International journal of computing & information technology

A UNIFORM CLAIMS-BASED ACCESS CONTROL FOR THE ENTERPRISE

Abstract

When standing up a high-assurance, internet-scale, web-service-based enterprise system for information sharing, access control is a primary consideration. A generalized standards-based solution is presented. Central to this system is a process for access control that provides the fine-grained authorities for use by enterprise services. In all cases, access control, rights and privileges are handled by the web service itself, through its own Access Control Lists (ACLs), and are preceded by a bi-lateral authentication in both normal and federated service requests. The enterprise system relies on a unified naming and credentialing system for identity management, which is not dealt with in this paper due to size constraints. This document provides the process by which access control and authority claims are developed at the enterprise level. The claims are computed using enterprise attributes, use cases, policy statements and other data together with an Attribute Based Access Control (ABAC) / Policy Based Access Control (PBAC) engine described in this paper. These claims are then placed in a Security Assertion Markup Language (SAML) token to be used by the web service. The SAML token is signed for integrity and encrypted for confidentiality. This is the first enterprise-level scale-up that has provided a consistent enterprise solution to access control that has not used a centralized Access Control Service and relies solely on the service for access control and authority determination.
