Difference between revisions of "Authorization"

From MgmtWiki
Revision as of 11:37, 30 December 2018

Full Title or Meme

An action that will give a user an Access Token to a protected resource.

Context

  • Previously Authorization was considered to be the second step after the Subject had been successfully Authenticated.
  • The challenge of Authorization can be modeled as a decision theory problem: Authorization of access is granted after the Authorization service has evaluated the Claims presented and made a single decision about access, where the Identity of the Subject is assumed to have been appropriately Authenticated. In the case of a failed Authorization the Subject was typically given instructions on the appropriate manual procedures to follow to gain access to the resource. This method worked well within the confines of an Enterprise or Federation that had established the appropriate method for Authentication.
  • In the long term, game theory would be a better model, in which the attacker and the Authorization process are engaged in a duel, the attacker seeking illicit access to the resource.

Problems

The more challenging problem of Authorizing access for a Subject arriving over the public internet is that the level of Authentication that has been applied to the Subject may be adequate for initial access but insufficient for full access to all resources. It is that use case which is considered here.
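The decision just described, worked as an added example that is not part of this wiki page: an Authorization service evaluates the Claims presented, compares the assurance level of the Authentication that was applied against what the requested resource requires, and returns a single decision. A Subject whose Authentication sufficed for initial access but not for the resource gets a step-up instruction instead of a plain denial. The assurance levels, resource paths and policy table are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    STEP_UP = "step_up"  # authenticated enough to arrive, not enough for this resource
    DENY = "deny"


# Constructed assurance ranking: higher means a stronger Authentication was applied.
ASSURANCE = {"password": 1, "password+otp": 2, "hardware_key": 3}

# Constructed policy: minimum assurance level each protected resource requires.
POLICY = {"/portal/home": 1, "/records/view": 2, "/records/export": 3}


@dataclass(frozen=True)
class Claims:
    subject: str          # identity asserted for the Subject
    authenticated: bool   # whether Authentication completed at all
    method: str           # how the Subject was Authenticated


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    instruction: str      # what the Subject is told, especially on a non-grant


def authorize(claims: Claims, resource: str) -> Outcome:
    """Evaluate the presented Claims and make one access decision for `resource`."""
    required = POLICY.get(resource)
    if required is None:
        return Outcome(Decision.DENY, "unknown resource; fail closed")
    if not claims.authenticated:
        return Outcome(Decision.DENY, "Subject has not been Authenticated")
    level = ASSURANCE.get(claims.method)
    if level is None:
        return Outcome(Decision.DENY, f"unrecognised Authentication method {claims.method!r}")
    if level >= required:
        return Outcome(Decision.GRANT, f"assurance {level} meets required {required}")
    # Adequate for initial access, insufficient here: tell the Subject how to proceed.
    needed = [m for m, lvl in ASSURANCE.items() if lvl >= required]
    return Outcome(Decision.STEP_UP,
                   f"assurance {level} below required {required}; re-authenticate with one of {needed}")
```

The STEP_UP outcome is the automated form of the "instructions on the appropriate manual procedures" the page describes for a failed Authorization.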

Solutions

Bayesian Identity Proofing provides the means for a collection of authentication and verification steps to be validated.

References