Authorization

September 11, 2015

Context-based authorization

Data model

Triples:

  • Who (subject)
  • Does what (verb)
  • To which (object)
  • In what context
    • Authorizing entity
    • Audience
    • Environment
    • Facility
    • Equipment
    • etc.

Example

Subjects      Verbs      Programs     Verbs     Authorizers
-----------------------------------------------------------

                     r           rw
Alice -----============> Apple <=========---- Carol (OAuth)
          /          r           rw      \
         /                                \
        /           rw            rw       \
Bob   -----------------> Banana <--------------- Dave (2FA)
        \                                  /
         \           w          rw        /
          `------------> Pear <----------'

Alice has:

  • read access to assets in the Apple program

Bob has:

  • read access to assets in the Apple program
  • read/write access to assets in the Banana program
  • write (e.g. deploy) access to assets in the Pear program

Carol is an authorizer who may grant:

  • read/write access to assets in the Apple program

Dave is an authorizer who may grant:

  • read/write access to assets in the Apple program
  • read/write access to assets in the Banana program
  • read/write access to assets in the Pear program

Flow

  1. Subject establishes an authorization context
    • Depends on people present, facility security, etc.
  2. Subject requests authorization from an authorizer
  3. Authorizer grants an authorization context
    • The intersection of the accesses of the subject, context, and authorizer
  4. Subject uses the authorization context as a key to access assets
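The four steps above, as an added worked example (not code from the original notes). The subjects, authorizers and their access levels are the ones from the Alice/Bob/Carol/Dave example; the environment contexts ("office", "home") and the signed-token format used for step 4 are assumptions made for the example.

```python
"""Context-based authorization flow: added example, not from the notes.

Data model: who (subject) / does what (verb) / to which (program) / in what
context (environment, authorizer). The authorization context granted in
step 3 is the per-program intersection of the verbs held by the subject,
allowed by the environment, and grantable by the authorizer.
"""
import hashlib
import hmac
import json
import secrets

# Subject -> program -> verbs the subject holds (from the notes).
SUBJECTS = {
    "alice": {"Apple": {"r"}},
    "bob":   {"Apple": {"r"}, "Banana": {"r", "w"}, "Pear": {"w"}},
}

# Authorizer -> program -> verbs the authorizer may grant (from the notes).
AUTHORIZERS = {
    "carol": {"Apple": {"r", "w"}},
    "dave":  {"Apple": {"r", "w"}, "Banana": {"r", "w"}, "Pear": {"r", "w"}},
}

# Environment context -> program -> verbs permitted there (ASSUMED values).
ENVIRONMENTS = {
    "office": {"Apple": {"r", "w"}, "Banana": {"r", "w"}, "Pear": {"r", "w"}},
    "home":   {"Apple": {"r"}, "Banana": {"r"}},  # no writes/deploys from home
}


def intersect(*grants):
    """Per-program intersection of verb sets. A program missing from any
    party, or left with no verbs, drops out of the result entirely."""
    programs = set.intersection(*(set(g) for g in grants))
    result = {}
    for program in programs:
        verbs = set.intersection(*(g[program] for g in grants))
        if verbs:
            result[program] = verbs
    return result


def grant_context(subject, environment, authorizer):
    """Steps 1-3: subject is in `environment`, asks `authorizer`, and receives
    the intersection of subject, environment and authorizer accesses."""
    return intersect(SUBJECTS[subject], ENVIRONMENTS[environment], AUTHORIZERS[authorizer])


def issue_key(context, signing_key):
    """Step 3 (continued): serialise the context deterministically and MAC it
    so the subject cannot widen the context it was granted (assumed format)."""
    payload = json.dumps({p: sorted(v) for p, v in sorted(context.items())}).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def access(key, signing_key, program, verb):
    """Step 4: verify the key's MAC, then check the requested verb against it."""
    payload, tag = key
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or forged key
    ctx = json.loads(payload)
    return verb in ctx.get(program, [])


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    ctx = grant_context("bob", "office", "dave")
    print(ctx)  # {'Apple': {'r'}, 'Banana': {'r', 'w'}, 'Pear': {'w'}}
    key = issue_key(ctx, k)
    print(access(key, k, "Pear", "w"), access(key, k, "Pear", "r"))  # True False
    print(grant_context("bob", "home", "dave"))   # Pear gone, Banana reduced to r
    print(grant_context("bob", "office", "carol"))  # Carol can only grant Apple
```

Note how the authorizer bounds what the subject receives: Bob asking Carol gets only Apple read, because Carol cannot grant Banana or Pear at all, and asking Dave from home loses Pear entirely because the home context permits no writes.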

Access control

Strategies

  1. Tagged access control
  2. Context-based access control
  3. Context-based tagged access control

Tagged access control

Tagged access control is an approach to decoupling authorization logic from the data models used to represent users and resources. Because the authorization logic refers only to tags, user and resource data models can change or grow over time without the authorization logic having to change with them.

Given a user, some actions, and a resource:

 O                    .
-+-      <access>     ├── dir1
 |                    |   └── file1
/ \      <modify>     └── file2

User      Actions     Resources

The user is granted access to perform certain actions for certain tags:

          access
 O  -----------------> tagX, tagY
-+- 
 |        modify
/ \ -----------------> tagY

User      Actions      Tags
  • User can access tagX and tagY
  • User can modify tagY

The resource is marked with a tag:

.
├── dir1      ---------> tagX
|   └── file1 ---------> tagX
└── file2     ---------> tagY

Resource                 Tag
  • dir1 and file1 are both marked with tagX
  • file2 is marked with tagY

The user may perform an action on a resource if they have been granted that action for the resource's tag:

  • User can access dir1 and file1
  • User can access and modify file2
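The tag check above, as an added worked example (not code from the original notes). The user's grants and the resource tags are the ones in the diagrams; the helper names are assumptions, as is the rule that an untagged path inherits the tag of its nearest tagged ancestor (the notes tag file1 explicitly, and inheritance gives the same answer).

```python
"""Tagged access control: added example, not from the notes.

The decision looks only at tags: users are granted actions per tag and
resources carry a tag. Nothing here depends on what a user or resource
record looks like, which is the decoupling the notes describe.
"""

# resource path -> tag (from the notes; dir1/file1 inherits tagX from dir1)
RESOURCE_TAGS = {"dir1": "tagX", "file2": "tagY"}

# user -> action -> tags for which that action is granted (from the notes)
USER_GRANTS = {"user": {"access": {"tagX", "tagY"}, "modify": {"tagY"}}}


def tag_for(path, tags=RESOURCE_TAGS):
    """Return the tag of `path`, or of its nearest tagged ancestor (assumed
    inheritance rule). Returns None for an untagged path."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        tag = tags.get("/".join(parts[:depth]))
        if tag is not None:
            return tag
    return None


def allowed(user, action, path, grants=USER_GRANTS, tags=RESOURCE_TAGS):
    """Default-deny decision: allowed only if the resource's tag is among the
    tags the user holds for that action. Unknown users, unknown actions and
    untagged resources all fall through to deny."""
    tag = tag_for(path, tags)
    if tag is None:
        return False
    return tag in grants.get(user, {}).get(action, set())


def permitted_actions(user, path, grants=USER_GRANTS, tags=RESOURCE_TAGS):
    """All actions `user` may perform on `path`, sorted for stable output."""
    return sorted(a for a in grants.get(user, {}) if allowed(user, a, path, grants, tags))


if __name__ == "__main__":
    for p in ("dir1", "dir1/file1", "file2", "file3"):
        print(p, permitted_actions("user", p))
    # dir1 ['access'] / dir1/file1 ['access'] / file2 ['access', 'modify'] / file3 []
```

A new resource such as dir1/report picks up tagX and is immediately readable without any change to the user's grants; a resource nobody has tagged yet (file3) is denied to everyone, which is the safe default.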

Context-based access control

Context-based access control addresses the need to limit access levels based on domain-specific constraints, such as the audience present, the networks utilized, the location occupied, etc.

Given two users, two resources, and access levels:

  O          .                  O
 -+- ------> ├── file1         -+-
  |  ------> ├── file2 <------  |
 / \         └── file3 <------ / \

User1        Resources        User2
  • User1 has access to file1 and file2
  • User2 has access to file2 and file3

If User1 and User2 are having a conversation, they are limited to discussing file2, since the intersection of their accesses excludes file1 and file3.

This also works for grantees that aren't users:

  O          .                 .~~~~~~.
 -+- ------> ├── file1         ;      ;
  |  ------> ├── file2 <------ ;      ;
 / \         └── file3 <------ '~~~~~~'

User1        Resources        Office LAN
  • User1 has access to file1 and file2
  • Office LAN has access to file2 and file3

If User1 needs to access file2, it must be done from Office LAN, since file2 is the only resource in the intersection of their accesses.
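The two intersection examples above (User1 with User2, and User1 with Office LAN), as an added worked example that is not code from the original notes. It generalizes to any number of grantees in a context, and adds the reverse question a practitioner asks in practice: from which environments can a given user reach a given resource? User1, User2 and Office LAN carry the accesses from the notes; "Guest Wi-Fi" is a constructed extra network with no file access.

```python
"""Context-based access control: added example, not from the notes.

Every grantee in a context (a user, the other people present, the network
in use, ...) has its own set of accessible resources. The effective access
of the context is the intersection across all grantees involved.
"""

GRANTS = {
    "User1": {"file1", "file2"},
    "User2": {"file2", "file3"},
    "Office LAN": {"file2", "file3"},
    "Guest Wi-Fi": set(),  # constructed: untrusted network, nothing granted
}


def effective(*grantees, grants=GRANTS):
    """Resources accessible when every one of `grantees` is part of the
    context. An unknown grantee contributes the empty set and so blocks
    everything; an empty context grants nothing."""
    sets = [grants.get(g, set()) for g in grantees]
    return set.intersection(*sets) if sets else set()


def can_access(resource, *grantees, grants=GRANTS):
    """Decision for one resource in the context formed by `grantees`."""
    return resource in effective(*grantees, grants=grants)


def contexts_for(user, resource, environments, grants=GRANTS):
    """Reverse query: which of `environments` let `user` reach `resource`?"""
    return sorted(e for e in environments if can_access(resource, user, e, grants=grants))


if __name__ == "__main__":
    print(effective("User1", "User2"))                # {'file2'}
    print(effective("User1", "Office LAN"))           # {'file2'}
    print(effective("User1", "User2", "Office LAN"))  # {'file2'}
    nets = ["Office LAN", "Guest Wi-Fi"]
    print(contexts_for("User1", "file2", nets))  # ['Office LAN']
    print(contexts_for("User1", "file1", nets))  # []  no listed network permits it
```

Adding a third grantee (User1 and User2 talking over Office LAN) can only narrow the result, never widen it, which is what makes the context a safe place to hang domain constraints such as audience, network or location.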