
Authorization Overview

StephenCote edited this page Dec 16, 2014 · 8 revisions

Authorization Introduction

Account Manager 5 supports several authorization models, principally list-, role- and attribute-based access controls, and includes support for Separation of Duty (SoD). At the atomic level, entitlements are stored and managed using the Participation Access Control model.

The Account Manager 5 authorization capabilities built on Participation-Based Access are exposed through the following services:

  1. Participation Access Control - Factories and data models for storing entity-level entitlement effects and memberships.
  2. Internal Authorization Service applies internal business-logic checks, may or may not make direct Participation Access checks, and then defers to the Effective Authorization Service. Use the Internal Authorization Service when using factory services to assert whether or not a User is authorized to perform an activity on an Account Manager entity.
  3. Effective Authorization Service uses a set of database views and functions to resolve the role and entitlement mapping of permissions from actors to entities. When entitlements, groups, or roles change, the service rebuilds the caches for the affected entities. Use the Effective Authorization Service when working with custom permissions, groups, and roles, preferably where those permissions are not default permissions.
  4. Base Authorization Service is an abstract service class that translates JEE servlet requests into auditable requests. Use the Base Authorization Service as an entry point for public or Web-based requests into Account Manager operations.
  5. Authorization as a Service (Azaas) is a service able to correlate identity, application, attribute, context and operational facts with a rule-driven policy, and produce a decision for an authorized claimant. Separation of Duty evaluation is supported via the RuleType with its RuleEnumType set to SEPARATION_OF_DUTY. Activities can be created to abstract entitlements using DirectoryGroupType objects. SoD rules may be executed independently, or integrated with other authorization rules.
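To make the effective-authorization and Separation of Duty concepts from items 3 and 5 concrete, here is an added, self-contained model of them in Python. It is not Account Manager 5 code: the `Policy` class, its method names, and the invoice sample data are constructed for this illustration, and it models activities as named bundles of entitlements granted through roles, with SoD rules as pairs of activities one claimant may not hold together.

```python
from collections import defaultdict

class Policy:
    """Constructed model: participation (role membership) -> activities ->
    entitlements, with a per-actor effective-entitlement cache and SoD rules."""

    def __init__(self):
        self.role_members = defaultdict(set)         # role -> actors (participation)
        self.role_activities = defaultdict(set)      # role -> activities it grants
        self.activity_entitlements = defaultdict(set)  # activity -> {(permission, entity)}
        self.sod_rules = []                          # (activity_a, activity_b) conflicts
        self._cache = {}                             # actor -> effective entitlements

    def add_member(self, role, actor):
        self.role_members[role].add(actor)
        self._cache.pop(actor, None)   # membership changed: rebuild this actor on next query

    def grant(self, role, activity, permission, entity):
        self.role_activities[role].add(activity)
        self.activity_entitlements[activity].add((permission, entity))
        self._cache.clear()            # entitlement mapping changed: rebuild everyone

    def add_sod_rule(self, activity_a, activity_b):
        self.sod_rules.append((activity_a, activity_b))

    def activities_of(self, actor):
        return {a for role, members in self.role_members.items() if actor in members
                for a in self.role_activities[role]}

    def effective_entitlements(self, actor):
        if actor not in self._cache:   # lazily rebuilt after any invalidation
            self._cache[actor] = {e for a in self.activities_of(actor)
                                  for e in self.activity_entitlements[a]}
        return self._cache[actor]

    def sod_violations(self, actor):
        held = self.activities_of(actor)
        return [r for r in self.sod_rules if r[0] in held and r[1] in held]

    def decide(self, actor, permission, entity):
        """Permit only if the claimant holds the entitlement and breaks no SoD rule.
        This illustration treats any SoD violation as a hard deny for that claimant."""
        if self.sod_violations(actor):
            return "DENY_SOD"
        return "PERMIT" if (permission, entity) in self.effective_entitlements(actor) else "DENY"

def demo():
    p = Policy()                                   # constructed sample policy
    p.grant("Clerk", "CreateInvoice", "Create", "/Invoices")
    p.grant("Approver", "ApproveInvoice", "Approve", "/Invoices")
    p.add_sod_rule("CreateInvoice", "ApproveInvoice")
    p.add_member("Clerk", "alice"); p.add_member("Approver", "bob")
    before = p.decide("alice", "Create", "/Invoices")    # PERMIT: clerk only
    p.add_member("Approver", "alice")                     # alice now holds both activities
    return before, p.decide("alice", "Create", "/Invoices"), p.decide("bob", "Approve", "/Invoices")
```

Running `demo()` shows the cache being invalidated on the membership change and the SoD rule turning alice's previously permitted request into a denial.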
