Modelling and evaluating complex user entitlements in directory services using JSON and REST
2019-11-06, 11:35–12:20, Main Conference Room
.ical
Internet-scale consumer services and large corporations have a similar problem: once a user is authenticated, what should they have access to? Major security incidents and data breaches have shown that authorisation problems can have a catastrophic impact on organisations. Group memberships no longer provide the granularity or data model required by these complex scenarios, so many organisations are forced to model entitlements in non-LDAP services. This presentation will show that with the introduction of JSON attributes and RESTful interfaces, LDAP directories can provide the capabilities required for complex entitlement modelling and evaluation.
LDAP Directory services are regularly used for authentication and user profile data. Traditionally, complex user entitlements, beyond that which can be modelled using group memberships, has been stored in relational databases and more recently, NoSQL data stores.
This creates a disjointed architecture, where data that must be accessed at runtime for authorisation decisions is split across different services, leading to data management issues and performance problems. This is true in both consumer and corporate environments.
This presentation will detail a method for centralising as much entitlement data as possible in an LDAP directory service, modelling complex entitlements using JSON attributes. Evaluation of entitlements via REST APIs will also be discussed, in the context of OAuth-based authorisation scenarios.
Both employee and consumer use cases will be discussed.