Hi All, any objections to getting the Entitlements Manager concept into PicketLink Authorization? That way we cover all based with both Fine Grained Authorization (Permissions API/Implementation) as well as download of entitlements. My previous prototype: https://docs.jboss.org/author/display/SECURITY/EntitlementsManager (there are bugs in the test case which I will fix) While the FGA is what I call the Enforcement Model, the EntitlementsManager concept is what I call the Entitlement Model. I am currently writing a specification at OASIS for this: https://www.oasis-open.org/committees/document.php?document_id=52098&... Regards, Anil

The idea is if rather than make 100 enforcement (Access Checks), you make one call and download the entitlements and then do local authorization checks. As an example, there is a mobile phone that has a rich native app. It connects to a server and downloads the entitlements on the fly. That way it can make local decisions as to what the permissions are, rather than make individual server access checks. Useful in environments such as financial apps. On 01/31/2014 09:40 AM, Anil Saldhana wrote: > Hi All, > any objections to getting the Entitlements Manager concept into > PicketLink Authorization? That way we cover all based with both Fine > Grained Authorization (Permissions API/Implementation) as well as > download of entitlements. > My previous prototype: > https://docs.jboss.org/author/display/SECURITY/EntitlementsManager > (there are bugs in the test case which I will fix) > > While the FGA is what I call the Enforcement Model, the > EntitlementsManager concept is what I call the Entitlement Model. > > I am currently writing a specification at OASIS for this: > https://www.oasis-open.org/committees/document.php?document_id=52098&... > > Regards, > Anil >

In some way we support that, one just need to use the Permission API to obtain the permissions and return them back using JSON, for example.

Maybe once we start working with the REST module we can provide that OOTB.

But how entitlements relates with XACML ? Is it a enabler ? ----- Original Message ----- From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com&gt; To: security-dev(a)lists.jboss.org Sent: Friday, January 31, 2014 1:45:33 PM Subject: Re: [security-dev] Entitlements Concept Another example would be something like Drools Guvnor where the display of assets needs to be regulated. So instead of checking on individual asset check, one call is made for the entire permission collection and the UI is rendered faster. On 01/31/2014 09:43 AM, Anil Saldhana wrote: > The idea is if rather than make 100 enforcement (Access Checks), you > make one call and download > the entitlements and then do local authorization checks. > > As an example, there is a mobile phone that has a rich native app. It > connects to a server and downloads > the entitlements on the fly. That way it can make local decisions as to > what the permissions are, rather than > make individual server access checks. Useful in environments such as > financial apps. > > On 01/31/2014 09:40 AM, Anil Saldhana wrote: >> Hi All, >> any objections to getting the Entitlements Manager concept into >> PicketLink Authorization? That way we cover all based with both Fine >> Grained Authorization (Permissions API/Implementation) as well as >> download of entitlements. >> My previous prototype: >> https://docs.jboss.org/author/display/SECURITY/EntitlementsManager >> (there are bugs in the test case which I will fix) >> >> While the FGA is what I call the Enforcement Model, the >> EntitlementsManager concept is what I call the Entitlement Model. >> >> I am currently writing a specification at OASIS for this: >> https://www.oasis-open.org/committees/document.php?document_id=52098&... >> >> Regards, >> Anil >> >>

From a server perspective, you can perform additional checks in order to make sure the client is able to perform a specific operation or retrieve data.

From a mobile perspective, I think depends how the mobile app is storing sensitive data by using secure/encrypted storage. I think Aerogear is addressing this ...

The idea is if rather than make 100 enforcement (Access Checks), you make one call and download the entitlements and then do local authorization checks. As an example, there is a mobile phone that has a rich native app. It connects to a server and downloads the entitlements on the fly. That way it can make local decisions as to what the permissions are, rather than make individual server access checks. Useful in environments such as financial apps. On 01/31/2014 09:40 AM, Anil Saldhana wrote: > Hi All, > any objections to getting the Entitlements Manager concept into > PicketLink Authorization? That way we cover all based with both Fine > Grained Authorization (Permissions API/Implementation) as well as > download of entitlements. > My previous prototype: > https://docs.jboss.org/author/display/SECURITY/EntitlementsManager > (there are bugs in the test case which I will fix) > > While the FGA is what I call the Enforcement Model, the > EntitlementsManager concept is what I call the Entitlement Model. > > I am currently writing a specification at OASIS for this: > https://www.oasis-open.org/committees/document.php?document_id=52098&... > > Regards, > Anil _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev