perMIT Glossary
AUTHORIZATION
is a 3-part entity, consisting of a person + function + qualifier. Note that these 3-part structures bear some similarity to the 3-part structures in RDF or the Semantic Web: Subject + Verb + Object
authorization
is the technical step of allowing or denying access to resources based on business rules created by the service owner (subject to enterprise policy). The business rules are generally expressed as access control lists that leverage identity attributes that are defined and maintained by the enterprise. There is a wide variety in the architecture and style of expressing, mixing, and optimizing identity attributes, roles, privilege and access control lists (ACLs) for efficient management of authorization across the enterprise. (from CMU Identity glossary)
FUNCTION
is the component of an Authorization that describes the action (or role or group of actions) that the person is allowed to do.
- Each function belongs to a "Category", or application area
- Each function must be interpreted by downstream applications (those that use the Roles Database for access control) to represent some action or set of functionality within the application. Thus, the creation of functions must be coordinated with the application developer.
- Some functions can apply to more than one application, e.g., financial reporting authorizations apply both to the financial system and the data warehouse.
- Functions can have parent/child relationships; an authorization for a parent function implies authorizations for all child functions as well.
QUALIFIER
can be an account number, organization number, budget group, etc.. Since qualifiers of each type are organized into a hierarchy, a qualifier can also be a branch of the tree of account numbers, a branch of the tree of organizations, etc. Qualifiers are generally extracted from other systems as part of a nightly feed. Some functions are either "all or nothing" and do not require a qualifier; in these cases a placeholder qualifier of NULL is included in the authorization.