[security-dev] Entitlement versus Enforcement Model

Anil Saldhana Anil.Saldhana at redhat.com
Wed Nov 7 10:53:12 EST 2012

Hi All,
   this is an issue I see more at a client (in the classic client/server 
paradigm) that the computing industry is moving toward.

With the increasing push towards mobility, cloud and REST 
architectures,  I think access control decisions may have to be made 
where a decision is needed.  So instead of making 100 authorization 
calls to the server, we need a model where one call is made to the 
server (given user, context etc) and we get back a set of entitlements 
(or permissions) that need to be applied at the client side.

Examples include a mobile client (such as banking) that needs to figure 
out what aspects of the mobile screen the user is entitled to see and 
what operations he is capable of performing.

The industry has put too much emphasis on the enforcement model 
(meaning, make 100 authorization calls to the glorified server). There 
has been almost no models for the entitlement approach.

I have prototyped something here: 

The entitlements should be sent in a JSON response.

Also, trying to get this standardized in the industry via the OASIS 
Cloud Authorization TC. 

I have a hunch that projects such as Aerogear, Drools, Errai and 
Infinispan may need this model.



More information about the security-dev mailing list