require a qualifier; in these cases a placeholder qualifier of NULL is included in the authorization.
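The parent/child rule for functions in the Function entry and the qualifier hierarchy and NULL-qualifier rule in this entry, worked through as one added Python example (not perMIT's or the Roles Database's own code; the function names, organization numbers and A-specs below are constructed):

```python
# Added example (not perMIT's own code): decide whether a subject holds an A-spec
# (subject + function + qualifier) that covers a request. Function and qualifier
# hierarchies and the held A-specs are constructed for illustration.

# Function hierarchy as child -> parent (None = top level). An A-spec for a
# parent function implies authority for every child function.
FUNCTION_PARENT = {
    "FIN_REPORT": None,
    "FIN_REPORT_VIEW": "FIN_REPORT",
    "FIN_REPORT_EXPORT": "FIN_REPORT",
    "APPROVE_INVOICE": None,  # all-or-nothing: carries a NULL qualifier
}
# Qualifier hierarchy of one type (organization numbers), child -> parent.
QUALIFIER_PARENT = {
    "ORG_ROOT": None,
    "ORG_100": "ORG_ROOT",
    "ORG_110": "ORG_100",
    "ORG_200": "ORG_ROOT",
}
UNQUALIFIED_FUNCTIONS = {"APPROVE_INVOICE"}

# Held A-specs as (subject, function, qualifier); None stands for the NULL qualifier.
SAMPLE_ASPECS = {
    ("alice", "FIN_REPORT", "ORG_100"),     # every FIN_REPORT child, under ORG_100
    ("bob", "FIN_REPORT_VIEW", "ORG_200"),  # one leaf function, one org branch
    ("carol", "APPROVE_INVOICE", None),     # all-or-nothing function
}

def lineage(node, parent_map):
    """Yield node and then each ancestor up to the root of its tree."""
    seen = set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node}")  # bad feed data
        seen.add(node)
        yield node
        node = parent_map[node]  # unknown node raises KeyError rather than granting

def is_authorized(aspecs, subject, function, qualifier=None):
    """True if a held (s, f, q) has s == subject, f the function or a parent of
    it, and q the qualifier or an ancestor of it (NULL only for all-or-nothing)."""
    if function in UNQUALIFIED_FUNCTIONS:
        return qualifier is None and (subject, function, None) in aspecs
    if qualifier is None:
        return False  # a scoped function requested without a scope: deny
    return any((subject, f, q) in aspecs
               for f in lineage(function, FUNCTION_PARENT)
               for q in lineage(qualifier, QUALIFIER_PARENT))
```

Note that authority flows only downward: holding a child function (bob's FIN_REPORT_VIEW) never implies its parent, and a qualifier on an all-or-nothing function is rejected rather than ignored.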
