Todd from the University of Illinois reported out on this hierarchy breakout:

The group started talking about the University of Illinois at Urbana-Champaign.

Case: developing an authorization system for networking objects such as switches, ports, routers, and VLANs.

They have a database system that contains that information for the campus networks. They need to authorize campus users to query the info they need. Groups are used as grantees. Privileges are create, update, and read.

Question:

- Is there an accepted model for how to assign these privileges?

...

One of the things we want to assign permissions to is network ports and VLANs. So a user can only modify a port if it's on a VLAN they have permission to.

Do we combine those things and have a port-to-VLAN relationship, or do we have each unit separately and have business logic such as "if user X wants to do something they must have this priv AND this priv"?

...

How to navigate the inheritance of the privileges themselves?

A couple of options; it depends on the application situation.

...

But when there's an update, the business logic needs to recalibrate for child objects. Either:

1. it's done at query time, or

2. it's done at update time.

PaulH: It sounds like inheritance is applied to resources. In perMIT, inheritance is applied to the scope, not the resource. It's more about the data.

Todd: In our case at the University of Illinois, there is a Layer 3 network and there are VLANs that are a part of that, and ports on that VLAN.

The model says "this VLAN is in this network." Inheritance could be such that we assign a privilege to the network so that the privilege cascades.

Do you instantiate privileges for all of those things?

Then at query time you can look at an object in the tree, or?

Paul: Our database does the authorization; you can query at any leaf or node.

Todd: I'm a database developer; I think of what's in the tables and what is returned.

Chris: Grouper has had some performance problems with computing all of the leaves.

So we compute the branches up to the leaves, and we can get a result in one query.

But we don't have to have a database full of every leaf.

Jon wanted to call attention to a theme that was interesting: the expansion of authorization info to make vast decisions.

He didn't know much about Grouper or perMIT coming into this event, and learned there are people trying to do what we wanted to do. The authorization info in the database may rival the size of the database it is protecting?

Something told me it's wasteful, but maybe not.

Authorization just demands resources, so you need to put resources to it.

RL Bob: Can't resist piling on: it's all risk management. Expend resources on that, or expend resources on the news that results from a security disaster of no access management privilege cascades.
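To make the two strategies from this discussion concrete (walking the tree at query time, versus precomputing the branches so one query answers the check without storing a grant row per leaf), here is an added example in Python using sqlite3. It is not code from the Illinois system, Grouper or perMIT. The network -> VLAN -> port tree, the group names, users and grants are constructed for illustration, and the "update on the port AND on its VLAN" rule is one reading of the business-logic option raised in the breakout.

```python
# Added example, not code from the Illinois system, Grouper or perMIT.
# Assumed model: a tree network -> VLAN -> port; privileges (read/update/create)
# are granted to groups on any node and cascade to every descendant.
import sqlite3

SCHEMA = """
CREATE TABLE objects (id TEXT PRIMARY KEY, kind TEXT NOT NULL, parent TEXT);
CREATE TABLE closure (ancestor TEXT, descendant TEXT, depth INTEGER,
                      PRIMARY KEY (ancestor, descendant));
CREATE TABLE memberships (user TEXT, grp TEXT, PRIMARY KEY (user, grp));
CREATE TABLE grants (grp TEXT, object TEXT, priv TEXT,
                     PRIMARY KEY (grp, object, priv));
"""

# One join answers "does any group of `user` hold `priv` on `oid` or on an
# ancestor of it?" -- the cascade comes from the closure join, not stored grants.
HAS_PRIV_SQL = """
SELECT 1 FROM grants g
JOIN memberships m ON m.grp = g.grp
JOIN closure c ON c.ancestor = g.object
WHERE m.user = ? AND g.priv = ? AND c.descendant = ?
LIMIT 1
"""

def add_object(conn, oid, kind, parent=None):
    """Insert a node plus its closure rows: itself at depth 0 and one row per
    ancestor of the parent (the 'branches'; update-time work, once per node)."""
    conn.execute("INSERT INTO objects VALUES (?,?,?)", (oid, kind, parent))
    conn.execute("INSERT INTO closure VALUES (?,?,0)", (oid, oid))
    if parent is not None:
        conn.execute("INSERT INTO closure SELECT ancestor, ?, depth + 1 "
                     "FROM closure WHERE descendant = ?", (oid, parent))

def move_object(conn, oid, new_parent):
    """Re-parent a subtree. This is the update-time cost: every node under
    `oid` gets its ancestor rows recomputed, so cascaded grants follow it."""
    sub = [r[0] for r in conn.execute(
        "SELECT descendant FROM closure WHERE ancestor = ?", (oid,))]
    marks = ",".join("?" * len(sub))
    # Drop links from ancestors outside the subtree; intra-subtree rows stay.
    conn.execute(f"DELETE FROM closure WHERE descendant IN ({marks}) "
                 f"AND ancestor NOT IN ({marks})", sub + sub)
    conn.execute("UPDATE objects SET parent = ? WHERE id = ?", (new_parent, oid))
    # Link every ancestor of the new parent to every node of the subtree.
    conn.execute("INSERT INTO closure "
                 "SELECT a.ancestor, s.descendant, a.depth + 1 + s.depth "
                 "FROM closure a JOIN closure s ON s.ancestor = ? "
                 "WHERE a.descendant = ?", (oid, new_parent))

def has_priv(conn, user, priv, oid):
    """Closure-table check: one query regardless of tree depth."""
    return conn.execute(HAS_PRIV_SQL, (user, priv, oid)).fetchone() is not None

def has_priv_walk(conn, user, priv, oid):
    """Query-time alternative with no closure table: walk parent pointers,
    one lookup per level. Same answer; cost grows with depth."""
    while oid is not None:
        if conn.execute("SELECT 1 FROM grants g JOIN memberships m ON m.grp = g.grp "
                        "WHERE m.user = ? AND g.priv = ? AND g.object = ?",
                        (user, priv, oid)).fetchone():
            return True
        row = conn.execute("SELECT parent FROM objects WHERE id = ?", (oid,)).fetchone()
        oid = row[0] if row else None
    return False

def can_modify_port(conn, user, port):
    """Assumed business rule: modifying a port needs 'update' on the port AND on
    the VLAN it sits on. A grant on the port alone is not enough; a grant on
    the VLAN (or its network) cascades to both and satisfies the rule."""
    row = conn.execute("SELECT kind, parent FROM objects WHERE id = ?", (port,)).fetchone()
    if row is None or row[0] != "port":
        return False
    return (has_priv(conn, user, "update", row[1])
            and has_priv(conn, user, "update", port))

def build_sample_db():
    """Constructed sample data: two Layer 3 networks, VLANs in them, ports."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for oid, kind, parent in [("net-A", "network", None), ("vlan10", "vlan", "net-A"),
                              ("vlan20", "vlan", "net-A"), ("sw1/1", "port", "vlan10"),
                              ("sw1/2", "port", "vlan20"), ("net-B", "network", None),
                              ("vlan30", "vlan", "net-B"), ("sw2/1", "port", "vlan30")]:
        add_object(conn, oid, kind, parent)
    conn.executemany("INSERT INTO memberships VALUES (?,?)",
                     [("alice", "netA-admins"), ("bob", "vlan20-readers"),
                      ("carol", "port-techs"), ("dave", "netB-admins")])
    conn.executemany("INSERT INTO grants VALUES (?,?,?)", [
        ("netA-admins", "net-A", "update"),   # cascades to vlan10/20 and ports
        ("netB-admins", "net-B", "update"),
        ("vlan20-readers", "vlan20", "read"),
        ("port-techs", "sw1/2", "update"),    # port only, no VLAN privilege
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("alice update sw1/1:", has_priv(db, "alice", "update", "sw1/1"))
    print("carol modify sw1/2:", can_modify_port(db, "carol", "sw1/2"))
    move_object(db, "vlan20", "net-B")   # VLAN moves: alice loses it, dave gains it
    print("dave update sw1/2:", has_priv(db, "dave", "update", "sw1/2"))
```

The closure table grows with node count times tree depth (17 rows for the 8 constructed objects), not with grants times leaves, which is the "branches up to the leaves, not every leaf" trade-off Chris described; the price is that `move_object` must rewrite the subtree's rows on every re-parenting, which is the update-time recalibration Todd raised.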