[policy-charter] Authorization Use Cases
David Brossard
david.brossard at gmail.com
Thu Jun 22 18:48:44 UTC 2023
Excellent comment! I forgot to add that, to me, authorization is stateless.
In other words, assuming time is not of the essence, if you ask a PDP time and
time again whether Alice can get access to X and none of the
underlying data changes, then the answer should always be YES. A PDP does
not include state. A PDP does not modify state. This is a fundamental
design choice.
On Thu, Jun 22, 2023 at 11:32 AM Wesley Dunnington <
wesleydunnington at pingidentity.com> wrote:
> You bring up a good point as to when authorization stops and business
> logic begins. Most fully featured authorization systems are pretty decent
> decision engines, but if people start asking for us to include approvals
> via email or text in the protocols, then we will know we have stepped way
> over the line.
>
> Wes Dunnington
>
> On Thu, Jun 22, 2023 at 2:26 PM David Brossard via policy-charter <
> policy-charter at lists.openid.net> wrote:
>
>> I am looking at my notes from the past 15 years (yikes, that old) and I
>> see customers and use cases across nearly every vertical. Financial
>> services, Government (especially sensitive areas), and regulated industries
>> (healthcare & insurance but also export-controlled companies) are all
>> verticals that need authorization.
>>
>> In terms of use cases, it ranges from:
>>
>> - Developer efficiency
>>    - Rather than implement basic checks in code, let the "rules
>>      engine" decide
>> - Business drivers
>>    - business use cases: a health insurance agent can see an
>>      insurance claim in the region they are assigned to
>> - Legal & Compliance
>>    - legal use cases: No one can see a customer's SSN except for the
>>      customer
>>    - export control: it would be worth checking out the XACML Export
>>      Control profile
>>      <http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html>.
>>      We can reach out to the authors too (2 of them, John Tolbert and Richard
>>      Hill, now work at Kuppinger Cole and might be interested in helping)
>>    - compliance:
>>       - four-eyes principle, e.g. 2 individuals needed to approve a PO
>>         above $X
>>       - Segregation of duty: an approver cannot approve a PO they
>>         created/submitted
>> - Governance simplification
>>    - Move away from RBAC-driven authZ (and all it implies) to
>>      policy-driven ABAC
>>
>> One recurring question is where authz use cases start and stop. I
>> remember a banking customer telling me the following story: *we run a
>> credit card company and we want to send paper bills every billing cycle
>> (30-45 days). We want to let customers choose to go paperless but if they
>> miss a payment, we want to override the preference and still send a paper
>> copy. Should that be an authorization use case/rule?*
>>
>> My general answer has always been: if security/compliance/legal care(s)
>> then YES. Otherwise, up to you but don't overdo it. That example, unless
>> the paper bill is mandated by law (e.g. a credit card piece of
>> legislation), is NOT an authorization use case in my mind.
>>
>> I've added some of the use cases to this doc and made it read-only
>> <https://docs.google.com/document/d/1DJ37bC_6Np57N12AJ_MCCGh6ImmzFQZ9IgkQOH-Mz_A/edit>.
>> Feel free to ask for edit rights.
>>
>> David
>>
>> On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <
>> policy-charter at lists.openid.net> wrote:
>>
>>> I did start one indeed... Will try to complete it by end of day and
>>> share it on GDrive....
>>> regards,
>>>
>>> ./\.
>>>
>>> On Tue, Jun 20, 2023 at 4:24 AM Pieter Kasselman via policy-charter <
>>> policy-charter at lists.openid.net> wrote:
>>>
>>>> Hi folks, when we met at Identiverse, one of the topics that came up
>>>> was the collection of use cases, in addition to PEP/PDP and Admin Policy
>>>> Push. Is there an existing document we can use as a starting point for use
>>>> cases from last year, or do we need to start collecting them afresh? The
>>>> use cases may help us with scoping and expressing the customer problem as
>>>> we create working group and work product charters/scopes.
>>>>
>>>> Cheers
>>>>
>>>> Pieter
>>>> --
>>>> policy-charter mailing list
>>>> policy-charter at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/policy-charter
>>>>
>>>
>>>
>>> --
>>> Alexandre Babeanu, alex at 3edges.com
>>>
>>
>>
>> --
>> ---
>> David Brossard
>> http://www.linkedin.com/in/davidbrossard
>> http://twitter.com/davidjbrossard
>> http://about.me/brossard
>> ---
>> Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
>> Prenez vos précautions sur Internet:
>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>
>
>
> --
> Wesley Dunnington
> VP Architecture, Chief Architect
> wesleydunnington at pingidentity.com
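The stateless PDP David describes, as an added example that is not from the thread, from XACML, or from any product: a request is a plain dict of attributes, every rule is a pure function of that dict, and the PDP keeps no state and writes nothing. The rules encode the thread's own use cases (an agent sees claims in their assigned region, nobody but the customer sees the SSN, segregation of duty and four-eyes on purchase orders). The attribute names, the role names, the "$X" threshold of 10,000, and the sample requests are all assumptions made for the example.

```python
"""Minimal stateless ABAC policy decision point (illustrative example only).

A request is {"subject": {...}, "resource": {...}, "action": "..."}.
Rules are pure predicates over the request. Anything that looks like state
(e.g. how many approvals a PO already has) arrives as an attribute gathered
by the PEP or a policy information point; the PDP itself never stores or
modifies anything, so the same request always gets the same answer.
"""
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Request = Dict[str, Any]
Predicate = Callable[[Request], bool]

PO_FOUR_EYES_THRESHOLD = 10_000  # assumed value for the "$X" in the thread


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str           # "Permit" or "Deny"
    target: Predicate     # does the rule apply to this request at all?
    condition: Predicate  # if it applies, does its effect fire?


def attr(r: Request, part: str, key: str, default: Any = None) -> Any:
    """Read request[part][key] without raising when the attribute is absent."""
    return r.get(part, {}).get(key, default)


RULES: List[Rule] = [
    # Governance: a broad RBAC-style permit that the legal rule must override.
    Rule("admin-read-all", "Permit",
         target=lambda r: r.get("action") == "view",
         condition=lambda r: attr(r, "subject", "role") == "admin"),
    # Legal: no one can see a customer's SSN except the customer.
    Rule("ssn-owner-only", "Deny",
         target=lambda r: attr(r, "resource", "type") == "ssn",
         condition=lambda r: attr(r, "subject", "id") != attr(r, "resource", "owner")),
    Rule("ssn-owner-view", "Permit",
         target=lambda r: attr(r, "resource", "type") == "ssn" and r.get("action") == "view",
         condition=lambda r: attr(r, "subject", "id") == attr(r, "resource", "owner")),
    # Business: an agent can see claims in the region(s) they are assigned to.
    Rule("claim-in-region", "Permit",
         target=lambda r: attr(r, "resource", "type") == "claim" and r.get("action") == "view",
         condition=lambda r: attr(r, "subject", "role") == "agent"
                             and attr(r, "resource", "region") in attr(r, "subject", "regions", ())),
    # Compliance, segregation of duty: an approver cannot approve a PO they submitted.
    Rule("po-sod", "Deny",
         target=lambda r: attr(r, "resource", "type") == "po" and r.get("action") == "approve",
         condition=lambda r: attr(r, "subject", "id") == attr(r, "resource", "submitter")),
    Rule("po-approve", "Permit",
         target=lambda r: attr(r, "resource", "type") == "po" and r.get("action") == "approve",
         condition=lambda r: attr(r, "subject", "role") == "manager"
                             and attr(r, "subject", "id") not in attr(r, "resource", "approvers", ())),
    # Compliance, four-eyes: releasing a PO above the threshold needs two distinct approvers.
    # The approvers list is state owned by the PO system and passed in as an attribute.
    Rule("po-release-four-eyes", "Permit",
         target=lambda r: attr(r, "resource", "type") == "po" and r.get("action") == "release",
         condition=lambda r: attr(r, "resource", "amount", 0) <= PO_FOUR_EYES_THRESHOLD
                             or len(set(attr(r, "resource", "approvers", ()))) >= 2),
]


def decide(request: Request, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any firing Deny wins, else any firing Permit,
    else NotApplicable. Returns the decision and the names of the rules that fired."""
    fired = [rule for rule in rules if rule.target(request) and rule.condition(request)]
    names = [rule.name for rule in fired]
    if any(rule.effect == "Deny" for rule in fired):
        return "Deny", names
    if any(rule.effect == "Permit" for rule in fired):
        return "Permit", names
    return "NotApplicable", names


def is_permitted(request: Request) -> bool:
    """What the PEP does with the answer: only an explicit Permit opens the gate."""
    return decide(request)[0] == "Permit"


def replay_is_consistent(request: Request, times: int = 3) -> bool:
    """Statelessness check: asking again yields the same decision, and the
    request object is left untouched by the evaluation."""
    before = copy.deepcopy(request)
    answers = [decide(request) for _ in range(times)]
    return all(a == answers[0] for a in answers) and request == before


if __name__ == "__main__":
    # Constructed sample request: an agent assigned to "west" viewing a west-region claim.
    sample = {"subject": {"id": "alice", "role": "agent", "regions": ("west",)},
              "resource": {"type": "claim", "region": "west"}, "action": "view"}
    print(decide(sample), "consistent:", replay_is_consistent(sample))
```

Two design points the thread touches on show up here. NotApplicable is not a Permit: the PEP must treat it as a deny, otherwise a request no rule anticipated slips through. And the four-eyes rule stays stateless only because the list of prior approvers is supplied to the PDP as a resource attribute; recording an approval is the PO system's job, not the PDP's, which is exactly the line between authorization and business logic Wes raised.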