By: Mark Riggins user 06 Jan 2017 at 8:28 a.m. CST

4 Responses
Apologies in advance if this is not the right forum for questions; please redirect me. Can UMA and Gluu be used for fine-grained access control? I would like my application to serve as a datastore for a wide range of people who are already organized in existing hierarchical organizations. Imagine a college with math, music, art and other departments. Each department has one or more administrators, and members. Some people are authorized to only view data. Others have their own personal data. Administrators of the various departments control the membership of their department, and authorize readers and writers. We might have roles to represent a set of permissions: teacher, administrator, auditor, ... Can UMA be used to protect not just an end-point, but a path or scope within the service? Suppose Matt, the head of the math department, adds a new teacher, Tommy. Would Matt be able to invite the teacher Tommy, or could Matt receive a request "Tommy wants read access to the Math Department's schedule, rooms, and classes?" In this case some of the paths would be:

* /college-A/departments/math/students
* /college-A/departments/math/courses
* /college-A/departments/math/classes
* /college-A/departments/math/classes/algebra-1

If not -- is there another available solution to model this, so we don't have to go write the 10,000th custom implementation of groups, roles and users?

By Michael Schwartz Account Admin 06 Jan 2017 at 9:07 a.m. CST

As long as you can describe the resource as a `PATH`, then UMA can manage access based on centralized policies, like which users, using which clients, can access the resource. You can also use query parameters and wildcards to describe resources. If you are interested in buying a support contract, you may want to set up a meeting to chat on http://gluu.org/booking
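The following is an added illustration of the "resource as a PATH" idea from the reply above, written for this thread; it is not Gluu's code or API. The resource records use the field names of the UMA 2.0 resource description (`name`, `resource_scopes`, `type`), but the college paths, scope names, wildcard syntax (`*` = one path segment, `**` = the rest of the path) and the query-parameter rule are assumptions of this example. It shows how a resource server can register each protected path as a resource with scopes, and then map an incoming request (method plus path plus query string) to the resource and scope that an RPT would have to carry.

```python
"""Describe protected paths as UMA resources and map requests to (resource, scope).

Added example for the Gluu support thread; not Gluu's own code.
Resource description fields follow UMA 2.0 resource registration
(name, resource_scopes, type); the paths, scopes and the wildcard
matcher are assumptions of this illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit


class Resource:
    """One registered resource: what is sent to the AS, plus the local matching rule."""

    def __init__(self, name, resource_scopes, rtype, path_pattern, query=None):
        self.name = name                      # UMA: human-readable name
        self.resource_scopes = resource_scopes  # UMA: scopes this resource supports
        self.type = rtype                     # UMA: resource type (free-form string)
        self.path_pattern = path_pattern      # local: '*' one segment, '**' rest of path
        self.query = query or {}              # local: required query params, '*' = any value
        self._regex = _pattern_to_regex(path_pattern)

    def matches(self, path, qs):
        if not self._regex.match(path.rstrip("/") or "/"):
            return False
        return all(k in qs and (v == "*" or qs[k] == v) for k, v in self.query.items())


def _pattern_to_regex(pattern):
    """Translate the assumed wildcard syntax into an anchored regex."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            parts.append(".+")
        elif seg == "*":
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def registration_payload(resource):
    """JSON body a resource server would POST to the AS resource registration endpoint."""
    return {
        "name": resource.name,
        "resource_scopes": list(resource.resource_scopes),
        "type": resource.type,
        "description": "Protected path " + resource.path_pattern,
    }


# Constructed registry for college-A's math department (paths from the question).
REGISTRY = [
    Resource("math students", ["read", "write"], "students", "/college-A/departments/math/students"),
    Resource("math courses", ["read", "write"], "courses", "/college-A/departments/math/courses"),
    Resource("math classes", ["read", "write"], "classes", "/college-A/departments/math/classes"),
    Resource("math class", ["read", "write"], "class", "/college-A/departments/math/classes/*"),
    # Same path as the class list, but only when ?format=ical is present: read-only export.
    Resource("math schedule export", ["read"], "export",
             "/college-A/departments/math/classes", {"format": "ical"}),
]

# Assumed mapping from HTTP method to the scope the request needs.
METHOD_SCOPE = {"GET": "read", "HEAD": "read", "POST": "write", "PUT": "write", "DELETE": "write"}


def required_permission(method, url):
    """Return (resource name, scope) the RPT must grant for this request, or None.

    None means the request is not covered by any registered resource, or the
    most specific matching resource does not support the needed scope; the
    resource server should then refuse rather than fall back to a looser match.
    """
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    candidates = [r for r in REGISTRY if r.matches(parts.path, qs)]
    if not candidates:
        return None
    # Most specific description wins: more query constraints, fewer wildcards.
    best = max(candidates, key=lambda r: (len(r.query), -r.path_pattern.count("*")))
    scope = METHOD_SCOPE.get(method.upper())
    if scope is None or scope not in best.resource_scopes:
        return None
    return best.name, scope


if __name__ == "__main__":
    for req in [("GET", "/college-A/departments/math/classes/algebra-1"),
                ("PUT", "/college-A/departments/math/classes?format=ical"),
                ("GET", "/college-A/departments/music/students")]:
        print(req, "->", required_permission(*req))
```

Note the deliberate edge case: a `PUT` to the class list with `?format=ical` resolves to the read-only export resource and is refused, instead of silently falling back to the writable `math classes` resource. Whether that is the right call depends on how you intend query parameters to carve out sub-resources; the point is that the choice has to be made explicitly once paths and query strings both participate in the resource description.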

By Mark Riggins user 06 Jan 2017 at 9:28 a.m. CST

Would we also be able to model the relationships between users? In other words, could the Math department have a group of **instructors**, with the "instructor" role, giving them the ability to view class and course details and write grades? Also we might have "**registrars**" who assign students to classes, etc. Could we delegate authority to Matt (the head of the Math department) to accept new teachers? Can Gluu provide the relationship management we need, or would we need to design our own implementation of an authorization server? I'm still trying to find out if Gluu is a good fit, but if it meets our needs we will be more than willing to purchase a support contract. If Gluu can do this, its value is enormous.

By Michael Schwartz Account Admin 06 Jan 2017 at 10:19 a.m. CST

Can it be done, and should it be done, are two different questions. Normally it's more efficient to locate fine-grained authz policies in the app.

By Mark Riggins user 06 Jan 2017 at 10:59 a.m. CST

Interesting answer. All access control decisions will be enforced within the application. But please understand by "application" I actually mean a coordinated set of applications under a central domain name. So "registration" would be a different application than "course management", or "scheduling". So it would work well for us if our authorization service could grant a token giving the user/session permission to access the appropriate applications and paths within them. Based on the token, our apps could make the appropriate access control decisions.
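As an added example for the architecture sketched in the last post (one token from the authorization service, enforcement inside each of several cooperating applications), the code below shows the application side. It is written for this thread and is not Gluu's code. The token shape follows the UMA 2.0 token introspection response (`active`, `permissions[]` with `resource_id`, `resource_scopes`, `exp`); the application names, resource ids, paths and the constructed token for "Tommy" are assumptions. Each application checks only the resources it registered itself, so a single RPT can carry grants for the whole domain without "registration" having to trust, or even understand, grants meant for "course management".

```python
"""Enforce an introspected UMA RPT inside a set of cooperating applications.

Added example for the Gluu support thread; not Gluu's own code.
Introspection fields follow UMA 2.0 (active, permissions[].resource_id,
resource_scopes, exp); app names, resource ids, paths and the sample
token are constructed for this illustration.
"""
import time

# Each application knows only the resources it registered with the AS.
# resource_id values are returned by the AS at registration; these are made up.
APP_RESOURCES = {
    "course-management": {
        "rs-math-courses": "/college-A/departments/math/courses",
        "rs-math-classes": "/college-A/departments/math/classes",
    },
    "registration": {
        "rs-math-students": "/college-A/departments/math/students",
    },
}

# Assumed mapping from HTTP method to the scope the request needs.
METHOD_SCOPE = {"GET": "read", "HEAD": "read", "POST": "write", "PUT": "write", "DELETE": "write"}


def _covers(prefix, path):
    """True if `path` is the registered path or lives underneath it."""
    return path == prefix or path.startswith(prefix + "/")


def authorize(app, introspection, method, path, now=None):
    """Return True only if the introspected RPT grants `method` on `path`
    for one of `app`'s own resources.

    Grants for resources of another application are ignored, each permission's
    own `exp` is honoured even when the token as a whole is still active, and an
    inactive token never authorizes anything.
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    needed = METHOD_SCOPE.get(method.upper())
    if needed is None:
        return False
    own = APP_RESOURCES.get(app, {})
    for perm in introspection.get("permissions", []):
        prefix = own.get(perm.get("resource_id"))
        if prefix is None:
            continue  # not a resource this application registered
        exp = perm.get("exp")
        if exp is not None and exp <= now:
            continue  # this permission expired, even if the token is active
        if _covers(prefix, path) and needed in perm.get("resource_scopes", []):
            return True
    return False


# Constructed timestamp and introspection result (not real AS output).
NOW = 1_483_689_600  # 2017-01-06T08:00:00Z
TOMMY_RPT = {
    "active": True,
    "permissions": [
        # valid read grant on the course list
        {"resource_id": "rs-math-courses", "resource_scopes": ["read"], "exp": NOW + 3600},
        # read/write grant on classes that has already expired
        {"resource_id": "rs-math-classes", "resource_scopes": ["read", "write"], "exp": NOW - 1},
    ],
}
INACTIVE_RPT = {"active": False, "permissions": TOMMY_RPT["permissions"]}


if __name__ == "__main__":
    checks = [
        ("course-management", "GET", "/college-A/departments/math/courses"),
        ("course-management", "PUT", "/college-A/departments/math/courses"),
        ("course-management", "GET", "/college-A/departments/math/classes/algebra-1"),
        ("registration", "GET", "/college-A/departments/math/students"),
        ("registration", "GET", "/college-A/departments/math/courses"),
    ]
    for app, method, path in checks:
        print(app, method, path, "->", authorize(app, TOMMY_RPT, method, path, NOW))
```

The last check is the one worth noticing: Tommy's token does grant read on the courses resource, but the "registration" application did not register that resource, so it refuses the request. Per-application scoping of the permission list is what keeps one domain-wide token from turning every application into an enforcement point for every other application's data.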