Comments on GenericIAM.org BLOG: The constraint universe
Blog author: Horst Walther (http://www.blogger.com/profile/03381708015477095465)
Comment feed last updated: 2022-10-23T10:47:14.475+02:00

Comment by Anonymous (https://www.blogger.com/profile/13446768216086980329), 2012-12-03T10:44:17.419+01:00

In the original NIST RBAC, a constraint meant the segregation of duties (SoD), i.e. which role combinations were allowed and which were not.

This 'constraint universe' article lists a lot of other constraints than the segregation of duties, but the way these constraints are used (which values of these constraints lead to which privilege restriction) indicates that they are more like attributes, attached either to the user, his organization (i.e. the principal) and/or to the user's permission.

Thus, a user's permission can be restricted to be valid in a certain country, for a certain group of customers (if an external user, then this restriction should depend on powers of attorney), for certain projects, for certain cost centers, etc.

It's up to the access controllers (most often the applications) to interpret the 'constraining' attributes according to the applications' functional specification. Thus, an external user may have permission to the 'external insurance policy administrator' role, and the permission is restricted to be valid only within the US and only for certain lines of business. The most common restricting attribute is the external user's customer id, so common that we don't even notice that it's an attribute.

And of course, the range of different attribute types is endless. In a centralized IdM, we should be able to create new attribute types, add new attribute values and also import attributes from existing legacy systems. Then you are able to grant permissions and restrict them with all those attributes which are needed in the applications as they authorize users to confidential data.

Comment by Horst Walther (https://www.blogger.com/profile/03381708015477095465), 2012-03-13T20:56:35.138+01:00

Thanks Jaylen, it would be rather interesting to know which other constraint types are in use out there in the wild.

Comment by jaylen watkins (https://www.blogger.com/profile/11246576951108532477), 2012-03-13T11:15:02.145+01:00

Brilliant understanding made about the constraint universe. Thanks for this.

Job Duties (http://www.jobduties.org/)
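The first comment above (Anonymous, 2012-12-03) describes constraints that behave like attributes attached to a permission, which the application then interprets: an external user holds the 'external insurance policy administrator' role, but only for the US, only for certain lines of business, and only for their own customer id. The following is an added example, written for this page and not code from the commenter, the blog or any IdM product, of how such an access controller can evaluate those constraining attributes. The role name, the attribute names (country, line_of_business, customer_id), the principal and policy identifiers and the sample data are all constructed for illustration.

```python
"""Attribute-constrained permission check (added example, not from the page).

A Grant is a role given to a principal together with constraining
attributes, each naming the set of values for which the role is valid.
The application compares those constraints against the attributes of the
resource being accessed. An attribute the grant does not constrain is
unrestricted; an attribute the grant constrains but the resource does not
carry cannot be evaluated and therefore denies (fail closed).
"""
from dataclasses import dataclass, field
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    constraints: Mapping[str, frozenset[str]] = field(default_factory=dict)


def violated_constraints(constraints: Mapping[str, frozenset[str]],
                         resource: Mapping[str, str]) -> list[str]:
    """Return the names of constraining attributes the resource fails.

    Empty list means every constraint is satisfied. A missing resource
    attribute is reported as violated so the caller can explain the denial.
    """
    violated = []
    for attr, allowed in constraints.items():
        value = resource.get(attr)
        if value is None or value not in allowed:
            violated.append(attr)
    return violated


def is_permitted(grants: Iterable[Grant], principal: str, role: str,
                 resource: Mapping[str, str]) -> bool:
    """True if some grant of `role` to `principal` fits the resource."""
    return any(
        g.principal == principal
        and g.role == role
        and not violated_constraints(g.constraints, resource)
        for g in grants
    )


# Constructed sample data (assumptions for this example only).
EXTERNAL_ROLE = "external insurance policy administrator"
INTERNAL_ROLE = "insurance policy administrator"

GRANTS = (
    # External user: role scoped by country, line of business and customer id.
    Grant(
        principal="ext-4711",
        role=EXTERNAL_ROLE,
        constraints={
            "country": frozenset({"US"}),
            "line_of_business": frozenset({"auto", "home"}),
            "customer_id": frozenset({"C-1001"}),
        },
    ),
    # Internal administrator: same kind of role, no constraining attributes.
    Grant(principal="alice", role=INTERNAL_ROLE),
)

# Constructed insurance policies, each carrying the attributes the grant constrains.
POLICIES = {
    "P-1": {"country": "US", "line_of_business": "auto", "customer_id": "C-1001"},
    "P-2": {"country": "DE", "line_of_business": "auto", "customer_id": "C-1001"},
    "P-3": {"country": "US", "line_of_business": "life", "customer_id": "C-1001"},
    "P-4": {"country": "US", "line_of_business": "auto", "customer_id": "C-2002"},
    "P-5": {"line_of_business": "auto", "customer_id": "C-1001"},  # country not recorded
}


def decisions(principal: str, role: str) -> dict[str, bool]:
    """Evaluate `principal` acting in `role` against every sample policy."""
    return {pid: is_permitted(GRANTS, principal, role, attrs)
            for pid, attrs in POLICIES.items()}


if __name__ == "__main__":
    for pid, allowed in decisions("ext-4711", EXTERNAL_ROLE).items():
        why = violated_constraints(GRANTS[0].constraints, POLICIES[pid])
        print(pid, "allow" if allowed else "deny", why)
```

Only P-1 is permitted for the external user: P-2 fails on country, P-3 on line of business, P-4 on customer id, and P-5 is denied because the policy record carries no country at all, so the constraint cannot be evaluated. The unconstrained internal grant permits all five, which is exactly the difference between a bare role and a role narrowed by constraining attributes that the comment describes.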