Resource-Centric Authorization Service

The action identifiers in the RCAS (hence, the registered UMA scope identifiers) mustn’t start with “!” and end with “*”, as these characters have special meanings in the RCAS policies evaluation.

There is one more operational action in addition to the ones already listed: resource:action:empty. RCAS can assign the policies only to a tuple resource-action. However, UMA 2.0 also knows the use case when the policies are assigned to a resource only (empty scopes). RCAS translates such a request coming from UMA 2.0 into a request for the given resource and resource:action:empty action. This identifier also enables configuring policies for the “empty scopes” request.

The RCAS evaluation process is based on the request context that contains the information about the requestor and is evaluated against the relevant policies. These policies are identified by the tuple resource-action. There are independently-defined policies for each tuple. The assignment of these policies to the tuples is represented by the policy assignments configuration object. The configuration of the policies themselves consists of three configuration objects: rule configuration, rule template, and evaluation model.

The evaluation model represents a type of the policy being applied (access control list, XACML, RBA, …). It is the combination of the definition of the evaluation process and the definition of the policy language on which it operates. The policy language definition is further represented by rule templates and rule configurations. For example: The evaluation model to compare any attribute persisted for a user account to the attributes bound to an active user session of the requestor. The comparison method can be selected from the following operation set: equality, greater/less than, match to regular expression.

The rule template is a configuration that specifies the evaluation process of an evaluation model. The evaluation process is controlled by certain parameters. However, not all parameters should be set up by the resource owner during the registration or update. Some of them should be preset to reflect the actual deployment specifics. This might be achieved via the rule templates. Typically, the management of rule templates is restricted to the administrators only. The administrators create the rule templates and set up the rights of the requestors to use them (resource:management:action:read). There might be multiple rule templates for a single evaluation model. For example: A deployment stores e-mail and company branch identifier attributes for each user account. Rule templates for the evaluation model from the previous example can be used to make these attributes accessible. The parameters of the rule template are set to “attribute: e-mail” and “comparison operation: equality”, “attribute: company branch identifier” and “comparison operation: equality”. The rule templates can then be read as: “Is the requestor’s e-mail equal to e-mail configured via rule configuration?”, "`Is the requestor’s branch equal to the branch configured via rule configuration?`"

The rule configuration is an object that finalizes the configuration so that it can be directly used in the authorization evaluation process. Contrary to the previous policy configuration object types, rule configuration is defined by the resource owner directly when passing the resource policies during the registration/update process. The rule configuration is always relevant to a single rule template that determines its structure and semantics. For example: If a resource owner wants to grant a “download” right to her friend with the “__bob@acme.com” e-mail address, she includes the rule configuration with the identifier of the first rule template from the previous example and sets up the correct e-mail address. The rule configuration then reads: “Is the requestor’s e-mail equal to bob@acme.com?“

The policy assignments configuration represents the assignments of the rule configurations to respective actions for the given resource. For each defined action, there is a structure that defines the policies. The structure is formed as a set of sets and represents a disjunctive normal form (DNF); that is, it is a set of alternatively applicable policy sets. If any of the inner sets is true, the whole policy is true. The inner set is true if all its elements are true. The inner set elements are the rule configurations.

As typical for sets, no element is duplicated. For the sets in the policy assignments DNF, a stricter rule is applied: if there is a conjunction that gives permission to a set of requestors that is a subset of requestors that are given permission by another conjunction from the same DNF, the former conjunction is removed.

The policy management API consists of two RESTful API endpoints: policy management and rule template management. These endpoints comply with the OData specification. Their description can be found at {endpoint_address}/$metadata.

The respective endpoint addresses are:

The API enables the resource servers to include the policy management calls directly into their user interface. This design speeds up the interaction between the otherwise necessary interaction between the resource owner and the authorization server. For example, instead of clicking a “protect” button, which registers a new resource and subsequently redirects the resource owner to the policy management user interface provided by the authorization server where the resource owner sets up the policies, the resource server can directly provide the “publish” button, which registers the resource and subsequently sets up the policies to publish the resource (all with one click by the resource owner). This kind of management is enabled when the request is accompanied by the PAT token witnessing the presence of the resource server. Generally, requests accompanied by the PAT token enable management of the resources that belong to the respective resource server.

The resource owner can accompany the request with the PAT issued to the internal resource server as_res which enables management of all the resource owner’s resources. The deployment should provide a custom implementation of a user interface on top of the as_res resource server to which the resource owner is redirected after the new resource registration.

Both rule templates and rule configurations contain a string attribute that contains a JSON structure with parameters relevant to the corresponding evaluation model. This attribute is called “config” and is opaque from the API’s point of view. The rule configuration description endpoint provides the resource owner (or dedicated client application implementing the user interface on top of the API) with the description of the syntax of the “config” attribute. The provided information is requestor-dependent, as the presented descriptions represent the protected resources (rule templates). This means that two system users with different capabilities may see different descriptions when requesting the management of the same specific rule configuration. The endpoint of rule template descriptions prints the structure and possible content of the respective configuration attributes of all rule templates. The endpoint of rule configuration descriptions prints the structure and possible content of respective configuration attributes of all rule configurations (based on the existing rule templates).

