This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[Roles] and [Entitlements] are hard and complex.
We typically strive to utilize the [Access Control Model] called [Adaptive Policy-based Access Management] ([APAM]).
In our simplified [Example] we will try to put together an [{$pagename}] that will hopefully help.
Think about the day-to-day Business Functions. We will use a bank, but the concept is common across all businesses.
!! "Bank Teller"
For a "Bank Teller" to do their job, the "Bank Teller", for each branch they work in, needs:
* Access to the Building they work in
* Use Coffee Machine
* Use Teller Machine
Each of these [Entitlements] requires some [Privilege] for [Access Control] in the different systems.
Together, these individual [Entitlements] make up the "Bank Teller" [Role].
!! "Bank Manager"
Likewise the "Bank Manager" of the Bank Branch needs:
* Access to the Building they work in.
* Use Coffee Machine
* Use Teller Machine
AND
* Able to lock and un-lock Building door
* Able to Arm and Dis-Arm Security
* Able to lock and un-lock safe
* Administer Teller Machine
* Spend <=$500
* Manage Key Cards for Building
Together, these individual [Entitlements] make up the "Bank Manager" [Role].
!! The Big Question
In day-to-day operations we are always trying to answer the question, can this [user|Digital Identity] have access to this [resource]?
In our Bank Teller example, [Alice] shows up at the bank's door and the "door system" needs to decide: should I let [Alice] ([Alice] is a [Digital Identity]) in?
The "door system", which in this example is the [Policy Enforcement Point] ([PEP]), sends:
* [Alice]'s UserID
* building Number
* door number
to the [Policy Decision Point] ([PDP]) asking: can I let [Alice] in?
The [Policy Decision Point] ([PDP]) runs the rule check ([Policy]) to determine if [Alice] is allowed (i.e. has the [Privilege]) to have "[Access] to the Building they work in" and returns Yes or No.
The [Policy Decision Point] ([PDP]) may use any [Entitlement parameter values] and other data such as [Adaptive Risk] [data]. For example, is [Alice] at the expected [geolocation]?
In our [example] above, the [Role] might be "Bank Teller" or "Bank Manager". Each [Role] consists of one or more [Entitlements] which may have Zero or more [Entitlement parameter values].
[Entitlements] typically have [Entitlement parameter values]. As an [example], the [entitlement]:\\
"Access to the Building they work in" might have a multi-valued attribute identifying which Buildings the entity "Works In". These values are typically driven from an attribute of the [Digital Identity].
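As an added example (not part of the original page and not any product's API), the following Python models the bank scenario above end to end: the two [Roles] as sets of [Entitlements], a "Spend <=$500" entitlement carrying a parameter value, the multi-valued "Works In" attribute on the [Digital Identity], the [PEP] sending UserID, building number and door number to the [PDP], and the [PDP] applying an [Adaptive Risk] [geolocation] check before answering Yes or No. All identities, building numbers and geolocations are constructed sample data.

```python
"""Toy PEP/PDP for the bank example. Every name and value below is a
constructed assumption made for illustration, not a real deployment."""
from dataclasses import dataclass

# Roles -> entitlements. An entitlement may carry parameter values
# (here "spend" carries the $500 ceiling from the Bank Manager role).
ROLES = {
    "Bank Teller": {
        "building_access": {}, "coffee_machine": {}, "teller_machine": {},
    },
    "Bank Manager": {
        "building_access": {}, "coffee_machine": {}, "teller_machine": {},
        "lock_building": {}, "arm_security": {}, "lock_safe": {},
        "administer_teller": {}, "spend": {"max_amount": 500},
        "manage_keycards": {},
    },
}

# Digital identities. "works_in" is the multi-valued attribute that
# parameterises "Access to the Building they work in" (constructed data).
IDENTITIES = {
    "alice": {"role": "Bank Teller", "works_in": {"B100", "B200"}},
    "bob": {"role": "Bank Manager", "works_in": {"B100"}},
}

# Buildings known to the PDP, with their doors and geolocation (constructed).
BUILDINGS = {
    "B100": {"doors": {"D1", "D2"}, "geo": "Oslo"},
    "B200": {"doors": {"D1"}, "geo": "Bergen"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str   # kept so the PEP can log why access was refused


def entitlements_for(user_id):
    """Resolve a user's entitlements (with parameter values) via their role."""
    identity = IDENTITIES.get(user_id)
    if identity is None:
        return {}
    return ROLES[identity["role"]]


def decide_building_access(user_id, building, door, context=None) -> Decision:
    """PDP rule check for 'Access to the Building they work in'."""
    identity = IDENTITIES.get(user_id)
    if identity is None:
        return Decision(False, "unknown identity")
    if "building_access" not in entitlements_for(user_id):
        return Decision(False, "role lacks building_access entitlement")
    if building not in BUILDINGS or door not in BUILDINGS[building]["doors"]:
        return Decision(False, "unknown building or door")
    if building not in identity["works_in"]:
        return Decision(False, f"{user_id} does not work in {building}")
    # Adaptive risk: if the request context reports where the user currently
    # is (constructed signal) and it disagrees with the building, deny.
    reported_geo = (context or {}).get("geo")
    if reported_geo is not None and reported_geo != BUILDINGS[building]["geo"]:
        return Decision(False, "adaptive risk: geolocation mismatch")
    return Decision(True, "allow")


def decide_spend(user_id, amount) -> Decision:
    """PDP rule check using the entitlement parameter value on 'spend'."""
    spend = entitlements_for(user_id).get("spend")
    if spend is None:
        return Decision(False, "role lacks spend entitlement")
    if amount > spend["max_amount"]:
        return Decision(False, f"amount {amount} exceeds {spend['max_amount']}")
    return Decision(True, "allow")


def pep_door_request(user_id, building, door, context=None) -> bool:
    """The door system (PEP): package UserID, building and door number,
    ask the PDP, and enforce its answer. Only the boolean matters to the door."""
    request = {"user_id": user_id, "building": building, "door": door,
               "context": context or {}}
    decision = decide_building_access(**request)
    if not decision.allowed:
        print(f"door {building}/{door}: denied {user_id}: {decision.reason}")
    return decision.allowed


if __name__ == "__main__":
    print(pep_door_request("alice", "B100", "D1"))                  # True
    print(pep_door_request("alice", "B300", "D1"))                  # False
    print(pep_door_request("alice", "B100", "D1", {"geo": "Bergen"}))  # False
    print(decide_spend("bob", 400), decide_spend("bob", 600))
```

The deny path carries a reason so the PEP can log it; the door itself only ever acts on the boolean, which keeps policy logic in one place (the PDP) and enforcement in another (the PEP), as the page describes.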
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]