Context-based authorization by program access level

September 11, 2015

Data model

Triples:

  • Who (subject)
  • Does what (verb)
  • To which (object)
  • In what context
    • Authorizing entity
    • Audience
    • Environment
    • Facility
    • Equipment
    • etc.

Example

Subjects      Verbs      Programs     Verbs     Authorizers
-----------------------------------------------------------

                     r           rw
Alice -----============> Apple <=========---- Carol (OAuth)
          /          r           rw      \
         /                                \
        /           rw            rw       \
Bob   -----------------> Banana <--------------- Dave (2FA)
        \                                  /
         \           w          rw        /
          `------------> Pear <----------'

Alice has:

  • read access to assets in the Apple program

Bob has:

  • read access to assets in the Apple program
  • read/write access to assets in the Banana program
  • write (e.g. deploy) access to assets in the Pear program

Carol is an authorizer who may grant:

  • read/write access to assets in the Apple program

Dave is an authorizer who may grant:

  • read/write access to assets in the Apple program
  • read/write access to assets in the Banana program
  • read/write access to assets in the Pear program

Flow

  1. Subject establishes an authorization context
    • Depends on people present, facility security, etc.
  2. Subject requests authorization from an authorizer
  3. Authorizer grants an authorization context
    • The intersection of the accesses of the subject, context, and authorizer
  4. Subject uses the authorization context as a key to access assets
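The four-step flow above, carried through on the diagram's Alice/Bob/Carol/Dave example, as an added Python example (not code from the original note). The environment policy in `environment_context` and all function names are assumptions chosen to illustrate the intersection rule.

```python
from __future__ import annotations

# An access set is a set of (program, verb) pairs; verb is "r" or "w".
Access = frozenset[tuple[str, str]]


def expand(grants: dict[str, str]) -> Access:
    """Turn {"Banana": "rw"} into {("Banana", "r"), ("Banana", "w")}."""
    return frozenset((prog, v) for prog, verbs in grants.items() for v in verbs)


# Subjects and authorizers exactly as drawn in the diagram.
SUBJECTS = {
    "Alice": expand({"Apple": "r"}),
    "Bob": expand({"Apple": "r", "Banana": "rw", "Pear": "w"}),
}
AUTHORIZERS = {
    "Carol": expand({"Apple": "rw"}),
    "Dave": expand({"Apple": "rw", "Banana": "rw", "Pear": "rw"}),
}
PROGRAMS = ("Apple", "Banana", "Pear")


def environment_context(facility_secure: bool, visitors_present: bool) -> Access:
    """Step 1: the subject's surroundings bound what any grant may contain.
    Constructed policy (an assumption, not from the note): writes require a
    secure facility with nobody but staff in the audience; reads are allowed
    anywhere."""
    verbs = "rw" if facility_secure and not visitors_present else "r"
    return expand({p: verbs for p in PROGRAMS})


def grant(subject: str, authorizer: str, env: Access) -> Access:
    """Steps 2-3: the granted context is the intersection of the subject's
    own access, the environment, and what the authorizer may grant.
    An unknown subject or authorizer contributes the empty set, so the
    result is no access rather than an error that might be mishandled."""
    return (SUBJECTS.get(subject, frozenset())
            & env
            & AUTHORIZERS.get(authorizer, frozenset()))


def permitted(ctx: Access, program: str, verb: str) -> bool:
    """Step 4: the context is the key; an action passes only if it is in it."""
    return (program, verb) in ctx
```

Because every factor is a plain set, a subject can never end up with more than the least-privileged party in the exchange allows; an authorizer with broad rights (Dave) still cannot give Alice write access she does not hold herself.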