SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1
Copyright © 2007-2009 SANY Consortium Page 106 of 233
7.4. Access Control Information Model
In the following information model for the realisation of access control is presented with a reference to the corresponding OASIS standards.
7.4.1 Model for Subject Related Information
In the description of the SensorSA access control concepts in section 6.8.2 a Subject has
been introduced as the requestor of a service operation who represents the acting entity, whereas an acting entity may be a user or a software component, e.g. a service instance. The profile and
identity model defines the basic concepts related to a subject that support the tasks of the access control pattern introduced in section 6.8 and related services as described in section 8.3. The
following elements of a subject-related information model are defined:
-
Profile
-
Identity
-
Group
-
Role
-
Policy
7.4.2 Profiles and Identities
A profile is the abstract representation of a subject, i.e., it is characterised by a set of attributes that describe a subject. The profile information comprises associated identities and may therefore
serve as container of logical pointers to identities. The definition of a complete profile schema is out of the scope of the SensorSA information model for access control as it is application
dependent. For instance, a profile attribute could be the social security number to be able to identify the real word user behind the subject, or it could contain the phone number to contact a
responsible person or the signature of a software agent. The definition of profile attributes is a application design decision.
In order to perform an authorised action e.g. a service request a subject represented by his profile has to provide a proof of authenticity so that a service provider can decide whether the
requested action is in line with the service provider‟s access policy. A subject may present different identities, possibly authenticated with different authentication mechanisms, for different
actions. Thus, a single profile may have multiple identities .By decoupling profiles from identities, on the one hand information not relevant for authorisation decisions can be kept away
from the access control mechanisms, and on the other hand requirements like single sign-on SSO can be easily supported. The separation of profiles and their associated identities reflects
the real life situation in which a single subject i.e. a single profile may have an arbitrary number of identities for particular purposes. A subject may authenticate one or more of its
profile‟s identities and thus accumulate access rights in disparate security domains systems, networks and organisation.
SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1
Copyright © 2007-2009 SANY Consortium Page 107 of 233
Profiles are managed created, deleted, etc. using an instance of the Profile Management Service see section 8.3.2. Profile attributes are used to store arbitrary profile related
information e.g. first name, last name, address, e-mail. Identities are managed created, deleted, etc. using an instance of the Identity
Management and Authentication Service see section 8.3.3 . Identity attributes are used to store information that can be the basis for an authorisation
decision. The Identity Management and Authentication Service acts as an identity provider. The manner in which identity information is managed is up to the particular identity provider as
different authentication mechanisms e.g. public keysecret infrastructures or loginpassword require different identity related information. In this way the task “profile management” see
section 6.8.3.1 can act independently of the methods applied in the task “authentication” see
section 6.8.3.3 and vice-versa.
cd Profile and Identity
Identity
+ active: boolean + id: integer
+ origin: string
Profile
+ attributes: ProfileAttributesType + id: integer
+ origin: string
0.. 1
Figure 7-3: Profiles and Identities 7.4.3
Groups
A group is modelled as a special type of identity that is composed of a set of identities. Group att
ributes are used to hold common properties of its members‟ identities. An identity that is a member of a group automatically inherits all identity attributes of that group as after login all
related group identities are included in the SAML assertion session information. Thus, groups facilitate administrative operations which need to be applied to a number of identities of a single
Identity Management and Authentication Service instance.
A group can be treated as an ordinary identity by an instance of the Policy Management and Authorisation Service see section 8.3.4. Therefore, writing policies for groups does not
differ from writing policies for any other identity. Management of groups is done according to
SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1
Copyright © 2007-2009 SANY Consortium Page 108 of 233
the management of identities in instances of the Identity Management and Authentication Service see section 8.3.3.
cd GroupIdentity
IdentityType
AttributedIdentity
+ attributes: IdentityAttributesType
GroupIdentity
+ groupname: string
Identity
+ active: boolean + id: integer
+ origin: string
1.. 0..
Figure 7-4: Groups are special Identities
Groups can only be defined on the level of a single Identity Management and Authentication Service instance, since the concrete representation of identities, and thus groups,
may vary from instance to instance. To allow cross domain Identity Management and Authentication, and thus cross security domain enforcement of access rights, the concept of roles
is used.
7.4.4 Roles