Subjects      Verbs     Programs  Verbs       Authorizers
-----------------------------------------------------------
                r                   rw
Alice -----============> Apple <=========---- Carol (OAuth)
      /         r                   rw     \
     /                                      \
    /           rw                  rw       \
Bob -------------------> Banana <------------ Dave (2FA)
    \                                         /
     \          w                   rw       /
      `----------------> Pear <-------------'
Alice has:
  read access to assets in the Apple program

Bob has:
  read access to assets in the Apple program
  read/write access to assets in the Banana program
  write (e.g. deploy) access to assets in the Pear program

Carol is an authorizer who may grant:
  read/write access to assets in the Apple program

Dave is an authorizer who may grant:
  read/write access to assets in the Apple program
  read/write access to assets in the Banana program
  read/write access to assets in the Pear program
Flow
  Subject establishes an authorization context
    Depends on people present, facility security, etc.
  Subject requests authorization from an authorizer
  Authorizer grants an authorization context
    The intersection of the accesses of the subject, context, and authorizer
  Subject uses the authorization context as a key to access assets
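As an added worked example (not from the page), the grant step as code: the authorization context a subject receives is the intersection of the subject's accesses, the context's accesses and what the authorizer may grant, using Alice, Bob, Carol and Dave from the diagram above. The facility context values and the function names are assumptions.

```python
from typing import Dict, FrozenSet

Access = Dict[str, FrozenSet[str]]  # program -> verbs allowed on its assets ("r", "w")

def access(**programs: str) -> Access:
    """Build an access map, e.g. access(Apple="r", Banana="rw")."""
    return {program: frozenset(verbs) for program, verbs in programs.items()}

# Subjects' own accesses, as listed on the page.
SUBJECTS: Dict[str, Access] = {
    "Alice": access(Apple="r"),
    "Bob": access(Apple="r", Banana="rw", Pear="w"),
}

# What each authorizer may grant, as listed on the page.
AUTHORIZERS: Dict[str, Access] = {
    "Carol": access(Apple="rw"),
    "Dave": access(Apple="rw", Banana="rw", Pear="rw"),
}

def intersect(*parts: Access) -> Access:
    """A verb on a program survives only if every part allows it."""
    programs = set(parts[0]) if parts else set()
    for part in parts[1:]:
        programs &= set(part)
    result: Access = {}
    for program in sorted(programs):
        verbs = frozenset.intersection(*(part[program] for part in parts))
        if verbs:
            result[program] = verbs
    return result

def grant(subject: str, context: Access, authorizer: str) -> Access:
    """Authorization context the subject ends up holding: subject ∩ context ∩ authorizer."""
    return intersect(SUBJECTS[subject], context, AUTHORIZERS[authorizer])

def can(ctx: Access, verb: str, program: str) -> bool:
    """Use the context as a key: does it permit `verb` on assets in `program`?"""
    return verb in ctx.get(program, frozenset())

if __name__ == "__main__":
    # Assumed context: a secured facility that permits rw on Banana and Pear only.
    facility = access(Banana="rw", Pear="rw")
    ctx = grant("Bob", facility, "Dave")
    print({p: "".join(sorted(v)) for p, v in ctx.items()})
    print(can(ctx, "w", "Pear"), can(ctx, "w", "Apple"))
```

Bob asking Dave from that facility ends up with read/write on Banana and write on Pear only: Apple is outside the facility context, and Bob never had read on Pear to begin with.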