Claims-based Authorization Versus Role-based Authorization


How does this claims-based approach to authorization compare to role-based authorization, which is a fairly common approach to controlling what users can do with software applications? A definition of role-based authorization would be helpful in answering that question.

"Role-based authorization is a mechanism that uses roles to assign users suitable rights for performing system tasks and permissions for accessing resources" (Tulloch 2003, 281). A role is a "symbolic category that collects together users who share the same levels of security privileges" (Tulloch 2003, 281).

Role-based authorization requires first identifying the user, then ascertaining the roles to which the user is assigned, and finally comparing those roles to the roles that are authorized to access a resource. Thus, in the role-based authorization system provided by Microsoft .NET role-based security, for example, the most important element is the principal object, which incorporates a user's identity and any roles to which the user belongs (.NET Framework Class Library 2006; Freeman and Jones 2003, 249).

By contrast, if one recalls what the bartender did in deciding whether to serve a beer to the man requesting one in the previous scenario, it is noteworthy that identifying the man was not important. Certainly, the proffered driver's license could also be used to establish the man's identity, because driver's licenses do typically make claims about the bearer's identity, but those claims were not important to the bartender; the bartender was only interested in the license's claim about the date of birth of the bearer. If the man proceeded to rob the bartender, then no doubt identifying him would become important.

In general, claims-based authorization subsumes role-based authorization. To be precise, role membership is determined by identity, and identity is just one sort of right to the value of a claim: the right to use the value of the claim to identify oneself. A birth date is not a value of a claim that one has the right to use to identify oneself, because many people share the same birth date, whereas a photographic portrait is a value of a claim that one has the right to use to identify oneself. Also, a role is just one type of claim.
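The contrast drawn in this chapter can be made concrete with a small added example (not code from the book or from the Windows Communication Foundation itself). The role-based half uses the .NET principal object described above; the claims-based half uses the WCF claim model in the `System.IdentityModel.Claims` namespace, where every claim carries a *right* (`Rights.Identity` for claims usable to identify the bearer, `Rights.PossessProperty` for mere properties such as a date of birth), which is exactly the distinction the paragraph above makes. The role name `OfAge`, the drinking age of 21, the sample name and dates, and the `MakeLicense` helper are all constructed for the example.

```csharp
using System;
using System.Security.Principal;
using System.IdentityModel.Claims;   // WCF claim model (System.IdentityModel.dll)

// Role-based authorization: the principal object bundles an identity with its roles,
// so the user must be identified before the role lookup can happen.
static class RoleBased
{
    // Role name "OfAge" is a constructed example.
    public static bool MayServeBeer(IPrincipal principal)
    {
        return principal.IsInRole("OfAge");
    }
}

// Claims-based authorization: the bartender consults only the date-of-birth claim
// and never asks who the bearer is.
static class ClaimsBased
{
    // Constructed stand-in for a driver's license: a name claim that may be used to
    // identify the bearer, and a date-of-birth claim that is merely a property.
    public static ClaimSet MakeLicense(string name, DateTime dateOfBirth)
    {
        return new DefaultClaimSet(
            new Claim(ClaimTypes.Name, name, Rights.Identity),
            new Claim(ClaimTypes.DateOfBirth, dateOfBirth, Rights.PossessProperty));
    }

    // Decide purely on the value of the date-of-birth claim; identity claims are ignored.
    public static bool MayServeBeer(ClaimSet license, DateTime today, int drinkingAge)
    {
        foreach (Claim c in license.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
        {
            DateTime dob = (DateTime)c.Resource;
            int age = today.Year - dob.Year;
            if (dob > today.AddYears(-age)) age--;   // birthday not yet reached this year
            return age >= drinkingAge;
        }
        return false;   // no date-of-birth claim presented: refuse
    }
}

class Program
{
    static void Main()
    {
        // Role-based: identity first, then the roles attached to it.
        var identity = new GenericIdentity("alice");
        var principal = new GenericPrincipal(identity, new[] { "OfAge" });
        Console.WriteLine("Role-based: " + RoleBased.MayServeBeer(principal));

        // Claims-based: the same person, but only the birth date matters.
        ClaimSet license = ClaimsBased.MakeLicense("alice", new DateTime(1980, 5, 1));
        Console.WriteLine("Claims-based: " +
            ClaimsBased.MayServeBeer(license, new DateTime(2006, 6, 1), 21));

        // A license with no date-of-birth claim is refused rather than guessed at.
        ClaimSet nameOnly = new DefaultClaimSet(new Claim(ClaimTypes.Name, "bob", Rights.Identity));
        Console.WriteLine("Claims-based, no birth date: " +
            ClaimsBased.MayServeBeer(nameOnly, new DateTime(2006, 6, 1), 21));
    }
}
```

The point of the claims-based branch is that `FindClaims` is filtered on `Rights.PossessProperty`: the decision is made on a property of the bearer, and the `Rights.Identity` claim in the same set is never read. A role could be expressed in the same model as one more claim, which is why the chapter says claims-based authorization subsumes the role-based kind.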


Microsoft Windows Communication Foundation: Hands-on
ISBN: 0672328771
Year: 2006