[policy-charter] Authorization Use Cases

Wesley Dunnington wesleydunnington at pingidentity.com
Thu Jun 22 18:32:16 UTC 2023


You bring up a good point as to when authorization stops and business logic
begins. Most fully featured authorization systems are pretty decent
decision engines, but if people start asking for us to include approvals
via email or text in the protocols, then we will know we have stepped way
over the line.

Wes Dunnington

On Thu, Jun 22, 2023 at 2:26 PM David Brossard via policy-charter <
policy-charter at lists.openid.net> wrote:

> I am looking at my notes from the past 15 years (yikes, that old) and I
> see customers and use cases across nearly every vertical. Financial
> services, Government (especially sensitive areas), and regulated industries
> (healthcare & insurance but also export-controlled companies) are all
> verticals that need authorization.
>
> In terms of use cases, it ranges from:
>
>    - Developer efficiency
>       - Rather than implement basic checks in code, let the "rules
>       engine" decide
>    - Business drivers
>       - business use cases: a health insurance agent can see an insurance
>       claim in the region they are assigned to
>    - Legal & Compliance
>       - legal use cases: No one can see a customer's SSN except for the
>       customer
>       - export control: it would be worth checking out the XACML Export
>       Control profile
>       <http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html>.
>       We can reach out to the authors too (2 of them, John Tolbert and Richard
>       Hill, now work at Kuppinger Cole and might be interested in helping)
>       - compliance:
>          - four-eyes principle e.g. 2 individuals needed to approve a PO
>          above $X
>          - Segregation of duty: an approver cannot approve a PO they
>          created/submitted
>    - Governance simplification
>       - Move away from RBAC-driven authZ (and all it implies) to
>       policy-driven ABAC
>
> One recurring question is where authz use cases start and stop. I remember
> a banking customer telling me the following story: *we run a credit card
> company and we want to send paper bills every billing cycle (30-45 days).
> We want to let customers choose to go paperless but if they miss a payment,
> we want to override the preference and still send a paper copy. Should that
> be an authorization use case/rule?*
>
> My general answer has always been: if security/compliance/legal care(s)
> then YES. Otherwise, up to you but don't overdo it. That example, unless
> the paper bill is mandated by law (e.g. a credit card piece of
> legislation), is NOT an authorization use case in my mind.
>
> I've added some of the use cases to this doc and made it read-only
> <https://docs.google.com/document/d/1DJ37bC_6Np57N12AJ_MCCGh6ImmzFQZ9IgkQOH-Mz_A/edit>.
> Feel free to ask for edit rights.
>
> David
>
> On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> I did start one indeed... Will try to complete it by end of day and share
>> it on GDrive....
>> regards,
>>
>> ./\.
>>
>> On Tue, Jun 20, 2023 at 4:24 AM Pieter Kasselman via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> Hi folks, when we met at Identiverse, one of the topics that came up was
>>> the collection of use cases, in addition to PEP/PDP and Admin Policy Push.
>>> Is there an existing document we can use as a starting point for use cases
>>> from last year, or do we need to start collecting them afresh? The use
>>> cases may help us with scoping and expressing the customer problem as we
>>> create working group and work product charters/scopes.
>>>
>>>
>>>
>>> Cheers
>>>
>>>
>>>
>>> Pieter
>>> --
>>> policy-charter mailing list
>>> policy-charter at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>
>>
>>
>>
>>
>
>
>


-- 
Wesley Dunnington
VP Architecture, Chief Architect
 wesleydunnington at pingidentity.com


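The business, legal and compliance rules listed in David's message (region-bound claim access, SSN visible only to the customer, segregation of duty on purchase orders, four-eyes approval above a threshold), together with the paper-bill preference he argues is not an authorization rule, as one small attribute-based policy decision point. This is an added illustration written for this archive page, not code from the thread or from any participant's product. The attribute names, the deny-overrides combining, FOUR_EYES_THRESHOLD (standing in for "$X"), and the sample subjects and resources are all assumptions made for the example.

```python
"""Minimal attribute-based PDP, constructed to illustrate the use cases in the thread.

Each Policy has a target (does it apply to this request?) and a rule (Permit or Deny
when it does). Decisions are combined deny-overrides, with default Deny when no
policy applies. Attribute names and the threshold are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
FOUR_EYES_THRESHOLD = 10_000  # assumed; the thread only says "above $X"


@dataclass
class Request:
    subject: dict            # who: id, roles, region ...
    action: str              # view, read, approve ...
    resource: dict           # what: type plus attributes
    context: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]
    rule: Callable[[Request], str]


def decide(req: Request, policies: list) -> tuple:
    """Deny-overrides: any applicable Deny wins; Permit needs at least one Permit
    and no Deny; no applicable policy means Deny. Returns (decision, fired names)."""
    fired = [(p.name, p.rule(req)) for p in policies if p.target(req)]
    denies = [n for n, d in fired if d == DENY]
    if denies:
        return DENY, denies
    permits = [n for n, d in fired if d == PERMIT]
    return (PERMIT, permits) if permits else (DENY, [])


def is_po_approve(r: Request) -> bool:
    return r.resource.get("type") == "po" and r.action == "approve"


POLICIES = [
    # Business: a claims agent may view claims in the region they are assigned to.
    Policy("claim-region",
           lambda r: r.resource.get("type") == "claim" and r.action == "view",
           lambda r: PERMIT if "agent" in r.subject.get("roles", ())
                     and r.subject.get("region") == r.resource.get("region") else DENY),
    # Legal: no one but the customer can read the customer's SSN.
    Policy("ssn-self-only",
           lambda r: r.resource.get("type") == "customer" and r.action == "read"
                     and "ssn" in r.resource.get("fields", ()),
           lambda r: PERMIT if r.subject["id"] == r.resource.get("owner") else DENY),
    # Base grant: only users holding the approver role may approve a PO.
    Policy("po-approver", is_po_approve,
           lambda r: PERMIT if "approver" in r.subject.get("roles", ()) else DENY),
    # Segregation of duty: an approver cannot approve a PO they created/submitted.
    Policy("po-sod",
           lambda r: is_po_approve(r) and r.subject["id"] == r.resource.get("created_by"),
           lambda r: DENY),
    # Four-eyes: above the threshold, one person cannot supply both approvals.
    Policy("po-four-eyes",
           lambda r: is_po_approve(r) and r.resource.get("amount", 0) > FOUR_EYES_THRESHOLD
                     and r.subject["id"] in r.resource.get("approvals", ()),
           lambda r: DENY),
]


def approvals_required(po: dict) -> int:
    return 2 if po.get("amount", 0) > FOUR_EYES_THRESHOLD else 1


def approve(po: dict, subject: dict) -> str:
    """Enforcement point for 'approve': ask the PDP, record the approval only on Permit."""
    decision, _ = decide(Request(subject, "approve", po), POLICIES)
    if decision == PERMIT and subject["id"] not in po.setdefault("approvals", []):
        po["approvals"].append(subject["id"])
    return decision


def is_fully_approved(po: dict) -> bool:
    return len(set(po.get("approvals", ()))) >= approvals_required(po)


def should_send_paper_bill(customer: dict) -> bool:
    """The credit-card bill case from the thread: a preference override kept out of
    the PDP as plain business logic, since nothing legal or compliance-related hangs on it."""
    return (not customer.get("paperless", False)) or customer.get("missed_payment", False)
```

The split between `POLICIES` and `should_send_paper_bill` is the point of the thread's "where does authz stop" question: the PDP only holds rules that security, legal or compliance would want to audit, and the combining algorithm makes a request with no applicable policy fail closed rather than fall through to application code.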