https://www.infra-repository.org/oiar-2013/index.php?action=history&feed=atom&title=BT.Permission_ValidationBT.Permission Validation - Revision history2026-05-06T13:14:53ZRevision history for this page on the wikiMediaWiki 1.40.0https://www.infra-repository.org/oiar-2013/index.php?title=BT.Permission_Validation&diff=77&oldid=prevJan Schoonderbeek: start2012-11-11T23:22:21Z<p>start</p>
<p><b>New page</b></p><div>{{Maturity|3}}<br />
{{Pageheaderbox4BBT<br />
|name=Permission Validation<br />
|WorkingArea=Middleware (MW)<br />
|version=0.3<br />
|owner=J.A.H. Schoonderbeek<br />
}}<br />
A Permission Validation facility offers the ability to decide on allowing or blocking a proposed action by a digital identity. In essence, it can answer the question "is entity X allowed to perform action Y on object Z?". The facility must be offered an identity attribute representing a digital identity, and a suitable representation of the proposed action and object. The facility then checks the data offered against a set of rules that describe the relevant access policies, and responds with a yes/no (true/false).<br><br />
An example of an identity attribute would be a username; an example of a proposed action would be "read"; an example of an object would be "a particular file". The Permission Validation facility must respond with a message, either that the action is allowed or not.<br />
<br />
Permission Validation is an important part of Authentication and Authorization. Beware, however, that Permission Validation is NOT synonymous to Authorization. Authorization roughly looks like this:<br />
* For a particular set of resources, e.g. access to the country from abroad, the security officer decides on a required level of authentication, e.g. people must authenticate using a passport.<br />
* Next, the requirements for allowing or disallowing access are formulated, usually in cooperation between the business and a security officer. The requirements are usually in the form of business rules. As an example: for resource "access to our country", the business rules could be a.o. "not if the identity appears on the list 'wanted terrorists' or 'wanted criminals'", "not when <person appears to be a work migrant> AND <work visa is absent>".<br />
* Then, the security officer determines or appoints an access point, where permission validation will take place, e.g. a border checkpoint.<br />
* Finally, a process is put in place to validate the required actions, e.g. the border checkpoint check of the passport name against the database of wanted persons, and the baggage check.<br />
<br />
Note that Authorization means that someone (himself authorized to do so) makes decisions on the needed level of authorization, and on the rules that decide on allowing or disallowing access; thus the process of authorization always involves a security officer. Permission validation is only an automated means for ''part'' of that process, the correct deployment of which must itself be checked by a security officer.<br />
<br />
To validate an action, the Permission Validation facility needs access to one or more [[BT.MW.Permission Store|Permission Stores]]. Note that the permission store in itself is not part of the Permission Validation facility.<br />
{{FunctionIcon<br />
|image=Icon BBT Permission Validation.png<br />
}}<br />
{{BBT Text Footer}}</div>Jan Schoonderbeek