We use the JavaScript Object Notation (JSON) schema (http://json-schema.org/ ) to represent the descriptions. This choice enables determining the configuration object structure as well as including possible predefined values or referencing an external resource for retrieving such values (which may again be subject to the authorization).

Using the JSON schema enables the authorization server clients to easily implement a user interface on top of the RESTful API. There are a vast number of open-source libraries providing conversion between a JSON schema and user interface; for example, an automatically generated HTML form.

The update evaluation model represents policies applied during processing of the resource:management:action:execute and resource:management:action:update. Each alternative conjunction in the policies set up for these actions must contain exactly one update rule configuration (if this is not requested by the resource owner, then it is automatically generated).

The purpose of the update evaluation model is to filter out the actions that are not allowed to be used by the registration/update requestor. The rule configuration of this evaluation model contains the attribute “allowed” that is of type set of strings. Each string represents a single rule applicable on the action identifier. The algorithm is as follows:

For each string out of the “allowed” set:

Else the action matches if the string string comparison yields true.

To prevent the requestors that can manage the policies from rewriting the rights of other requestors, the update rule configuration contains the “conjEditor” and “conjEditorWt” attributes. The “conjEditor” attribute contains a whole disjunctive normal form of policies that determine who can manage the conjunction of which the update rule configuration is part. To understand the “conjEditorWt” attribute, we must describe the process of updating the policies. Any policy requested during update to be included in the policies currently stored must be approved by an existing update rule configuration (the “allowed” attribute). To pass the state of manageability from parent policy to its children registration/update actions, if the “conjEditorWt” is true, the value of “conjEditor” attribute of the original update rule configuration is added to the “conjEditor” of the new update rule configuration. This operation specifies that any requestor that is able to manage the original update rule configuration can also manage the new one.

The rule template of the update rule evaluation model must be configured with appropriate policies to be employable by the requestors. The rule template as such does not contain any structure in its “config” attribute.

The enforce evaluation model represents the establisher of the resource ownership. When contained in a conjunction that is applicable on a requested policies and a request context, the resulting policies are enriched with a newly generated policies according to the enforce rule configuration. There can be multiple enforce rule configurations in a single conjunction to enforce multiple initial policies (for example, multiple resource owners).

The rule configuration contains following attributes:

The rule template of the enforce rule evaluation model must be configured with appropriate policies to be employable by the requestors. The rule template as such does not contain any structure in its “config” attribute.

The attribute-based evaluation model represents an extended version of the access control list policy type. Using this model, the resource owner can set up a simple policies based, for example, on a list of allowed e-mails, an allowed organizational unit, or other items.

The rule template contains the following attributes:

The rule configuration has a single attribute “values” which is a set of all possible values compared to the values from the request context.

Example: The administrator sets up the rule template as follows: evaluableClass=AttributeContext, attributeId=mail, evaluationMethodId=o This resource owner can subsequently employ this rule template to define a rule configuration that contains a set of all allowed e-mails whose owners will be granted a permission.

The SSO service evaluation model is intended for delegation of the evaluation to SSO service where any access control system (RBAC or ABAC) can be applied based on Policy Decision Point (PDP) reference in Policy Enforcement Point (PEP).

The rule configuration contains following attributes:

The rule template as such does not contain any structure in its “config” attribute.

Example 1: Resource owner can define the rule configuration based on SSO service rule template that delegates evaluation to RBAC. The resource owner registers their RCAS resource in the standard way, as described above, and creates a policy assignments (authorization policies) to the registered resource in form of DNF and a desired scope. The pepId=<any_PEP_with_empty_authority> SSO service evaluation rule configuration is part of the DNF. For successful evaluation of the rule, it is supposed to create RBAC resource with a path that corresponds with the registered RCAS resource (resource_server:resource_id) and assign the resource to respective RBAC authorization rule, policy and role. In the final XACML request, the desired scope is placed to the XACML Action element, but it is not needed to configure and assign a corresponding RBAC action also to authorization rule. The available scopes are filtered at the side of RCAS according the policy assignments of the evaluated resource.

Example 2: The resource owner can use the pepId=<any_PEP_with_empty_authority>, resourceId=<any_resource_container_name> SSO service evaluation rule to define a resource container. The resource container is pretty standard RBAC resource with a custom resource path string that is used to match several registered resources. It means that several registered RCAS resources can refer to the one resource container assigned within RBAC system. For successful evaluation, it is supposed to create RBAC resource with a path that corresponds with the resourceId and assign the RBAC resource to respective RBAC authorization rule, policy and role.