I am currently attempting to design an Authorization Model that has the following components:
Privileges - an action that can either be granted or denied to a user/group
Roles - a collection of privileges; roles can be associated with a user or group
Security Objects - the entity to which security is applied
Object Owners - the owner of a security object
Statuses - an attribute that represents the state of a security object
Users - standard consumer of the service; can be denied or granted access to do things
Groups - a collection of users sharing a common thing; roles can be assigned to groups; privileges can be assigned to groups
My question is as follows: Is there a way to properly model the context of a role with the current components that I presented above?
For instance, let's say I have the current authorization statement:
Tim can see Mary's profile information because Tim is Mary's friend.
I can dissect this statement into the model components:
User: Tim
Security Object: profile information
Object Owner: Mary
Privilege: view
Role: friend
Group: N/A?
Status: N/A
One thing that this dissection does not capture is that Tim is a friend of Mary.
Is there a component that I can add to this model that will capture this context ("of Mary"), or is there a way I can re-represent the privilege statement using my pre-existing auth model components? What is the best practice?
Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC - see the SO tags abac and xacml).
ABAC is an authorization model that:
Let's take your example:
The authorization requirement would therefore be:
In ABAC, you have to identify your attributes. You do this in your question which is great though your analysis is role-biased. Let's take it again. The attributes I see are:
With these attributes, I can rewrite your requirement in a broken-down way:
You can then use ALFA (alfa) to implement the policy in ALFA and then XACML.
The XACML outcome (in XML) is:
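As an added illustration (not part of the answer above and not output of any ALFA/XACML tool), the following Python sketch evaluates the Tim/Mary requirement as an ABAC decision: the attributes are the subject id, action id, resource type and resource owner, and the "of Mary" context is resolved at decision time by looking up the owner's friends, the way a Policy Information Point would supply that attribute. The friend lists are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a Policy Information Point (PIP):
# for each owner, the set of user ids that owner considers friends.
FRIENDS = {
    "mary": {"tim"},
    "tim": {"mary"},
}


@dataclass(frozen=True)
class Request:
    """The attributes of one access request, grouped ABAC-style."""
    subject_id: str      # user making the request, e.g. "tim"
    action_id: str       # privilege requested, e.g. "view"
    resource_type: str   # kind of security object, e.g. "profile"
    resource_owner: str  # object owner attribute, e.g. "mary"


def friends_of(owner: str) -> set:
    """Attribute lookup: who the owner has marked as a friend."""
    return FRIENDS.get(owner, set())


def is_owner(req: Request) -> bool:
    # Mary may always view her own profile.
    return req.subject_id == req.resource_owner


def is_friend_of_owner(req: Request) -> bool:
    # The "of Mary" context: the relationship is evaluated against the
    # resource's owner attribute at decision time, not stored as a role.
    return req.subject_id in friends_of(req.resource_owner)


# Ordered (rule name, condition, effect) list, combined first-applicable.
RULES = [
    ("owner-can-view", is_owner, "Permit"),
    ("friend-can-view", is_friend_of_owner, "Permit"),
]


def evaluate(req: Request) -> tuple:
    """Return (decision, rule) for a request against the profile-view policy."""
    # Policy target: only 'view' on 'profile' objects is covered here.
    if req.action_id != "view" or req.resource_type != "profile":
        return ("NotApplicable", None)
    for name, condition, effect in RULES:
        if condition(req):
            return (effect, name)
    return ("Deny", "default-deny")
```

Returning the rule name alongside the decision gives an audit trail showing which attribute relationship actually granted access.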