<div dir="ltr">You bring up a good point as to when authorization stops and business logic begins. Most fully featured authorization systems are pretty decent decision engines, but if people start asking for us to include approvals via email or text in the protocols, then we will know we have stepped way over the line.<div><br></div><div>Wes Dunnington</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 22, 2023 at 2:26 PM David Brossard via policy-charter <<a href="mailto:policy-charter@lists.openid.net">policy-charter@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I am looking at my notes from the past 15 years (yikes, that old) and I see customers and use cases across nearly every vertical. Financial services, Government (especially sensitive areas), and regulated industries (healthcare & insurance but also export-controlled companies) are all verticals that need authorization.<div><br></div><div>In terms of use cases, it ranges from:</div><div><ul><li>Developer efficiency</li><ul><li>Rather than implement basic checks in code, let the "rules engine" decide</li></ul><li>Business drivers</li><ul><li>business use cases: a health insurance agent can see an insurance claim in the region they are assigned to</li></ul><li>Legal & Compliance</li><ul><li>legal use cases: No one can see a customer's SSN except for the customer</li><li>export control: it would be worth checking out the <a href="http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html" target="_blank">XACML Export Control profile</a>. We can reach out to the authors too (2 of them, John Tolbert and Richard Hill now work at Kuppinger Cole and might be interested in helping)</li><li>compliance: </li><ul><li>four-eyes principle e.g. 
2 individuals needed to approve a PO above $X</li><li>Segregation of duty: an approver cannot approve a PO they created/submitted</li></ul></ul><li>Governance simplification</li><ul><li>Move away from RBAC-driven authZ (and all it implies) to policy-driven ABAC</li></ul></ul><div>One recurring question is where authz use cases start and stop. I remember a banking customer telling me the following story: <i>we run a credit card company and we want to send paper bills every billing cycle (30-45 days). We want to let customers choose to go paperless but if they miss a payment, we want to override the preference and still send a paper copy. Should that be an authorization use case/rule?</i></div></div><div><i><br></i></div><div>My general answer has always been: if security/compliance/legal care(s) then YES. Otherwise, up to you but don't overdo it. That example, unless the paper bill is mandated by law (e.g. a credit card piece of legislation), is NOT an authorization use case in my mind.</div><div><br></div><div>I've added some of the use cases <a href="https://docs.google.com/document/d/1DJ37bC_6Np57N12AJ_MCCGh6ImmzFQZ9IgkQOH-Mz_A/edit" target="_blank">to this doc and made it read-only</a>. Feel free to ask for edit rights.</div><div><br></div><div>David</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 20, 2023 at 9:09 AM Alex Babeanu via policy-charter <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I did start one indeed... 
Will try to complete it by end of day and share it on GDrive....<div>regards,</div><div><br></div><div>./\.</div><div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 20, 2023 at 4:24 AM Pieter Kasselman via policy-charter <<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-IE">
<div>
<p class="MsoNormal">Hi folks, when we met at Identiverse, one of the topics that came up was the collection of use cases, in addition to PEP/PDP and Admin Policy Push. Is there an existing document we can use as a starting point for use cases from last year,
or do we need to start collecting them afresh? The use cases may help us with scoping and expressing the customer problem as we create working group and work product charters/scopes.</p>
<p class="MsoNormal">Cheers</p>
<p class="MsoNormal">Pieter</p>
</div>
</div>
-- <br>
policy-charter mailing list<br>
<a href="mailto:policy-charter@lists.openid.net" target="_blank">policy-charter@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/policy-charter" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/policy-charter</a><br>
</div></blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Alexandre Babeanu<br>alex@3edges.com</div></div>
<br>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">---<br>David Brossard<br><a href="http://www.linkedin.com/in/davidbrossard" target="_blank">http://www.linkedin.com/in/davidbrossard</a><br><a href="http://twitter.com/davidjbrossard" target="_blank">http://twitter.com/davidjbrossard</a><br><a href="http://about.me/brossard" target="_blank">http://about.me/brossard</a><br>---<br>Stay safe on the Internet: <a href="http://www.ic3.gov/preventiontips.aspx" target="_blank">http://www.ic3.gov/preventiontips.aspx</a><br>Take precautions on the Internet: <a href="http://www.securite-informatique.gouv.fr/gp_rubrique34.html" target="_blank">http://www.securite-informatique.gouv.fr/gp_rubrique34.html</a></div>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Wesley Dunnington<br>VP Architecture, Chief Architect, Ping Identity<br><a href="mailto:wesleydunnington@pingidentity.com" target="_blank">wesleydunnington@pingidentity.com</a><br>c: 508-254-5475</div></div>
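As an added illustration of the use cases David lists above (region-scoped claim visibility, a customer's SSN visible only to that customer, segregation of duty, and the four-eyes rule for purchase orders above a threshold), here is a toy policy decision point in Python. It is not part of the thread and not the working group's or any vendor's code; the attribute names, roles, the `Subject`/`Resource`/`Request` shapes, the 10,000 threshold standing in for "$X", and the deny-overrides combining are all assumptions made for the example. It also shows the boundary Wes describes: the PDP only answers Permit/Deny from attributes, while collecting two approvals is workflow state kept by the enforcement point.

```python
"""Toy policy decision point (PDP) for the authorization use cases in this thread.

Constructed illustration, not the OpenID working group's or any vendor's code.
Attribute names, roles, the 10,000 four-eyes threshold and deny-overrides
combining are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Subject:
    id: str
    role: str          # "agent", "customer", "approver", ...
    region: str = ""   # assigned region for agents


@dataclass
class Resource:
    kind: str                    # "claim", "customer_record" or "po"
    owner: str = ""              # customer id, or the PO submitter
    region: str = ""
    amount: float = 0.0          # PO amount
    approvals: List[str] = field(default_factory=list)   # ids of approvers so far


@dataclass(frozen=True)
class Request:
    action: str
    subject: Subject
    resource: Resource


FOUR_EYES_THRESHOLD = 10_000.0   # assumed "$X": POs above this need two approvers

# A rule returns "Permit", "Deny", or None when it does not apply to the request.
Rule = Callable[[Request], Optional[str]]


def claim_region_rule(req: Request) -> Optional[str]:
    """Business driver: an agent sees a claim only in the region they are assigned to."""
    if req.action != "view" or req.resource.kind != "claim":
        return None
    if req.subject.role == "agent" and req.subject.region == req.resource.region:
        return "Permit"
    return "Deny"


def ssn_owner_rule(req: Request) -> Optional[str]:
    """Legal: no one can see a customer's SSN except the customer."""
    if req.action != "view_ssn":
        return None
    return "Permit" if req.subject.id == req.resource.owner else "Deny"


def segregation_of_duty_rule(req: Request) -> Optional[str]:
    """Compliance: an approver cannot approve a PO they created/submitted."""
    if req.action != "approve" or req.resource.kind != "po":
        return None
    return "Deny" if req.subject.id == req.resource.owner else None


def po_approver_rule(req: Request) -> Optional[str]:
    """Compliance (four-eyes): only approvers may approve, and nobody counts twice."""
    if req.action != "approve" or req.resource.kind != "po":
        return None
    if req.subject.role != "approver" or req.subject.id in req.resource.approvals:
        return "Deny"
    return "Permit"


POLICY: List[Rule] = [claim_region_rule, ssn_owner_rule,
                      segregation_of_duty_rule, po_approver_rule]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any Deny wins, then any Permit, otherwise default deny."""
    outcomes = [rule(req) for rule in policy]
    if "Deny" in outcomes:
        return "Deny"
    if "Permit" in outcomes:
        return "Permit"
    return "Deny"   # no applicable rule: fail closed


def record_approval(req: Request) -> str:
    """PEP-side helper: consult the PDP and record the approval only on Permit."""
    decision = decide(req)
    if decision == "Permit":
        req.resource.approvals.append(req.subject.id)
    return decision


def is_po_approved(po: Resource) -> bool:
    """Workflow state, not a PDP decision: above the threshold two distinct approvers are needed."""
    needed = 2 if po.amount > FOUR_EYES_THRESHOLD else 1
    return len(set(po.approvals)) >= needed


if __name__ == "__main__":
    po = Resource("po", owner="u1", amount=25_000.0)   # constructed sample PO submitted by u1
    for who in (Subject("u1", "approver"), Subject("a1", "approver"),
                Subject("a1", "approver"), Subject("a2", "approver")):
        print(who.id, record_approval(Request("approve", who, po)),
              "approved:", is_po_approved(po))
```

Running the script walks one PO through the approval flow: the submitter is denied by segregation of duty, the first approver is permitted, the same approver is denied a second time, and the PO is only considered approved once a second distinct approver has been permitted.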