<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.infra-repository.org/oiar-2013/index.php?action=history&amp;feed=atom&amp;title=PAT.Authentication%2BAuthorization</id>
	<title>PAT.Authentication+Authorization - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://www.infra-repository.org/oiar-2013/index.php?action=history&amp;feed=atom&amp;title=PAT.Authentication%2BAuthorization"/>
	<link rel="alternate" type="text/html" href="https://www.infra-repository.org/oiar-2013/index.php?title=PAT.Authentication%2BAuthorization&amp;action=history"/>
	<updated>2026-05-06T16:32:23Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.40.0</generator>
	<entry>
		<id>https://www.infra-repository.org/oiar-2013/index.php?title=PAT.Authentication%2BAuthorization&amp;diff=540&amp;oldid=prev</id>
		<title>Daniel Jumelet at 23:22, 11 November 2012</title>
		<link rel="alternate" type="text/html" href="https://www.infra-repository.org/oiar-2013/index.php?title=PAT.Authentication%2BAuthorization&amp;diff=540&amp;oldid=prev"/>
		<updated>2012-11-11T23:22:21Z</updated>

		<summary type="html">&lt;p&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;{{Maturity|3}}&lt;br /&gt;
{{Pageheaderbox4PatternType&lt;br /&gt;
|PATname=Authentication &amp;amp; Authorization&lt;br /&gt;
|summary=Secures usage of facilities and applications by validating identities and permissions&lt;br /&gt;
|version=0.1&lt;br /&gt;
|owner=J.A.H. Schoonderbeek&lt;br /&gt;
|sector=Infrastructure Sector Core&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
In fact Authentication and Authorization are functions that are carried out by human beings. Authentication is done when someone wants to make sure - to a certain extent - that a claim about a subject is true. A special form of authentication is identification, which is a check of the identity of a subject. Authorization is the process of granting rights to a subject to use a certain resource. &lt;br /&gt;
&lt;br /&gt;
When it comes down to the use of automated systems and data, a process is needed to check if someone is entitled to this use. This means that records are made of authorizations (permissions), that need to be validated if someone is issuing rights (Permission Validation). To identify a digital user as a real world person or system, the digital identity (a digital representation of the real world identity) claim is validated by means of comparing one or more credentials that are provided during the validation with credentials that were stored earlier when the digital identity was created and administered (e.g. password hashes, biometric hashes, tokens, certificates). Thus, the Identity Validation function is an automated rematch of the real identity with the digital identity of a user. The Permission Validation function is an automated check whether a user has the right permissions to use a certain resource or data.&lt;br /&gt;
&lt;br /&gt;
===Further notices===&lt;br /&gt;
* It is a good practice to limit digital identities to Natural Persons and Physical Systems. In that case, the validation of this type of digital identity (and its logging) does have meaning in a legal context. &lt;br /&gt;
* Identity Validation can also be used in conjunction with logging, which makes the process of Auditing possible in a way that does have meaning in a legal context, if digital identities are limited to Natural Persons and Physical Systems.&lt;br /&gt;
&lt;br /&gt;
{{PAgraphic&lt;br /&gt;
|graphic=PAT.Authentication+Authorization.png&lt;br /&gt;
|source=Pattern Types.vsd&lt;br /&gt;
|size=500px&lt;br /&gt;
|title=Authentication &amp;amp; Authorization Pattern&lt;br /&gt;
|kind=Type&lt;br /&gt;
}}&lt;br /&gt;
{{Pattern Type Composition}}&lt;br /&gt;
{{Pattern Type Composition Row&lt;br /&gt;
|facility=BT.Identity Validation&lt;br /&gt;
|choice=must&lt;br /&gt;
|reason=This facility delivers the functionality of validating a digital identity.&lt;br /&gt;
}}&lt;br /&gt;
{{Pattern Type Composition Row&lt;br /&gt;
|facility=BT.Identity Store&lt;br /&gt;
|choice=must&lt;br /&gt;
|reason=This facility is required because it offers the Identity Validation the data it needs to perform the validation.&lt;br /&gt;
}}&lt;br /&gt;
{{Pattern Type Composition Row&lt;br /&gt;
|facility=BT.Permission Validation&lt;br /&gt;
|choice=may&lt;br /&gt;
|reason=If authorization is needed, then this facility will provide it. Note that it requires access to a Permission Register, but most likely also to an Identity Store, since many permissions are granted based on identity attributes like user ID, group membership or (for example) Job Title.&lt;br /&gt;
}}&lt;br /&gt;
{{Pattern Type Composition Row&lt;br /&gt;
|facility=BT.Permission Register&lt;br /&gt;
|choice=may&lt;br /&gt;
|reason=This facility provides Permission Validation with the ability to retrieve the current valid (set of) permissions. Note that the permissions themselves likely have a relation with a (particular) Identity Store, since many permissions are granted based on identity attributes like user ID, group membership or (for example) Job Title.&lt;br /&gt;
}}&lt;br /&gt;
{{Pattern Type Composition Row&lt;br /&gt;
|facility=BT.Control Interface&lt;br /&gt;
|choice=may&lt;br /&gt;
|reason=The purpose of this facility within the Pattern is to focus the attention on the security aspects of an available means to read and/or alter the content of either the Identity Store or the Permission Register.&lt;br /&gt;
}}&lt;br /&gt;
{{Table Ending}}&lt;br /&gt;
{{Pattern Type Neighbors}}&lt;br /&gt;
{{Pattern_Type_Adjacent_PAT_Row&lt;br /&gt;
|pattern=PAT.Identity+Permission_Management&lt;br /&gt;
|choice=may&lt;br /&gt;
|reason=To maintain the information in the Identity Store and Permission Register (if present), the Identity &amp;amp; Permission Management Pattern is required. It provisions accounts, ensures information is kept correct and current, and makes auditing possible, both on granted permissions and on changes in identity and/or permission information itself.&lt;br /&gt;
}}&lt;br /&gt;
{{Table Ending}}&lt;br /&gt;
{{PATfooter}}&lt;/div&gt;</summary>
		<author><name>Daniel Jumelet</name></author>
	</entry>
</feed>