[security-dev] Entitlements Concept

Anil Saldhana Anil.Saldhana at redhat.com
Fri Jan 31 11:07:08 EST 2014

On 01/31/2014 10:05 AM, Pedro Igor Silva wrote:
> In some way we support that, one just need to use the Permission API to obtain the permissions and return them back using JSON, for example.
> Maybe once we start working with the REST module we can provide that OOTB.
> But how entitlements relates with XACML ? Is it a enabler ?
XACML is still and enforcement model. You get answers (Y/N).
Rather than -  here is the Context (user, role, group, time, IP)
and now give me the relevant permissions.

> ----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Friday, January 31, 2014 1:45:33 PM
> Subject: Re: [security-dev] Entitlements Concept
> Another example would be something like Drools Guvnor where the display
> of assets needs to be regulated. So instead of checking on individual asset
> check, one call is made for the entire permission collection and the UI
> is rendered faster.
> On 01/31/2014 09:43 AM, Anil Saldhana wrote:
>> The idea is if rather than make 100 enforcement (Access Checks), you
>> make one call and download
>> the entitlements and then do local authorization checks.
>> As an example, there is a mobile phone that has a rich native app. It
>> connects to a server and downloads
>> the entitlements on the fly. That way it can make local decisions as to
>> what the permissions are, rather than
>> make individual server access checks.  Useful in environments such as
>> financial apps.
>> On 01/31/2014 09:40 AM, Anil Saldhana wrote:
>>> Hi All,
>>>        any objections to getting the Entitlements Manager concept into
>>> PicketLink Authorization?  That way we cover all based with both Fine
>>> Grained Authorization (Permissions API/Implementation) as well as
>>> download of entitlements.
>>> My previous prototype:
>>> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager
>>> (there are bugs in the test case which I will fix)
>>> While the FGA is what I call the Enforcement Model, the
>>> EntitlementsManager concept is what I call the Entitlement Model.
>>> I am currently writing a specification at OASIS for this:
>>> https://www.oasis-open.org/committees/document.php?document_id=52098&wg_abbrev=cloudauthz
>>> Regards,
>>> Anil

More information about the security-dev mailing list