Authorization Service Description and Assumptions

Description

Unknown macro: {multi-excerpt} The authorization service provides the means to authorize a system entity to use system resources. It also provides control over access to those resources by system entities.

Key Concepts

Unknown macro: {multi-excerpt-include}

Unknown macro: {multi-excerpt}

Let's define some terms regarding authorization and access control to understand what is required (in security context) to perform an access control on a resource in CollectionSpace. We are relying on Internet Security Glossary and XACML glossary to define these terms.

Authorization is the process by which a properly appointed person or persons grants permission to perform some action on system resources on behalf of an organization.

Access control means protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.

Resource could be data, service or system component (e.g. CollectionObject, Collection X of musuem, etc.)

Access control policy is a set of rules. A policy may identify the set of roles that are permitted to perform a particular action on a resource.

Subject is an actor whose attributes may be referenced by a predicate in a rule. One such attribute could be a role (e.g. CollectionsManager, Curator or Researcher).

Role is an abstract logical grouping of users that is created by the application/system users. A role could be a functional position in an organization.

Delegating Authorization are those authorizations that can be delegated to another principal within the constraints of the initial authorization.

More terms

Rule has a target, an effect and a condition. This rule pertains to an access control policy and it would be different from one or more "business rule" that are part of business activities, processes or workflows.

Target is a set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.

Effect is the intended consequence of a satisfied rule (either "Permit" or "Deny")

Condition is an expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".

Predicate is a statement about attributes whose truth can be evaluated.

A note about groups

Based on our interviews with the community, we found that the administrators of the collection management systems use role to group users when it comes to defining access control policies. Groups are indeed used, but for purposes other than defining the access control policies. Therefore, for simplicity in administration and evaluation of authorizations, we do not include groups in our model. See /wiki/spaces/collectionspace/pages/666274465 for details on one such interview.

Relationships

Following diagram describes the relationships between some of the entities defined above.

Note that for simplicity reasons, we have omitted some entities that are also described in the XACML specifications.

Access control process

Assumptions
  1. A system entity (e.g. a user with Berkeley CalNet ID) has/is already enrolled with at least one identity provider (e.g. CalNet).
  2. System entity could be human or non-human.
  3. A service provider (or relying party, e.g. a CollectionSpace service) relies on the identity provider to identify and verify the identity of the system entity before enforcing any access control decisions.
  4. Authorization is explicit (coded in the form of a policy).
  5. Authorization for a resource has been configured before any access control decision is made on the resource. If not, the decision would be negative.

At a very high level, the authorization and access control processes are carried out as follows in CollectionSpace:

  1. Alice, a person with administration responsibility, configures roles and access control policies for several CollectionSpace resources using Security Console of the Administration Service. Alice configures authorizations for a set of resources in CollectionSpace for persons in role R.
  2. Security Console sends requests to configure/administer various access control policies and roles on behalf of Alice to the Authorization Service.
  3. Bob, an authenticated user, wants to access collection object CO1 from collection ABC. On behalf of Bob, the application that Bob uses to manage collections sends a request (with context identifying Bob's verified identity) to the CollectionObject service.
  4. The CollectionObject service asks the Access Control Service if Bob should be allowed to access the collection object CO1 of collection ABC.
  5. The Access Control Service retrieves various attributes (subject, environment, resource) from the request context provided by the CollectionObject service, determines which access control policies to enforce, enforces one or more policies and returns with the decision such as allowed or denied.
  6. Based on the answer/decision given by the Access Control Service, the CollectionObject service either allows to access to CO1 of ABC or denies the access.

Unknown macro: {multi-excerpt}
Issue: Identifying a tenant(s) at the time of login

As discussed in Account Provisioning, each user is associated with one or more tenant. This information is retrieved as soon as the login is successful but before any CollectionSpace service related operations are performed. This information is kept in the security context. In case where user is associated with more than one tenant, the user would have access to collections of those tenants using the same session.

More restricted case would be where user could choose to operate on a single tenant's collection.

what is the priority for the use case where a user may want to restrict to operate on a single collection?

Tenant qualified security context

Unknown macro: {multi-excerpt}

Once the authentication is successful, the security context should contain tenant-qualified information about the authenticated principal. The CollectionSpace [Authorization Service] should make sure that the context is tenant-qualified post authentication.

Java Subject - some background

In Java, the security context could be in the form of a Subject if JAAS framework is used for authentication. A subject may be any entity, such as a person or a service. Once the subject is authenticated, a Java Subject is populated with associated identities, or principals. A Java Principal could represent any entity, such as an individual, a corporation, and a login id. A Subject may also own credentials. Sensitive credentials that require special protection, such as private cryptographic keys, are stored within a private credential Set. Credentials intended to be shared, such as public key certificates, are stored within a public credential Set. Access to credentials is provided based on permissions.

Security context in the form of a Subject is made available by the Java Application Server to application (mostly, attached to the thread context) once the authentication completes.

CollectionSpace Tenant Group

The CollectionSpace security runtime could further populate the Subject with tenant-specific information post successful authentication. This information could be in the form of a special group called "Tenants". Each member of this group would represent a tenant to whose resources the user principal would have access to. This context could then be used for the following purposes.

  1. Retrieve [tenant-specific bindings] in order to process the service request
  2. Enforce access control policies/permissions (using roles implemented as groups)

Unknown macro: {multi-excerpt}
Issue: Role ambiguity

In a multi-tenant system such as CollectionSpace, resources could be divided into the following two categories:

  1. System specific resources, e.g database, files, administration console, etc.
  2. Resources "owned" by a tenant, e.g. Collection "A" owned by ucmp.berkeley.edu.

There could be three kinds of roles.

  1. System-defined roles (e.g. SystemAdmin) having access to all the resources (e.g. Collections) including those belonging to individual tenants.
  2. Tenant-specific roles having access limited to resources owned by an individual tenant only.
  3. Then there would be some roles that would have access to resources owned by more than one tenant. (e.g. bnhm-administrator would have access to collections of all Berkeley museums). Such a role could be a container of "tenant-specific roles".

Also, there would be three kinds of policies.

  1. Policies that are system-specific, defined by the designers of CollectionSpace
  2. Tenant-specific policies for resources owned by and specific to an individual tenant only.
  3. Container policies having one or more "tenant-specific" policies.

Consider the following scenario: a role named CollectionsManager may have complete control over all actions (e.g. create, view, delete, update) on resource such as Collection A of tenant X (e.g. hearstmuseum.berkeley.edu), however, it may have only limited access (e.g. view only) for actions performed on Collection B of tenant Y (e.g. ucmp.berkeley.edu) even though tenant X and tenant Y both might be part of a larger organization (e.g. berkeley.edu). What this means is that no two seemingly similar roles among the tenants of CollectionSpace may have similar privileges to tenant's respective resources.

Solution

CollectionSpace designers would provide a set of "role and policy templates" to a tenant securing access to a "collection". The tenant-administrator could create specific roles from these templates and use them as-is or customize them as per need. Thus, each role or policy imported from a template would be tenant-qualified and unique.

Unknown macro: {multi-excerpt}

Issue: Application Key-based authorization

The type of application key might indicate certain access rights to the system. How should we relate access control policies with a type of application key?

References

  1. Authentication Service Description and Assumptions
  2. Account Service Description and Assumptions
  3. Administration Service Description and Assumptions
  4. /wiki/spaces/collectionspace/pages/666274889
  5. Internet Security Glossary
  6. Subject
  7. Security Assertion Markup Language (SAML)
  8. XACML glossary

Questions