Tailoring Coarse-Grained Access Control
As we have seen, CAS can retrieve user attributes from the IAM database
right after the very first authentication in an SSO session and store them in
the Ticket Registry along with the Ticket-Granting Ticket. This is a
performance optimisation: CAS then doesn't have to go back to the
IAM database to retrieve the attributes every time a new application is accessed
during that SSO session. The Ticket Registry is accessed for ticket
validation in any case, so an extra database access is thereby avoided.
You may find, though, that a generic set of user attributes is not good enough
to enforce application-specific access control. Even if IAM restricts itself to
coarse-grained access control, we may implement it through a mapping from
the user to an application role such as “Application X User”. We may also
need to pass other attributes that are specific to each application, such as
local user IDs on associated systems that the application in question may
have to access.
At the cost of a slight performance penalty, we can extend CAS's default
functionality to make an extra database retrieval once ticket validation is
over, and add an application-specific set of attributes to the generic ones
that are stored with the TGT.
Fig 32: Coarse-grained access control
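The two retrieval paths described above, as an added example that is not CAS's own code: a minimal Python model of a Ticket Registry in which the generic attributes are fetched from a stand-in IAM store once, at first authentication, and cached with the TGT, while the optional application-specific lookup (role mapping and local user ID, keyed by user and service) runs only when a service ticket is validated. The user records, service URLs and attribute names are constructed for the example; the `iam_queries` counter exists only to make the cost of each path visible.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the IAM database: generic attributes per user.
IAM_USERS = {
    "alice": {"displayName": "Alice Example", "department": "Finance"},
}

# Constructed application-specific attributes, keyed by (user, service URL).
# A user with no entry for a service has no role there.
IAM_APP_ATTRIBUTES = {
    ("alice", "https://appx.example.org/"): {
        "role": "Application X User",
        "localUserId": "FIN-0042",
    },
}


@dataclass
class TicketRegistry:
    # TGT id -> (username, generic attributes cached at first authentication)
    tgts: dict = field(default_factory=dict)
    # service ticket id -> (TGT id, service the ticket was issued for)
    service_tickets: dict = field(default_factory=dict)
    # number of round trips to the IAM store, for illustration only
    iam_queries: int = 0


def authenticate(registry: TicketRegistry, username: str) -> str:
    """First authentication of an SSO session: one IAM query, cached with the TGT."""
    registry.iam_queries += 1
    attrs = dict(IAM_USERS[username])
    tgt = "TGT-" + secrets.token_urlsafe(16)
    registry.tgts[tgt] = (username, attrs)
    return tgt


def grant_service_ticket(registry: TicketRegistry, tgt: str, service: str) -> str:
    """Issue a single-use service ticket bound to one service URL."""
    if tgt not in registry.tgts:
        raise PermissionError("unknown or expired TGT")
    st = "ST-" + secrets.token_urlsafe(16)
    registry.service_tickets[st] = (tgt, service)
    return st


def validate(registry: TicketRegistry, st: str, service: str,
             app_specific: bool = False) -> tuple:
    """Validate a service ticket and return (username, attributes).

    The generic attributes come from the registry without touching IAM.
    With app_specific=True the extra, per-application retrieval from IAM
    is added on top, at the cost of one more query per validation.
    """
    entry = registry.service_tickets.pop(st, None)   # single use
    if entry is None or entry[1] != service:         # must match the issuing service
        raise PermissionError("invalid service ticket")
    tgt, _ = entry
    username, generic = registry.tgts[tgt]
    attrs = dict(generic)
    if app_specific:
        registry.iam_queries += 1
        attrs.update(IAM_APP_ATTRIBUTES.get((username, service), {}))
    return username, attrs


def has_role(attrs: dict, role: str) -> bool:
    """Coarse-grained check an application would make on the returned attributes."""
    return attrs.get("role") == role


def validation_fails(registry: TicketRegistry, st: str, service: str) -> bool:
    """True when validation is refused (reused or mis-targeted ticket)."""
    try:
        validate(registry, st, service)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    reg = TicketRegistry()
    tgt = authenticate(reg, "alice")
    st = grant_service_ticket(reg, tgt, "https://appx.example.org/")
    print(validate(reg, st, "https://appx.example.org/", app_specific=True))
    print("IAM queries so far:", reg.iam_queries)
```

Accessing several applications with the default path leaves the query count at one for the whole session, whereas each validation with the application-specific lookup adds one more; that is the "slight performance penalty" the text mentions, paid only for applications whose access control needs the extra attributes.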