How multiple protections on a resource could work


In the conference call of 2010-01-27, there was discussion regarding how a protected resource can be protected by multiple access control systems. To assist in further discussion, this page briefly addresses this topic.

1. Host-managed access control

UMA allows users to exercise discretionary access control over user-controlled resources. This does not negate the host enforcing its own mandatory (or discretionary) access controls through other mechanisms.

The host can always return an HTTP 403 status code, and stipulate its own requirements in order for requesters to obtain authorization. A host can always follow its own mandatory access controls that can override users’ discretionary access controls.

It's also worth noting that an UMA authorization manager could be used to manage mandatory access controls (to support custodians), in addition to the user-selected UMA AM instance for their discretionary access controls.

2. Hooks for other access control systems and protocols

The current UMA protocol flow intentionally separates the act of denying access from the mechanism used to determine how to obtain authorization.

At a high level, the flow is:

  1. The requester attempts to access a protected resource.
  2. Host denies access with an HTTP 403 status code.
  3. Requester discovers and obtains resource descriptor (XRD) using LRDD.
  4. XRD contains referral resource to negotiate authorization with AM.
  5. Requester requests referral.
    … and so on

Because authorization requirements and protocols are discoverable through the XRD, the host can defer to more than one access management system using disparate protocols.

3. Boolean expressions

If multiple access management systems are to be listed in the protected resource’s descriptor, then there needs to be a way to logically relate these systems.

AND is an easy case. Example: “The requester can secure access if it obtains authorization from A, B and C.” In order to secure access to the protected resource, the requester needs to obtain authorization from all of the access management systems listed in the resource descriptor.

The OR case is also easy. Example: “The requester can secure access if it obtains authorization from A, B or C.” The requester can choose which access management system to negotiate with and obtain authorization from.

The mixed-logic case is harder. Example: “The requester can secure access if it obtains authorization from A and B, or C.” This needs a structured way to construct logical expressions. Without a method of parenthesizing expressions, operator precedence becomes an issue.
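The following added example (not part of the original page or of the UMA specification) shows why the mixed case needs explicit structure: it evaluates both readings of "A and B, or C" and lists the authorization sets on which they disagree. The nested `("all", [...])` / `("any", [...])` form is a hypothetical representation chosen for illustration, not something UMA or XRD defines.

```python
from itertools import combinations

# Hypothetical structured form (not defined by UMA or XRD): a leaf is the name
# of an access management system; a node is ("all", [...]) or ("any", [...]).
READING_1 = ("any", [("all", ["A", "B"]), "C"])   # (A and B) or C
READING_2 = ("all", ["A", ("any", ["B", "C"])])   # A and (B or C)


def evaluate(expr, granted):
    """Return True if the set of systems in `granted` satisfies `expr`."""
    if isinstance(expr, str):
        return expr in granted
    if not (isinstance(expr, tuple) and len(expr) == 2):
        raise ValueError(f"malformed expression: {expr!r}")
    op, operands = expr
    if op not in ("all", "any") or not isinstance(operands, list):
        raise ValueError(f"malformed expression: {expr!r}")
    # Fail closed: all([]) is vacuously True and would grant access to anyone.
    if not operands:
        raise ValueError(f"empty operand list in {expr!r}")
    results = [evaluate(sub, granted) for sub in operands]
    return all(results) if op == "all" else any(results)


def systems(expr):
    """Collect every access management system named in `expr`."""
    if isinstance(expr, str):
        return {expr}
    return set().union(*(systems(sub) for sub in expr[1]))


def divergent_grants(expr_a, expr_b):
    """List the grant sets on which the two expressions disagree."""
    names = sorted(systems(expr_a) | systems(expr_b))
    out = []
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            if evaluate(expr_a, set(combo)) != evaluate(expr_b, set(combo)):
                out.append(set(combo))
    return out


if __name__ == "__main__":
    for grants in divergent_grants(READING_1, READING_2):
        print(sorted(grants), evaluate(READING_1, grants), evaluate(READING_2, grants))
```

A requester holding authorization from C alone, or from B and C, is admitted under the first reading and refused under the second, so a host and a requester that assume different precedence will disagree on exactly those cases.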

 