Entitlement (Dictionary Entry)

Draft

Entitlement

Definitions

Definition 1

An identity attribute that informs reference monitors that some access rights on some resources may be legitimately granted to the identity after authentication as part of the authorization process.

Quotes

authorization A process by which users, having completed an *authentication stage, gain or are denied access to particular resources based on their entitlement.

Entitlement

Entitlement refers to the set of attributes that specify the access rights and privileges of an authenticated security principal. Lack of interoperable representation of this information poses a challenge as the information needs to be exchanged among different cloud-based service providers. In the absence of an interoperable format, expensive and customized syntactic translation components are needed. The semantic aspect still remains to be tackled.

While some applications like Salesforce have built-in control for entitlement and authorization control for multiple attributes, others require the help of OAuth or similar such technologies [3].

IdM requires management of uniquely identified entities, their attributes, credentials, and entitlements.

(, p. 161)

The web server continually asks Kathy’s web browser to prove she has been authenticated, which the browser does by providing the cookie information. (The cookie information could include her password, account number, security level, browsing habits, and/or personalization information.) As long as Kathy is authenticated, the web server software will keep track of each of her requests, log her events, and make changes that she requests that can take place in her security context. Security context is the authorization level she is assigned based on her permissions, entitlements, and access rights. Once Kathy ends the session, the cookie is usually erased from the web browser’s memory and the web server no longer keeps this connection open or collects session state information on this user.

(, p. 168)

Digital Identity

An interesting little fact that not many people are aware of is that a digital identity is made up of attributes, entitlements, and traits. Many of us just think of identity as a user ID that is mapped to an individual. The truth is that it is usually more complicated than that.

A user’s identity can be a collection of her attributes (department, role in company, shift time, clearance, and others), her entitlements (resources available to her, authoritative rights in the company, and so on), and her traits (biometric information, height, sex, and so forth).

So if a user requests access to a database that contains sensitive employee information, the IdM solution would need to pull together the necessary identity information and her supplied credentials before she is authorized access. If the user is a senior manager (attribute), with a Secret clearance (attribute), and has access to the database (entitlement)—she is granted the permissions Read and Write to certain records in the database Monday through Friday, 8 A.M. to 5 P.M. (attribute).

Another example is if a soldier requests to be assigned an M-16 firearm. She must be in the 34th division (attribute), have a Top Secret clearance (attribute), her supervisor must have approved this (entitlement), and her physical features (traits) must match the ID card she presents to the firearm depot clerk.

The directory (or meta-directory) of the IdM system has all of this identity information centralized, which is why it is so important.

Many people think that just logging in to a domain controller or a network access server is all that is involved in identity management. But if you peek under the covers, you can find an array of complex processes and technologies working together.

The CISSP exam is not currently getting into this level of detail (entitlement, attribute, traits) pertaining to IdM, but in the real world there are many facets to identification, authentication, authorization, and auditing that make it a complex beast.

(, p. 175)
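As an added illustration (not from any of the quoted sources), a small reference monitor in Python that evaluates the database example above: the entitlement only makes a grant possible, the attributes and the time window decide which rights are actually issued, and any missing precondition is a deny. The Identity class, the POLICY table, the resource name hr_db and the sample identity KATHY are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Identity:
    """Digital identity as the quoted text describes it: attributes, entitlements, traits."""
    user_id: str
    authenticated: bool          # True only after the authentication stage succeeded
    attributes: dict             # e.g. role, clearance
    entitlements: set            # resources that MAY be granted to this identity
    traits: dict = field(default_factory=dict)

# Constructed policy for this example (not from any real product). The entitlement names
# the resource; attribute and time conditions narrow when the rights actually apply.
# "8 A.M. to 5 P.M." is read as the half-open window 08:00 <= t < 17:00 (an assumption).
POLICY = {
    "hr_db": {
        "rights": {"read", "write"},
        "required_attributes": {"role": "senior manager", "clearance": "Secret"},
        "weekdays": range(0, 5),   # Monday (0) .. Friday (4)
        "hours": (8, 17),
    },
}

def authorize(identity: Identity, resource: str, now: datetime) -> set:
    """Reference monitor: rights granted on `resource`, or an empty set (default deny)."""
    if not identity.authenticated:                     # no authorization before authentication
        return set()
    rule = POLICY.get(resource)
    if rule is None or resource not in identity.entitlements:
        return set()                                   # without the entitlement no grant is possible
    for name, wanted in rule["required_attributes"].items():
        if identity.attributes.get(name) != wanted:    # attributes decide what the entitlement yields
            return set()
    start, end = rule["hours"]
    if now.weekday() not in rule["weekdays"] or not (start <= now.hour < end):
        return set()
    return set(rule["rights"])

def authorize_at(identity: Identity, resource: str, when: str) -> set:
    """Same decision from an ISO-8601 timestamp such as '2024-03-05T10:00'."""
    return authorize(identity, resource, datetime.fromisoformat(when))

# Constructed sample identity matching the quoted database example.
KATHY = Identity("kathy", True, {"role": "senior manager", "clearance": "Secret"},
                 {"hr_db"}, {"height_cm": 170})

if __name__ == "__main__":
    print(authorize_at(KATHY, "hr_db", "2024-03-05T10:00"))   # Tuesday 10:00 -> {'read', 'write'}
    print(authorize_at(KATHY, "hr_db", "2024-03-09T10:00"))   # Saturday -> set()
```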

Bibliography

See Also


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.