directory-dev mailing list archives

From David Jencks <>
Subject Re: [Triplesec] [AuthZ] Authorization Managers
Date Tue, 30 Oct 2007 21:56:45 GMT

On Oct 24, 2007, at 10:51 AM, Alex Karasulu wrote:

> Authorization Managers
> ----------------------------------
> Medium to large scale application deployments within complex environments occur
> often within the enterprise.  Several divisions, processes and applications require
> the management of authorization policy for many groups and identities.  Centralizing
> the access and administration of authorization policy improves several aspects of
> management:
>   o centralized policy stores enable a standard mechanism for representing
>      and accessing policy information rather than having each application
>      devise its own representation and backing store
>   o policy backup and restoration operations are simplified when several
>      instances of the same application or different applications use a centralized
>      policy store
>   o there is a reduced learning curve for administrators who use the same tools
>      across applications to manage policy rather than having to learn how to use
>      a specific tool for each application
>   o policy audits are greatly simplified when a principal's policy across all
>      applications resides in (what appears to be) a single centralized location
>   o policy provisioning is also greatly simplified when policy information is
>      centralized
>   o advanced capabilities in the policy store like snapshotting and versioning
>      can be extended to all applications leveraging the centralized store
>   o the authority to manage policy across divisions and applications can be
>      parceled out to different administrators when the policy store is centralized;
>      this benefit is referred to as delegation of authority
>   o additional policy enhancing services benefit all applications using a centralized
>      policy service
> Several products have emerged to centralize access to policy information.  These
> products usually come bundled with programming APIs, tools, and adapters to integrate
> with common existing systems which increases their uptake, and usability for an
> immediate return to customers investing in the product.  Products of this type are
> often referred to as Authorization Managers and usually they are included in a larger
> suite of services composing an identity solution.
> More glossary terms:
> Delegation of Authority:
>     The term given to the assignment of administrative operations to specific
>     authorities within different jurisdictions to facilitate a division of management.
I don't disagree with this, but wonder if this is an authorization
question for users of the authorization manager application itself?

> Authorization Manager:
>      A class of products found in identity management suites which enables the
>      centralized management of authorization policy across applications.
I like this description of authorization managers.

david jencks
> Alex
