Spocp@nordunet2003, August 20, 2003
Slide 1
A Middleware Service for Policy Based Authorization
Presentation at Nordunet 2003 by Roland Hedberg
Slide 2
Why middleware services ?
TODAY: The application portfolio of most corporations is a patchwork of independent systems.
FUTURE: Build and integrate applications efficiently using a unified approach and a single platform for application development and integration.
Slide 3
Key benefits of middleware
A common application programming/protocol interface across all platforms
Shields developers from platform complexity
Improved controllability and simpler administration
Improved productivity, efficiency and service
Slide 4
Spocp
Simple POlicy Control Pod
Swedish/Norwegian development project
Started 1 June 2002, will run at least until 31 May 2004
Will be used by the NyA and “Ladok på web” services
Will be implemented as the authorization system at Stockholm university
Slide 5
Spocp – key features
Built around a well-defined rule syntax (S-expressions) with no prescribed semantics
It should be possible to model almost any kind of policy
Allows the use of external information services through 'boundary conditions'
Can be placed as 'close' to the application as needed
A positive answer can be accompanied by additional information
Slide 6
Rule basics
Everything that is not explicitly permitted is prohibited
Only positive rules exist
Every rule allows someone to do something
No order between rules
A request is granted if there is a rule in the rule database of which the query is a subset
Slide 7
Lessons learnt so far
So far we have not found policies that cannot be translated into S-expressions.
Seems to be fast enough for the applications tested
Technology is, as usual, only part of the game
When the number of policies grows and they are managed in a decentralized way, it is essential to be able to test whether the combined policies really express what they should.
Tools for 'post mortem' analysis are necessary
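The rule basics on slide 6 (default deny, positive rules only, no rule order, grant when the query is a subset of some rule, extra information returned with a grant) and the slide 7 point about testing whether a combined rule set really expresses what its authors intended are illustrated below with a small added example. This is not Spocp's own code: the S-expression parser, the star forms `(*)`, `(* prefix P)` and `(* set A B ...)`, the reading of "subset" as "every element of the rule matches the corresponding element of the query, and the query may carry extra trailing elements", and the sample rules and hostnames are all assumptions made for this illustration.

```python
# Added example (not Spocp's own code): a toy subset-matching rule engine.
# The star forms (*), (* prefix P) and (* set A B ...) and the "query may be
# more specific than the rule" reading of "subset" are assumptions for this
# illustration, not Spocp's documented syntax or semantics.
import re
from typing import Any, Dict, List, Optional, Tuple

Sexp = Any  # a str atom or a (possibly nested) list of Sexp

_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse(text: str) -> Sexp:
    """Parse one S-expression, e.g. (http (host www.su.se) (method GET))."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def read() -> Sexp:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == '(':
            items = []
            while tokens[pos] != ')':
                items.append(read())
            pos += 1  # consume ')'
            return items
        if tok == ')':
            raise ValueError("unbalanced ')'")
        return tok[1:-1] if tok.startswith('"') else tok

    result = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after S-expression")
    return result


def covers(rule: Sexp, query: Sexp) -> bool:
    """True if the query is a subset of the rule: every element of the rule
    matches the corresponding element of the query. The query may be more
    specific than the rule (extra trailing list elements), never less."""
    if isinstance(rule, list) and rule and rule[0] == '*':
        if len(rule) == 1:                       # (*): matches anything
            return True
        if rule[1] == 'prefix' and isinstance(query, str):
            return query.startswith(rule[2])    # (* prefix P)
        if rule[1] == 'set':                     # (* set A B ...): any of
            return any(covers(alt, query) for alt in rule[2:])
        return False                             # unknown star form: no match
    if isinstance(rule, str):
        return isinstance(query, str) and rule == query
    if not isinstance(query, list) or len(query) < len(rule):
        return False
    return all(covers(r, q) for r, q in zip(rule, query))


class Policy:
    """An unordered set of positive rules. Anything not covered by some rule
    is denied; a grant carries the extra information of every matching rule,
    sorted so that the answer does not depend on insertion order."""

    def __init__(self) -> None:
        self.rules: List[Tuple[Sexp, Optional[str]]] = []

    def add(self, rule: str, info: Optional[str] = None) -> None:
        self.rules.append((parse(rule), info))

    def decide(self, query: str) -> Tuple[bool, List[str]]:
        q = parse(query)
        hits = [info for rule, info in self.rules if covers(rule, q)]
        return bool(hits), sorted(i for i in hits if i is not None)

    def audit(self, expectations: Dict[str, bool]) -> List[str]:
        """Check that the combined rules decide each query as the policy
        author expects; returns the queries whose decision differs."""
        return [q for q, want in expectations.items()
                if self.decide(q)[0] != want]


def demo_policy() -> Policy:
    """Constructed sample rules; hostnames and paths are made up."""
    p = Policy()
    p.add('(http (host www.su.se) (method GET))', info='role=reader')
    p.add('(http (host (* prefix ladok.)) (method (* set GET HEAD)))')
    p.add('(file /var/www (*))', info='path=/var/www')
    return p


DEMO = demo_policy()

if __name__ == '__main__':
    for q in ['(http (host www.su.se) (method GET) (path /index.html))',
              '(http (host www.su.se) (method POST))',
              '(http (host ladok.su.se) (method HEAD))',
              '(file /var/www write)',
              '(file /var/www)',
              '(ftp (host www.su.se))']:
        print(q, '->', DEMO.decide(q))
    # A rule set that has drifted from what its authors intended shows up
    # here: the second expectation is not met by the rules above.
    print('mismatches:', DEMO.audit({
        '(http (host www.su.se) (method POST))': False,
        '(file /var/www)': True}))
```

Note that a query with fewer elements than the rule, such as `(file /var/www)` against `(file /var/www (*))`, is denied: the query has to be at least as specific as the rule, which is what keeps default deny meaningful when rules come from several administrators.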