Jan Schoonderbeek: piclinkfix

2013-05-07T17:13:17Z

piclinkfix

← Older revision		Revision as of 17:13, 7 May 2013
Line 13:		Line 13:
	===Further notices===		===Further notices===
	It is a good practice to limit digital identities to natural persons and discrete systems. If this is the case, then the validation of such digital identities (and the logs thereof) has meaning in a legal context. This is of particular importance for the process of Auditing.		It is a good practice to limit digital identities to natural persons and discrete systems. If this is the case, then the validation of such digital identities (and the logs thereof) has meaning in a legal context. This is of particular importance for the process of Auditing.

	{{Pattern Realizes		{{Pattern Realizes
	\|service=GS.Authentication+Authorization		\|service=GS.Authentication+Authorization
	}}		}}
	{{Pattern Graphic		{{Pattern Graphic
	\|graphic~~=No graphic yet.png~~		\|graphic=GP.Authentication+Authorization.png
	~~\|source~~=GP.Authentication+Authorization.png
	\|size=527px		\|size=527px
	\|title=Generic Pattern for Authentication & Authorization		\|title=Generic Pattern for Authentication & Authorization

Jan Schoonderbeek: GP created

2013-05-07T17:12:15Z

GP created

New page

{{Maturity|3}}
{{Pageheaderbox4GP
|name=Authentication & Authorization
|sector=Core
|version=0.2
|owner=J.A.H. Schoonderbeek
|summary=Helps to secure IT facilities and applications by validating digital identities and permissions.
}}
This Pattern helps to secure IT facilities and applications by validating digital identities and permissions. In effect, this Pattern carries out some of the automated parts of the Authentication and Authorization process - note that many steps in this process are not automated, but are carried out by human beings. Authentication is done when someone wants to make sure - to a certain extend - that a claim that a subject makes on a digital identity is true. A special form of authentication is identification, which is a check that finds a match between a subject and a digital identity. Authorization is the process of granting rights to a subject to use a certain resource; the exercising of these rights is then subject to validation, which can be carried out automatically.

When it comes down to the use of automated systems and data, a process is needed to check if someone is entitled to this use. This means that records are made of authorizations (permissions), that need to be validated if someone is issuing rights (Permission Validation). To identify a digital user as a real world person or system, the digital identity (a digital representation of the real world identity) claim is validated by means of comparing one or more credentials that are provided during the validation with credentials that were stored earlier when the digital identity was created and administered (e.g. password hashes, biometric hashes, tokens, certificates). Thus, the Identity Validation function is an automated rematch of the real identity with the digital identity of a user. The Permission Validation function is an automated check whether a user has the right permissions to use a certain resource or data

===Further notices===
It is a good practice to limit digital identities to natural persons and discrete systems. If this is the case, then the validation of such digital identities (and the logs thereof) has meaning in a legal context. This is of particular importance for the process of Auditing.

{{Pattern Realizes
|service=GS.Authentication+Authorization
}}
{{Pattern Graphic
|graphic=No graphic yet.png
|source=GP.Authentication+Authorization.png
|size=527px
|title=Generic Pattern for Authentication & Authorization
|kind=Generic
}}
{{Generic Pattern Composition}}
{{Generic Pattern Composition Row
|function=GF.Identity Store
|choice=Must
|reason=This function is required because it offers the Identity Validation the data it needs to perform the validation.
}}
{{Generic Pattern Composition Row
|function=GF.Identity Validation
|choice=Must
|reason=This function delivers the functionality of validating a digital identity.
}}
{{Generic Pattern Composition Row
|function=GF.Permission Register
|choice=Must
|reason=This function provides Permission Validation with the ability to retrieve the current valid (set of) permissions. Note that the permissions themselves likely have a relation with a (particular) Identity Store, since many permissions are granted based on identity attributes like user ID, group membership or (for example) Job Title.
}}
{{Generic Pattern Composition Row
|function=GF.Permission Validation
|choice=Must
|reason=If authorization is needed, then this function will provide it. Note that it requires access to a Permission Register, but most likely also to an Identity Store, since many permissions are granted based on identity attributes like user ID, group membership or (for example) Job Title.
}}
{{Generic Pattern Composition Row
|function=GF.Controlling
|choice=Must
|reason=The purpose of this function within the Pattern is to focus the attention on the security aspects of an available means to read and/or alter the content of either the Identity Store or the Permission Register.
}}
{{Table Ending}}
{{Pattern Adjacent Services}}
{{Generic Pattern Adjacent Service Row
|service=GS.Data Transport
|choice=Must
|reason=There are Data Transport instances used within the Pattern, between the Pattern and adjacent services, and between the Pattern and the consumers of its realized services. These must be secured sufficiently to guarantee the integrity of the Pattern and its operations.
}}
{{Generic Pattern Adjacent Service Row
|service=GS.Identity+Permission Management
|choice=May
|reason=To maintain the information in the Identity Store and Permission Register, the Identity & Permission Management Pattern is required. It provisions accounts, ensures information is kept correct and current, and makes auditing possible, both on granted permissions and on changes in identity and/or permission information itself.
}}
{{Table Ending}}
{{Text Footer GP}}

GP.Authentication+Authorization - Revision history

Jan Schoonderbeek: piclinkfix

Jan Schoonderbeek: GP created