Professional Documents
Culture Documents
an Authoritative Source?
Roger Westman, CISSP
September 2, 2009
■ Purpose
– Propose a starting definition for the Community
– Highlight some known items of interest
■ Assumptions
– Privilege Management focus
– Audience has understanding of access control
■ Constraints
– Not addressing information management aspects of authoritativeness
– Not addressing all Producer vs. Consumer authoritative issues
– Not addressing all technical implementation issues
Authoritative Sources
Pro m er
du onsu
ce r C
Consumer
Consumer
u cer Co
d
Pro Arbitrators
nsu
m er
Is ok for this?
Partners
© 2009 The MITRE Corporation. All rights Reserved.
Authoritative Source Does NOT Default to a …
PL AS
TA AS EL AS
TA AS EL AS
Consumers of EL AS PL AS
authoritative data PL AS
© 2009 The MITRE Corporation. All rights Reserved.
Enterprise Level (EL) Authoritative Source
Authorization
Protected Service
User Resource (PR)
Policy Enforcement Policy Decision
Point (PEP) Point (PDP)
Enterprise
AAS
Attribute Attribute
Service Service
Extended
AAS
Cached
Extended Local
Enterprise
AAS AAS
AAS
© 2009 The MITRE Corporation. All rights Reserved.
Suggested Next Steps