Skip to content

Home

Jump to bottom
drgorb edited this page Jun 19, 2012 · 3 revisions

Welcome to the authentigate wiki!

The goal is to create an online service which allows for all three "A"s in AAA. Namely Authentication, Authorization and Accounting.

The core concepts are Name space, User, Group, Application and Content. There are no roles because a role is just a special group.

The approach is different from what I found so far in that authentigate allows to register the content IDs of the objects where permissions are given.

Introduction

If we take as example a simple Address Book application. Because this is an online app, there can be many tenants and users. The permissions are set in the following fashion:

  • An address book belongs to a user. She can always administer it
  • A user can see addresses from one (their own) or more tenants
  • Addresses can be assigned to categories. Permissions are set such that certain groups can view or edit certain categories

In order to setup the system a few steps must occur

  • The address book application must be registered with authentigate
    • The permissions for the application must be listed. In general CRUD but there could be many more
    • the order of the permissions. i.e. someone who can Update can also Read because Update > Read. If Update == Read then someone could be allowed to update but not read.
    • The permission rules for the application must be set
  • Upon creation, the application registers the objects it wants to be managed by authentigate:
    • The address books
    • The categories in the address books

Registering an object with authentigate means sending a message with the user's ID, the object's name space and the object's ID. In order for authentigate to work properly, all IDs must be unique in the application. You can not reuse an ID from the address book to an entry in the address book or a category.

Permission assignment is done in two ways:

  • by rules
  • explicitly by an admin

In our example we have a few rules, they are all arbitrary and could be different:

  • a user can create addresses for her own tenant only. this limits the name spaces she can use
  • a user can see all the addresses she created, even if the address is moved to a category where she has no permission
  • a user inherits the permissions set for the groups she belongs to
  • a user inherits the weakest permission set among all the groups she belongs to

Now when a user opens the Address Book application, she will see all address books belonging to a Tenant (name space) she is permitted to at least see (Update is bigger than Read) and belonging to a group she is permitted to see plus any address she has created herself.

It is the responsibility of the application to show the information in a pertinent way. The application can gather all the information from authentigate that the user herself is permitted to get. This includes:

  • a list (or tree) of groups the user belongs to
  • a list of name spaces the user has permission for. There are no particular permissions for name spaces, just Yes or No.
  • information about permission level for a particular ID for the user
  • information about which group gave the user what permission for a particular ID (can be a list for each permission)
Clone this wiki locally