[policy-charter] Authorization Use Cases
David Brossard
david.brossard at gmail.com
Thu Jun 22 18:26:22 UTC 2023
I am looking at my notes from the past 15 years (yikes, that old) and I see
customers and use cases across nearly every vertical. Financial services,
Government (especially sensitive areas), and regulated industries
(healthcare & insurance but also export-controlled companies) are all
verticals that need authorization.
In terms of use cases, it ranges from:
- Developer efficiency
  - Rather than implement basic checks in code, let the "rules engine" decide
- Business drivers
  - business use cases: a health insurance agent can see an insurance claim
    in the region they are assigned to
- Legal & Compliance
  - legal use cases: No one can see a customer's SSN except for the customer
  - export control: it would be worth checking out the XACML Export Control
    profile
    <http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html>.
    We can reach out to the authors too (2 of them, John Tolbert and Richard
    Hill, now work at Kuppinger Cole and might be interested in helping)
  - compliance:
    - four-eyes principle, e.g. 2 individuals needed to approve a PO above $X
    - Segregation of duty: an approver cannot approve a PO they
      created/submitted
- Governance simplification
  - Move away from RBAC-driven authZ (and all it implies) to policy-driven ABAC
One recurring question is where authz use cases start and stop. I remember
a banking customer telling me the following story: *we run a credit card
company and we want to send paper bills every billing cycle (30-45 days).
We want to let customers choose to go paperless but if they miss a payment,
we want to override the preference and still send a paper copy. Should that
be an authorization use case/rule?*
My general answer has always been: if security/compliance/legal care(s)
then YES. Otherwise, up to you but don't overdo it. That example, unless
the paper bill is mandated by law (e.g. a credit card piece of
legislation), is NOT an authorization use case in my mind.
I've added some of the use cases to this doc and made it read-only
<https://docs.google.com/document/d/1DJ37bC_6Np57N12AJ_MCCGh6ImmzFQZ9IgkQOH-Mz_A/edit>.
Feel free to ask for edit rights.
David
On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <
policy-charter at lists.openid.net> wrote:
> I did start one indeed... Will try to complete it by end of day and share
> it on GDrive....
> regards,
>
> ./\.
>
> On Tue, Jun 20, 2023 at 4:24 AM Pieter Kasselman via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> Hi folks, when we met at Identiverse, one of the topics that came up was
>> the collection of use cases, in addition to PEP/PDP and Admin Policy Push.
>> Is there an existing document we can use as a starting point for use cases
>> from last year, or do we need to start collecting them afresh? The use
>> cases may help us with scoping and expressing the customer problem as we
>> create working group and work product charters/scopes.
>>
>> Cheers
>>
>> Pieter
>> --
>> policy-charter mailing list
>> policy-charter at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/policy-charter
>>
>
>
--
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Prenez vos précautions sur Internet:
http://www.securite-informatique.gouv.fr/gp_rubrique34.html
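The use cases listed in the post (an agent seeing only claims in their assigned region, an SSN visible only to the customer, segregation of duty on PO approval, four-eyes on POs above $X) can be written as a small attribute-based policy evaluated by a PDP with deny-overrides combining. The following Python is an added illustration, not code from the post, the policy-charter group or any XACML implementation; the request schema, attribute names, the 10,000 threshold standing in for "$X", and the sample requests are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
FOUR_EYES_THRESHOLD = 10_000  # constructed stand-in for the "$X" in the post


@dataclass
class Request:
    """Attributes the PEP sends to the PDP (constructed schema)."""
    subject: dict
    action: str
    resource: dict


Decision = Optional[str]  # None means the rule is not applicable to the request
Rule = Callable[[Request], Decision]


def agent_sees_claims_in_own_region(req: Request) -> Decision:
    """Business driver: an agent may view claims only in their assigned region."""
    if req.action != "view" or req.resource.get("type") != "claim":
        return None
    if req.subject.get("role") != "agent":
        return None
    return PERMIT if req.subject.get("region") == req.resource.get("region") else DENY


def ssn_visible_only_to_customer(req: Request) -> Decision:
    """Legal: nobody but the customer themselves may see the SSN field."""
    if req.resource.get("type") != "customer_record":
        return None
    if "ssn" not in req.resource.get("fields", []):
        return None
    return PERMIT if req.subject.get("id") == req.resource.get("owner") else DENY


def approvers_may_act_on_pos(req: Request) -> Decision:
    """Baseline permit: the approver role may approve and release POs."""
    if req.resource.get("type") == "po" and req.action in ("approve", "release"):
        return PERMIT if req.subject.get("role") == "approver" else None
    return None


def segregation_of_duty(req: Request) -> Decision:
    """Compliance (deny-only constraint): an approver cannot approve a PO they created."""
    if req.resource.get("type") == "po" and req.action == "approve":
        if req.subject.get("id") == req.resource.get("created_by"):
            return DENY
    return None


def four_eyes(req: Request) -> Decision:
    """Compliance (deny-only constraint): a PO above the threshold may only be
    released once two distinct people have approved it."""
    if req.resource.get("type") == "po" and req.action == "release":
        if req.resource.get("amount", 0) > FOUR_EYES_THRESHOLD:
            if len(set(req.resource.get("approvers", []))) < 2:
                return DENY
    return None


POLICY: list[Rule] = [
    agent_sees_claims_in_own_region,
    ssn_visible_only_to_customer,
    approvers_may_act_on_pos,
    segregation_of_duty,
    four_eyes,
]


def decide(req: Request, policy: list[Rule] = POLICY) -> str:
    """Deny-overrides combining: any Deny wins, then any Permit. If no rule
    applies the PDP answers NotApplicable, which the PEP should treat as deny."""
    decisions = [rule(req) for rule in policy]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def demo() -> dict:
    """Constructed requests covering each use case from the post."""
    agent_west = {"id": "u1", "role": "agent", "region": "west"}
    customer = {"id": "c1", "role": "customer"}
    approver = {"id": "a1", "role": "approver"}
    record = {"type": "customer_record", "owner": "c1"}
    return {
        "agent_same_region": decide(Request(agent_west, "view", {"type": "claim", "region": "west"})),
        "agent_other_region": decide(Request(agent_west, "view", {"type": "claim", "region": "east"})),
        "customer_own_ssn": decide(Request(customer, "view", {**record, "fields": ["name", "ssn"]})),
        "agent_reads_ssn": decide(Request(agent_west, "view", {**record, "fields": ["ssn"]})),
        "agent_reads_name_only": decide(Request(agent_west, "view", {**record, "fields": ["name"]})),
        "approve_own_po": decide(Request(approver, "approve", {"type": "po", "created_by": "a1"})),
        "approve_others_po": decide(Request(approver, "approve", {"type": "po", "created_by": "u9"})),
        "release_big_po_one_approver": decide(Request(approver, "release", {"type": "po", "amount": 25_000, "approvers": ["a2"]})),
        "release_big_po_two_approvers": decide(Request(approver, "release", {"type": "po", "amount": 25_000, "approvers": ["a2", "a3"]})),
        "release_small_po": decide(Request(approver, "release", {"type": "po", "amount": 500, "approvers": ["a2"]})),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} {outcome}")
```

The design point worth noticing is that the compliance rules (segregation of duty, four-eyes) are written as deny-only constraints layered over a plain role-based permit, so the PDP's deny-overrides combining enforces them regardless of how many other rules would otherwise grant access; the "name only" case also shows why the PEP must treat NotApplicable as a denial rather than a grant.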