[WG-UMA] Scenario comments please: Delegating Access Management to Custodians

Eve Maler eve at xmlgrrl.com
Tue Jan 12 14:54:19 EST 2010


(Let's definitely discuss this one on Thursday's call.)

Great scenario and great comments. Here are some additional thoughts:

- In this scenario we're seeing a distinction between the "resource owner" and what would be called the "policy administrator" if this were an enterprise use case. So our term "authorizing user" doesn't quite do the job here. If we accept this scenario, we should think about how to distinguish these two roles.

- Today our protocol has a classic three-legged (authn + web delegation) instance of OAuth where the (same) user introduces a host and an AM to work together on the person's behalf. Below, at least in the main architecture flow, I think it's Alice logged in at the host vs. her dad Bob logged in at the AM. (This relates to George's points #1 and #2.) Am I right in saying it's not strictly kosher in today's OAuth to do this, ever since the mitigation of the session fixation problem locked this down tight?

- Delegating calendar access to an admin might not need anything as fancy as this; are there reasons it couldn't use "vanilla UMA" to let the boss grant calendar read/write access to an admin as a "requesting user" (#5 sense) working through a "requesting service" (#2 sense) (or whatever we're going to call these things -- see lexicon thread)? If this is really true, how much -- if any -- of the parental custodian scenario could be handled the same way?

(At one point we had discussed adding a "virtual assistant" scenario, e.g. permissioning offsite bookkeepers to get into your financial apps -- anyone have interest in submitting one?)

	Eve

On 11 Jan 2010, at 9:38 AM, George Fletcher wrote:

> A big +1 from me:)
> 
> Questions: 
> 1. Whose responsibility is it to maintain the relationship between the resource "owner" (meaning individual not service) and the resource "authorizer"? 
> 2. At a more detailed level, how does Bob "prove" himself to the social network as Alice's parent? Is that important?
> 3. Does the host need to understand the concept of Bob's identity in the interaction with the AM, or can that be abstracted through the protocol such that the host just has an AM and UID associated with the resource?
> 
> Whether the application is parental supervision/control or an executive delegating calendar access to their assistant this makes a lot of sense to me. I do think there are some interesting UI challenges here to make this understandable and usable for "normal" consumers.
> 
> Thanks,
> George
> 
> On 1/9/10 4:12 PM, Eve Maler wrote:
>> 
>> http://kantarainitiative.org/confluence/display/uma/custodian_scenario
>> 
>> Scenario: Delegating Access Management to Custodians (Pending)
>> Submitted by: Maciej Machulak
>> 
>> Social networks and other social applications are becoming increasingly important for a large part of the society. Young and mature Internet users participate in social networks and exchange information about their personal or professional activities. They create connections with friends or other professionals. They share their personal information and digital content using various social applications.
>> 
>> Young people, in particular, have little knowledge about the technical complexities of social networks and other social applications. They have little understanding of the value of the information that they submit and share among their peers and other users of those applications. Personal information such as age, sex, telephone numbers or hobbies is often not perceived as valuable. Similarly, other digital content such as pictures, short video clips or documents is viewed like any other information that can be made freely available to other users of social networks.
>> 
>> In reality, information submitted by users of social networks may be of great value to third parties. Personal information is often used for advertising purposes or can be abused by malicious users for other purposes. Digital content, on the other hand, has influence on how a particular individual is perceived by others, be it employers or peers. As such, restricting access to information is a necessity and is currently under research.
>> 
>> Younger users of social networking applications may not be aware of the above mentioned security and privacy issues. As such, they may expose too much information to their friends, which is not desirable. To prevent information leakage, parents often require having insight into what information is submitted and shared. They can then restrict publishing of sensitive information. In order to be able to control information, parents need to be given usernames and passwords. This, however, is often perceived to be too intrusive for younger users.
>> 
>> In the next section we discuss how User-Managed Access can be used to support parents with restricting information publishing by their children. We present how younger users of social networking applications can benefit from our proposal. With our scenario we show how our approach allows a user to delegate access control related tasks to other entities that may have a better understanding of security requirements for their resources.
>> 
>> Use Case: Delegating Access Management to Content on Social Applications (Pending)
>> Submitted by: Maciej Machulak
>> 
>> Alice, a 14 year old girl, wants to have an account on a popular social networking application. She wants to create a network of her friends with whom she wants to share pictures and discuss her hobbies. She wants to keep in touch with them and does not want to be left behind with new technologies that have been used by her peers for some time now.
>> 
>> When Alice sets up the account at a popular social networking application she needs to provide a variety of information. This includes providing information about her age. The application detects that Alice is very young. It then informs her that she will need parental control over all the information that she submits and wishes to share with other users of the application. What the application means is that Alice will not be able to control information dissemination by herself but will rely on an adult to make access control decisions. Alice then asks her father Bob for some help with setting up her account and providing the required parental control functionality.
>> 
>> Bob is happy that his daughter will be able to communicate with her friends but he is concerned with what information will be released and how this information might be used by legitimate or malicious users. He knows that the social networking application has been certified to support parental control and allows third party access control systems to be used for that purpose.
>> 
>> Bob is already using a specialized Authorization Manager for his own purposes. He uses such a component to define access control policies for his various online resources, like documents and pictures that he shares with his friends and colleagues at work. Bob decides to use this Authorization Manager for parental control over Alice's information. He plugs this AM component into the social networking application and is now able to easily control how various information submitted by Alice is shared among her friends.
>> 
>> When the account is set up then Alice is able to use it just as any other user of the social networking application. She writes comments about her day, posts links to interesting movies. Additionally, she uploads some of her pictures and short video clips with her friends. She knows that her father is very concerned with privacy and that only comments and links are automatically shared with her friends. 
>> However, pictures and videos are only shared with a predefined set of her friends which was approved by her father. To extend the set and share such multimedia content with other users, Alice must ask for her father's consent.
>> 
>> Knowing about the security constraints imposed by her father, Alice decides to upload a picture from her birthday party. She wants to share it with all the friends that attended the party. When the picture is uploaded she clicks a share button to make a list of friends who should be able to access this picture. Up to this point, Alice performs sharing-related tasks just as any other user. However, once the 'Share' button is clicked, Alice is presented with information that her picture has been shared with Tom and Patrick only, as those two out of her list are considered trustworthy by her father. Sharing the picture with the rest of the group is subject to Alice's father's approval.
>> 
>> Under the hood, the social networking application sends an access control policy request to the Authorization Manager as configured by Bob. The picture is not shared unless a reply is sent back confirming that a policy, as defined in the form of a list by Alice, is proper. This policy request waits within the Authorization Manager for Bob's consideration. As Bob checks his Authorization Manager on a daily basis, he sees that a new request for an access control policy has been received. He checks the resource that is shared (i.e. the picture of his daughter at her birthday party) and what the possible consumers of this resource are (i.e. identities of his daughter's friends). The list seems fine to Bob apart from a single identity of his daughter's older friend who misbehaved at the party. Therefore, Bob removes that identity from the list and approves a new access control policy. When this happens, a request is sent back to the social networking application that the policy for the picture has changed.
>> 
>> When Alice logs in to her account at a social networking application she sees that her father approved her sharing list. What that means is that Alice's proposed access control policy has been validated by her father and has been applied to her picture. However, she notices that some identities have been removed from the list. She checks which of her friends have been removed and decides not to negotiate with her father. After all, she was mad with her friend not acting properly at this very important event of hers. She hopes that her friends will get notifications about a new picture being shared and she is very excited about the comments.
>> 
>> Over time, Alice learns that allowing her father to have impact on security of the resources that she shares with her friends is not a bad thing. She feels safe and knows that everything she submits to her social networking application is secure. Over time, Alice also learns more about security and sees what information is prevented from being shared with her friends. In the future she hopes to make better security decisions by herself. At some point she'll be fully responsible for controlling access to her resources.
>> 
>> Her father Bob is also happy as he knows that his daughter can communicate with her friends in a safe and secure way. He checks his Authorization Manager on a daily basis and composes access control policies if any requests are sent by his daughter's social networking application. Moreover, he audits all access requests and sees how Alice's friends access her pictures and video clips. He hasn't noticed any abuses and is confident in whatever his daughter does. After all, he's fully responsible for her privacy and security and he puts much effort into ensuring that his daughter stays safe and still enjoys the benefits of social networking on the Web.
>> 
>> Architecture
>> The architecture of User-Managed Access for the provided scenario is depicted below.
>> 
>> <Mail Attachment.png>
>> 
>> A user delegates access control functionality for his resources to a component that is managed by a different entity. Therefore, the user is only concerned with creating and submitting resources online. Another entity (custodian) is then responsible for defining access control rules for those resources.
>> 
>> Discussion
>> The following scenario shows how a user can delegate access control functionality to a different user. In this case, an owner of a resource decides that a different entity (a custodian) will be responsible for security of their resources. A user is only concerned with producing and submitting content on the Web and a custodian is responsible for ensuring that such content is protected. It is up to the custodian what access control rules will be applied to resources. An Authorization Manager in such setting can be viewed as an access control module externalized from a Web application that is simply under control of a different entity.
>> 
>> View of the actors presented in this scenario with regards to the generic architecture of a User-Managed Access is depicted below:
>> 
>> <Mail Attachment.png>
>> 
>> The presented diagram shows an Authorization Manager (1), a User (2), a Host (3), a Requester (4) and a Custodian (5).
>> 
>> A custodian can be fully responsible for defining access control policies and may be fully separated from an owner of resources. In such case no direct interactions are needed between an owner of a resource and a custodian who defines access control policy for this resource. An owner may not have any knowledge about the security that is applied to a resource. As such, an owner can focus on main tasks related to producing a resource (e.g. writing a document) and can leave applying security to those who have greater knowledge about security requirements that need to be considered.
>> 
>> Another approach, which has been discussed in the scenario, is where a user can make an access control policy that is subject to approval by a custodian. In such a setting, two different approaches can be considered. In the first, a custodian can only restrict the policy further (i.e. the resulting access control policy can be composed of a subset of the rules proposed by an owner of a resource). In the second approach, a custodian can define access control policies at his own discretion. This can mean that a custodian can restrict policies proposed by an owner of a resource by deleting certain rules, expand those policies by introducing new rules or change those policies completely. In any case, how ownership of a resource is preserved needs to be considered.
>> 
>> 
>> Eve Maler
>> eve at xmlgrrl.com
>> http://www.xmlgrrl.com/blog
>> 
> 
> -- 
> Chief Architect                   AIM:  gffletch
> Identity Services                 Work: george.fletcher at corp.aol.com
> Aol Inc.                          Home: gffletch at aol.com
> Mobile: +1-703-462-3494           
> Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com


Eve Maler
eve at xmlgrrl.com
http://www.xmlgrrl.com/blog
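The host/AM exchange sketched in the quoted scenario ("Under the hood, the social networking application sends an access control policy request to the Authorization Manager...") and the two custodian modes listed in the Discussion section (restrict-only vs. discretionary) are modelled in the following added example. It is not part of this thread, of the wiki page, or of the UMA protocol: the message shapes, the class and identity names, the "trusted set" that lets Tom and Patrick see the picture immediately, and the audit trail are all assumptions made for illustration. The one security-relevant check it demonstrates is that in restrict-only mode the custodian's decision is rejected unless it is a subset of what the resource owner proposed, so the owner's list bounds what the custodian can expose.

```python
"""Toy model of custodian-approved sharing (illustrative, not UMA wire protocol)."""
from __future__ import annotations

import itertools
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    RESTRICT_ONLY = "restrict_only"   # custodian may only drop identities from the proposal
    DISCRETIONARY = "discretionary"   # custodian may drop, add, or replace identities


@dataclass
class PolicyRequest:
    """Host -> AM: 'owner wants resource_id visible to `proposed`'. (Assumed shape.)"""
    request_id: int
    resource_id: str
    owner: str
    proposed: frozenset
    decided: Optional[frozenset] = None
    status: str = "pending"


class AuthorizationManager:
    """Bob's AM: pre-approved 'trusted' sets per owner, a queue of pending requests, an audit log."""

    def __init__(self, mode: Mode):
        self.mode = mode
        self.trusted: dict[str, frozenset] = {}     # owner -> identities the custodian pre-approved
        self.pending: dict[int, PolicyRequest] = {}
        self.audit: list[tuple] = []
        self._ids = itertools.count(1)

    def set_trusted(self, owner: str, identities) -> None:
        self.trusted[owner] = frozenset(identities)

    def submit(self, resource_id: str, owner: str, proposed):
        """Queue the owner's proposal; return what may go live right away (the trusted subset)."""
        req = PolicyRequest(next(self._ids), resource_id, owner, frozenset(proposed))
        immediate = req.proposed & self.trusted.get(owner, frozenset())
        self.pending[req.request_id] = req
        self.audit.append(("submit", req.request_id, sorted(req.proposed)))
        return immediate, req

    def decide(self, request_id: int, allow) -> PolicyRequest:
        """Custodian decision. RESTRICT_ONLY refuses any identity the owner did not propose."""
        req = self.pending[request_id]
        allow = frozenset(allow)
        if self.mode is Mode.RESTRICT_ONLY and not allow <= req.proposed:
            extra = sorted(allow - req.proposed)
            self.audit.append(("reject", request_id, extra))
            raise PermissionError(f"restrict-only mode: custodian may not add {extra}")
        req.decided, req.status = allow, "approved"
        self.audit.append(("approve", request_id, sorted(allow)))
        return req


class Host:
    """The social network: stores the ACL and enforces whatever the AM answered."""

    def __init__(self, am: AuthorizationManager):
        self.am = am
        self.acl: dict[str, frozenset] = {}
        self.open_requests: dict[str, int] = {}

    def share(self, resource_id: str, owner: str, friends) -> frozenset:
        """Owner clicks 'Share': trusted identities go live now, the rest wait for the custodian."""
        immediate, req = self.am.submit(resource_id, owner, friends)
        self.acl[resource_id] = immediate
        self.open_requests[resource_id] = req.request_id
        return immediate

    def apply_decision(self, resource_id: str) -> frozenset:
        """AM -> host: pull the approved list (if any) into the enforced ACL."""
        req = self.am.pending[self.open_requests[resource_id]]
        if req.status == "approved":
            self.acl[resource_id] = req.decided
        return self.acl[resource_id]

    def can_access(self, resource_id: str, requester: str) -> bool:
        return requester in self.acl.get(resource_id, frozenset())


if __name__ == "__main__":
    # Constructed walk-through of the birthday-picture story.
    am = AuthorizationManager(Mode.RESTRICT_ONLY)
    am.set_trusted("alice", {"tom", "patrick"})
    host = Host(am)
    print("live now:", sorted(host.share("party.jpg", "alice", {"tom", "patrick", "chris", "dave"})))
    am.decide(host.open_requests["party.jpg"], {"tom", "patrick", "chris"})   # Bob drops dave
    print("after approval:", sorted(host.apply_decision("party.jpg")))
    print("audit:", am.audit)
```

In restrict-only mode the owner's proposal is the upper bound and the custodian's approval is the effective policy, which is one concrete answer to the "how ownership is preserved" question raised in the Discussion section; in discretionary mode the same `decide` call accepts an identity the owner never named, and only the audit log shows that the custodian, not the owner, introduced it.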

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-uma/attachments/20100112/9d9c4d18/attachment-0001.html 

