Authorization
Most of the computer security systems are based on
-
Authentication – ensures that user has access to
the system
-
Authorization – allows the user access to
various resources based on user identity.
o
Role
based authorization
o
Traditionally application use role-based
security to authorize access
§
Permission demands applied in code or
declaratively.
o
Can be applied to operations at the service tier
§
Stack permission demands for windows or custom
roles
o
Roles based authorization is in sufficient
§
Roles changes
§
Permission granted to roles change
§
Not all credentials can be mapped to roles
o
Better to base authorization on permissions not
roles
o
Permission
based authorization
o
Authorize access based on permission required to
execute functionality
o
Permissions should not change
§
Establish permissions required for features
§
Associate permission demands with features
§
Can add new permissions for new feature
o
But permission-based security is not built-in,
nor is it always enough, nor are permissions guaranteed
o
Claim
based authorization
o
Richer than permissions
o
Claim can carry information about
§
User identity
§
Roles or permissions
§
Other useful information about the user
o
Claims are guaranteed by their issuer
§
If the issuer is trusted, claims can be trusted.