Delivered-To: mailing list dev@directory.apache.org
From: David Jencks
Subject: Re: [Triplesec] [AuthZ] Authorization Managers
Date: Tue, 30 Oct 2007 14:56:45 -0700
To: "Apache Directory Developers List"
Message-Id: <8FD182EB-C6CE-4642-8F07-3C4B831E7534@yahoo.com>

On Oct 24, 2007, at 10:51 AM, Alex Karasulu wrote:

> Authorization Managers
> ----------------------------------
>
> Medium to large scale application deployments within complex environments occur
> often within the enterprise. Several divisions, processes and applications require
> the management of authorization policy for many groups and identities.
> Centralizing the access and administration of authorization policy improves
> several aspects of management:
>
> o centralized policy stores enable a standard mechanism for representing
>   and accessing policy information rather than having each application
>   devise its own representation and backing store
>
> o policy backup and restoration operations are simplified when several
>   instances of the same application or different applications use a centralized
>   policy store
>
> o there is a reduced learning curve for administrators who use the same tools
>   across applications to manage policy rather than having to learn how to use
>   a specific tool for each application
>
> o policy audits are greatly simplified when a principal's policy across all
>   applications resides in (what appears to be) a single centralized location
>
> o policy provisioning is also greatly simplified when policy information is
>   centralized
>
> o advanced capabilities in the policy store like snapshotting and versioning
>   can be extended to all applications leveraging the centralized store
>
> o the authority to manage policy across divisions and applications can be
>   parceled out to different administrators when the policy store is centralized;
>   this benefit is referred to as delegation of authority
>
> o additional policy enhancing services benefit all applications using a centralized
>   policy service
>
> Several products have emerged to centralize access to policy information. These
> products usually come bundled with programming APIs, tools, and adapters to integrate
> with common existing systems, which increases their uptake and usability for an
> immediate return to customers investing in the product. Products of this type are
> often referred to as Authorization Managers and usually they are included in a larger
> suite of services composing an identity solution.
>
> More glossary terms:
>
> Delegation of Authority:
>     The term given to the assignment of administrative operations to specific authorities within
>     different jurisdictions to facilitate a division of management.

I don't disagree with this, but wonder if this is an authorization question for users of the authorization manager application itself?

> Authorization Manager:
>     A class of products found in identity management suites which enables the centralized
>     management of authorization policy across applications.

I like this description of authorization managers.

thanks
david jencks

> Alex
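The delegation-of-authority point above, as an added illustration that is not Triplesec code and not from anyone in the thread: a toy centralized policy store in which the administrative operations (grant, revoke) are themselves authorization-checked against the jurisdiction delegated to each administrator, and in which a principal's policy across all applications can be read from one place for audit. The class name PolicyStore, the administrators hr-admin and eng-admin, and the application and principal names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One policy entry: principal holds permission within application."""
    principal: str
    application: str
    permission: str


class NotAuthorized(Exception):
    """Raised when an administrator acts outside their delegated jurisdiction."""


class PolicyStore:
    """Centralized policy store shared by several applications (constructed example).

    Administrative operations are subject to an authorization check of their
    own: an admin may only change policy for applications in the jurisdiction
    delegated to them. Every admin action, allowed or denied, is appended to a
    single audit log.
    """

    def __init__(self) -> None:
        self._grants: set[Grant] = set()
        self._jurisdictions: dict[str, frozenset[str]] = {}
        self._audit_log: list[tuple[str, ...]] = []

    # Delegation of authority: assign administrative operations over a set of
    # applications (a jurisdiction) to a specific administrator.
    def delegate(self, admin: str, applications: list[str]) -> None:
        self._jurisdictions[admin] = frozenset(applications)

    def _require_authority(self, admin: str, application: str) -> None:
        # Unknown admins have an empty jurisdiction, so they are denied everywhere.
        if application not in self._jurisdictions.get(admin, frozenset()):
            self._audit_log.append(("denied", admin, application))
            raise NotAuthorized(f"{admin} has no authority over {application}")

    def grant(self, admin: str, principal: str, application: str, permission: str) -> None:
        self._require_authority(admin, application)
        self._grants.add(Grant(principal, application, permission))
        self._audit_log.append(("grant", admin, principal, application, permission))

    def revoke(self, admin: str, principal: str, application: str, permission: str) -> None:
        self._require_authority(admin, application)
        self._grants.discard(Grant(principal, application, permission))
        self._audit_log.append(("revoke", admin, principal, application, permission))

    # Runtime decision used by the applications themselves.
    def is_permitted(self, principal: str, application: str, permission: str) -> bool:
        return Grant(principal, application, permission) in self._grants

    # Audit view: one principal's policy across every application in one place.
    def policy_for_principal(self, principal: str) -> dict[str, set[str]]:
        view: dict[str, set[str]] = {}
        for g in self._grants:
            if g.principal == principal:
                view.setdefault(g.application, set()).add(g.permission)
        return view

    def audit_log(self) -> list[tuple[str, ...]]:
        return list(self._audit_log)


def build_demo_store() -> PolicyStore:
    """Constructed scenario: two divisions, each with its own delegated admin."""
    store = PolicyStore()
    store.delegate("hr-admin", ["payroll", "benefits"])
    store.delegate("eng-admin", ["wiki", "build-server"])
    store.grant("hr-admin", "alice", "payroll", "read")
    store.grant("eng-admin", "alice", "wiki", "edit")
    store.grant("eng-admin", "bob", "build-server", "deploy")
    # hr-admin has no authority over engineering applications; the attempt is
    # refused and recorded in the audit log rather than silently applied.
    try:
        store.grant("hr-admin", "bob", "build-server", "deploy")
    except NotAuthorized:
        pass
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.policy_for_principal("alice"))
    for entry in s.audit_log():
        print(entry)
```

The check in `_require_authority` is the answer to the question of who may administer the manager itself: the store treats its own administrative interface as one more protected application, so delegation is just policy about policy, and the audit log captures the refused cross-division change alongside the successful ones.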