Application of URNs to Authorization
and some other exotic uses

Victoriano Giralt
Central Computing Facility, University of Málaga
Zagreb, January 31st, 2006

Application of URNs to AuthZ
Contents

1 Use cases of URNs in Entitlements
    Expenses Authorization Control
    Mobile phone number usage control
2 URNs for adding hierarchies
    Object classification
    Classifications use cases
3 URN handling problems
4 The future
1 Use cases of URNs in Entitlements
Expenses Authorization Control (state: production)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:applAccess:SolicitudGasto:LEVEL

Assigns access rights to the designated application:

Function
    entitlement: the URN describes a right for a user or role.
    applAccess: kind of right, access to an application in this case.
    SolicitudGasto: application the right is granted on.
    LEVEL: granted access level, application specific: RUG, ROU, RGE.

Usage
    LDAP search: the application does a standard directory search to find out whether the user that has been authenticated has the right to use it, and which access level has been granted to her.
    Query via web service: the application queries a web service with user and application identifier as inputs and obtains the access level, or the absence of the right to use.
    Future: PAPI. We are preparing a migration path for our applications, such that, once the user has been authenticated by PAPI, the assertion will carry application specific AuthZ information derived from the entitlements stored in the user's entry in the directory.

Advantages
    Unique authorization point: all of an object's authorizations, both explicit and implicit, are centrally kept in a directory entry.
    A sole authorization model: URNs allow us to express all authorization in a common form, with application specific semantics.
    Agent-Function-Qualifier: who can do what on which object.
Mobile phone number usage control (a more complicated case)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:attrAccess:mobile:VALUE

User to application
    Personal management of permissions: the user grants permissions on his data to applications. May we use entitlements? Is it unorthodox? A new irisUserPrivateAttribute?

The problem
    Attribute access control: different applications may want to use an attribute; the user can decide whether she permits the use of the attribute or not, for the purposes of each of them.
    mobile: this attribute can be used by several applications, like:
        + changing forgotten passwords
        + sending marks
        + sending notices

Examples
    VALUE = passwordChange: the user allows the SMS gateway to use his mobile phone number for the password change function. From another point of view, the user authorizes the use of his mobile phone number for starting a password change.
    VALUE = marks: the user authorizes the use of her mobile phone number for accessing her marks and for sending them to that number.
    VALUE = maySpam: the user allows the use of his mobile phone number for sending notices from the University.

BUT ...
    irisUserEntitlement: holds permissions granted to the object (user).
    irisUserPrivateAttribute: holds access permissions that the object (user) grants on her attributes.
    A new irisUserPrivateAttribute? Should we migrate to a URN based model? Would it work?
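Both entitlement shapes above, applAccess with a LEVEL (Expenses Authorization Control) and attrAccess with a purpose VALUE (mobile phone number usage control), are plain strings, so an application's check is a parse followed by an exact compare. The following is an added example, not code from the presentation or from the University of Málaga's directory: it parses both forms, builds the RFC 4515 escaped filter that the "LDAP search" usage would send, returns an application's level only when it is one the application knows (fail closed), and answers the mobile-number purpose question with default deny. The in-memory directory, the uids, the ADMIN value and the per-application level table are constructed assumptions; only the URN prefix, the attribute names and the SolicitudGasto levels RUG, ROU, RGE come from the slides.

```python
# Added example, not code from the presentation or from the University of Málaga:
# a small evaluator for the two irisUserEntitlement URN shapes shown on the slides.
# Assumptions (mine): entries are an in-memory dict standing in for the directory,
# uids and the ADMIN value are constructed, and the allowed LEVEL set per
# application is configuration that the slides only list for SolicitudGasto.
import re
from typing import Dict, List, Optional

PREFIX = "urn:mace:rediris.es:uma.es:entitlement"

# Three colon-separated fields after the prefix: kind, target, value.
URN_RE = re.compile(
    r"^urn:mace:rediris\.es:uma\.es:entitlement:"
    r"(?P<kind>[A-Za-z]+):(?P<target>[A-Za-z0-9]+):(?P<value>[A-Za-z0-9]+)$"
)

# Levels each application knows; only SolicitudGasto's come from the slides.
APP_LEVELS: Dict[str, set] = {"SolicitudGasto": {"RUG", "ROU", "RGE"}}


def parse_entitlement(urn: str) -> Optional[Dict[str, str]]:
    """Split a URN into kind/target/value, or None if it is not of this form."""
    m = URN_RE.match(urn)
    return m.groupdict() if m else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so a caller-supplied uid or app name cannot reshape the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def access_filter(uid: str, app: str) -> str:
    """The directory search an application would issue to locate its right and level."""
    return (
        f"(&(uid={ldap_escape(uid)})"
        f"(irisUserEntitlement={PREFIX}:applAccess:{ldap_escape(app)}:*))"
    )


# Constructed sample entries (not real directory data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"irisUserEntitlement": [
        f"{PREFIX}:applAccess:SolicitudGasto:RGE",
        f"{PREFIX}:attrAccess:mobile:marks",
        f"{PREFIX}:attrAccess:mobile:passwordChange",
    ]},
    "bob": {"irisUserEntitlement": [
        f"{PREFIX}:applAccess:SolicitudGasto:ADMIN",  # constructed: not a level the app knows
        f"{PREFIX}:attrAccess:mobile:maySpam",
    ]},
}


def access_level(uid: str, app: str) -> Optional[str]:
    """Level granted to uid on app, or None: no entry, no right, or an unknown level (fail closed)."""
    entry = DIRECTORY.get(uid, {})
    for urn in entry.get("irisUserEntitlement", []):
        p = parse_entitlement(urn)
        if p and p["kind"] == "applAccess" and p["target"] == app:
            if p["value"] in APP_LEVELS.get(app, set()):
                return p["value"]
    return None


def may_use_attribute(uid: str, attribute: str, purpose: str) -> bool:
    """True only if the user granted `attribute` for exactly this purpose (default deny)."""
    entry = DIRECTORY.get(uid, {})
    for urn in entry.get("irisUserEntitlement", []):
        p = parse_entitlement(urn)
        if p and p["kind"] == "attrAccess" and p["target"] == attribute and p["value"] == purpose:
            return True
    return False


if __name__ == "__main__":
    print(access_filter("alice", "SolicitudGasto"))
    print(access_level("alice", "SolicitudGasto"), access_level("bob", "SolicitudGasto"))
    print(may_use_attribute("alice", "mobile", "marks"), may_use_attribute("alice", "mobile", "maySpam"))
```

The trailing `:*` in the filter only locates entries that hold some right on the application; the level is read from the returned attribute value and validated against the application's own table, never inferred from the filter match. Escaping the uid and application name before interpolating them is what keeps a caller-supplied value from turning the search into a broader one.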
2 URNs for adding hierarchies
Object classification: of hierarchies and sparse trees

We have had the opportunity of designing our enterprise directory from scratch very recently, learning from many others' successes and mistakes.

Shallow trees
    Few one-level branches: real world usage has shown us that storing objects inside a flat structure, with a few branches for similar object types just one level beneath the organization root, is more practical and requires less administration.

Hierarchies
    Organizations DO have hierarchies: regardless of the internal directory structure, there is an organizational hierarchy for many of the objects stored in it. Therefore, there is a need for presenting entries in a hierarchical form.

Virtual views
    Several hierarchies for the same set: often, the same type of objects has to be presented with a different structure. This is difficult to solve with traditional approaches. It is quite easy to do using classification codes stored as URNs.
Use cases for classifications: different views of the same tree

Classifications describe hierarchies using variable length codes, adding a new code element for each new level. Code element size is fixed for each classification.

Classifications branch
    dn: dc=classif,dc=uma,dc=es
    objectClass: top
    objectClass: organizationalUnit
    objectClass: dcObject
    dc: classif
    ou: classif

Classification root
    dn: dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
    objectClass: top
    objectClass: organizationalUnit
    objectClass: dcObject
    dc: umaLoc-1.0
    ou: umaLoc-1.0

Classification entry
    dn: copaCode=a01b01c01d03e05,dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
    objectClass: top
    objectClass: copaArea
    copaName: Director's office
    copaCode: a01b01c01d03e05
    description: The office of the director of the Polytechnic School
Use cases for classifications: different views of the same tree

A person's entry can hold as many classification codes as needed in order to place her in different hierarchies.

irisClassifCode = urn:mace:rediris.es:uma.es:classif:umaLoc:1.0:a01b01c01d03e05
irisClassifCode = urn:mace:rediris.es:uma.es:classif:umaOrg:1.0:a1b1c1d1e1

Classification
    Name of the classification: this tells which classification the code belongs to.
        umaLoc: Geographical location
        umaOrg: Organizational roles (its levels have fewer nodes, hence the shorter code elements)

Version
    Classification version: the versioning information is important in order to know that object entries are up to date when presenting them using one precise classification.

Code
    Entry's classification code: the code places the entry in an exact location in the University premises. Each element adds one level:
        a01: Campus "El Ejido"
            a01b01: Polytechnic School
                a01b01c01: Administration Building
                    a01b01c01d03: Third floor
                        a01b01c01d03e05: Director's office
Use cases for classifications: different views of the same tree

Once the persons' entries hold various classification codes it is possible to overlay different hierarchical views over an otherwise shallow directory. These views can be navigated using data stored in the directory.

Main entry
    Available views defined at root: the root entry holds an attribute listing the virtual views that can be overlaid on the directory.
        copaMainNav: dc=umaLoc-vv1,dc=vviews,dc=uma,dc=es
        copaMainNav: dc=umaOrg-vv1,dc=vviews,dc=uma,dc=es

Virtual view
    Information for presenting the view: virtual view entries have attributes that hold all the information a program needs for doing the searches that present the objects according to the desired hierarchy.
        Search base for retrieving a classification.
            copaClassifBase: dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
        URN prefix of the classification codes.
            copaPrefix: urn:mace:rediris.es:uma.es:classif:umaLoc:1.0
        Object class for the classification elements.
            copaAreaObjectClassName: copaArea
        Attribute of the classification entries that holds the codes.
            copaCodeAttr: copaCode (example value: a01b01c01d03e05)
        Attribute of the classification entries that holds the printable name of the code.
            copaPrintAttr: copaName (example value: Director's office)
        Attribute of the object entries that holds the classification codes.
            copaCodeResourceAttr: irisClassifCode
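The code breakdown (a01 down to a01b01c01d03e05) and the virtual-view attributes above amount to a small algorithm: strip copaPrefix (which pins both the classification and its version), cut the remaining code into fixed-size elements, and look each ancestor prefix up under copaClassifBase by copaCodeAttr to print copaPrintAttr. The following is an added example, not the presentation's or the University's code. It models the view entries and the classification branches as in-memory dicts using the attribute names from the slides; the element size (3 characters for umaLoc, 2 for umaOrg) is read off the example codes and stored in a field of my own, since the slides name no such attribute; the umaOrg node names are invented. A code whose version does not match the view, a ragged code, or a code pointing at a node the classification lacks all resolve to nothing rather than to a partial path.

```python
# Added example, not code from the presentation: resolve an irisClassifCode URN
# through a virtual-view definition into the printable path of its hierarchy,
# and pick out of a person's entry only the codes that belong to one view.
# Assumptions (mine): the view and the classification branch are in-memory dicts
# using the attribute names from the slides; "elementSize" is my own field, read
# off the example codes (3 chars for umaLoc, 2 for umaOrg); umaOrg names invented.
from typing import Dict, List, Optional

# Virtual-view entries, attribute names as on the slides.
UMALOC_VIEW = {
    "copaClassifBase": "dc=umaLoc-1.0,dc=classif,dc=uma,dc=es",
    "copaPrefix": "urn:mace:rediris.es:uma.es:classif:umaLoc:1.0",
    "copaAreaObjectClassName": "copaArea",
    "copaCodeAttr": "copaCode",
    "copaPrintAttr": "copaName",
    "copaCodeResourceAttr": "irisClassifCode",
    "elementSize": 3,  # assumption, not a slide attribute
}
UMAORG_VIEW = dict(UMALOC_VIEW,
                   copaClassifBase="dc=umaOrg-1.0,dc=classif,dc=uma,dc=es",
                   copaPrefix="urn:mace:rediris.es:uma.es:classif:umaOrg:1.0",
                   elementSize=2)

# Constructed classification branches, keyed by search base: copaCode -> copaName.
CLASSIF: Dict[str, Dict[str, str]] = {
    UMALOC_VIEW["copaClassifBase"]: {
        "a01": "Campus \u201cEl Ejido\u201d",
        "a01b01": "Polytechnic School",
        "a01b01c01": "Administration Building",
        "a01b01c01d03": "Third floor",
        "a01b01c01d03e05": "Director\u2019s office",
    },
    UMAORG_VIEW["copaClassifBase"]: {  # invented names
        "a1": "University", "a1b1": "Schools", "a1b1c1": "Polytechnic School",
        "a1b1c1d1": "Direction", "a1b1c1d1e1": "Director",
    },
}


def split_code(code: str, size: int) -> List[str]:
    """Cut a variable-length code into fixed-size elements; reject ragged codes."""
    if size <= 0 or not code or len(code) % size:
        raise ValueError(f"{code!r} is not a whole number of {size}-character elements")
    return [code[i:i + size] for i in range(0, len(code), size)]


def code_from_urn(urn: str, view: dict) -> Optional[str]:
    """Bare code if the URN carries this view's classification AND version, else None."""
    prefix = view["copaPrefix"] + ":"
    if not urn.startswith(prefix):
        return None  # another classification, or an outdated version of this one
    return urn[len(prefix):] or None


def hierarchy_path(urn: str, view: dict) -> Optional[List[str]]:
    """Printable names from the root down to the node the code designates."""
    code = code_from_urn(urn, view)
    if code is None:
        return None
    try:
        elems = split_code(code, view["elementSize"])
    except ValueError:
        return None
    names = CLASSIF[view["copaClassifBase"]]
    path = []
    for depth in range(1, len(elems) + 1):
        ancestor = "".join(elems[:depth])
        if ancestor not in names:
            return None  # dangling code: the classification has no such node
        path.append(names[ancestor])
    return path


def view_codes(entry: Dict[str, List[str]], view: dict) -> List[str]:
    """Codes in a person's entry that belong to this view (other views are ignored)."""
    urns = entry.get(view["copaCodeResourceAttr"], [])
    return [c for c in (code_from_urn(u, view) for u in urns) if c]


if __name__ == "__main__":
    person = {"irisClassifCode": [
        "urn:mace:rediris.es:uma.es:classif:umaLoc:1.0:a01b01c01d03e05",
        "urn:mace:rediris.es:uma.es:classif:umaOrg:1.0:a1b1c1d1e1",
    ]}
    for view in (UMALOC_VIEW, UMAORG_VIEW):
        for code in view_codes(person, view):
            full = view["copaPrefix"] + ":" + code
            print(view["copaPrefix"], "->", " / ".join(hierarchy_path(full, view)))
```

Matching on the full copaPrefix including the version is what makes the version field on the slide do its job: an entry still carrying a umaLoc:0.9 code simply does not appear in the 1.0 view, instead of being placed under a node whose meaning may have changed.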
3 URN handling problems
On URN handling problems, or, more precisely, their absence

URN usage problems are more perceived than real.

Searching for URNs
    URN = text string: when properly indexed, LDAP shines for its speed in substring searching, regardless of length. (We have benchmarks to back this.)

Entitlement processing
    Entitlement = multivalued attribute: processing is not more complex than with any other multivalued attribute.

URN processing
    URN = text string: searching for information inside a URN is just string processing, which most programming languages in use can easily accomplish.
4 The future
The future is uncertain

We are building an AAI based on the ideas presented here. We have tried hard to apply AAI concepts to applications produced by teams that are far from middleware. And many doubts have arisen.

Rule out LDAP?
    The access, NOT the directory: the directory can't know whether the application is using the credentials it should use. Applications could therefore use information they are not authorized to.
    Credentials control: applications SHOULD NOT have access to user credentials. Why? They may abuse them. We have already done that.

Our quest for a solution
    Web services: as an interface between applications and the directory. Attribute access policy enforcement can be verified. Good for in-house applications. Difficult for third party applications.
    Kerberos: can do AuthN. Can do AuthZ? There are kerberized third party applications, but not many.
    Web AAI: easily applied to web applications with source. Can be ported to web servers to avoid application modification. Non-web applications?