• Enabling the customer to choose the identity provider that is most appropriate for a specific collaboration, instead of being locked into whatever a middleware vendor has built into their SOA platform, or starting expensive product integration projects that deliver identity provisioning and federation, at a very high cost, for the specific application at hand.
The second capability is an Authorization Service (SOI-AuthZ-PDP) which supports distributed access control. It is a policy-based, rule-based access control service which implements XACML, the eXtensible Access Control Markup Language (an OASIS standard that defines an access control language for expressing rich access control rules). It allows delegated administrative authority to be distributed across the value chain: administrative authority can be shared among multiple partners (e.g. providers of applications, of application hosting, of identity services, etc.), and constraints can be managed on the scope within which each administrative authority may operate.
The delegated access control mechanism explored in this experiment allows fine-grained control over the delegation of administrative authority. In particular, management and access policies can be signed on behalf of different administrators and evaluated at run time against delegation constraints that discount parts of the policies and resolve conflicts in accordance with the identity and role of each administrator. This allows, for example, the VHE operator to profile or constrain the policies that an Application Service Provider (ASP) administrator can define, and their period of validity. The ASP administrator can then define whatever access policies fit their application best, including policies that allow a collaboration manager to fine-tune certain aspects of access for a limited period of time. For example, the VHE operator may have constrained that the ASP cannot deny access to information about the services it provides to another legitimate customer of the VHE. The VHE operator may also have constrained that an ASP can only define policies about services offered in those collaborations it can join according to its subscription to the VHE. The ASP will then have full control of access to the applications it offers in collaborations that it is allowed to join, but will not be able to hide information about the services it offers within the VHE. In addition to access policies about the services it offers in those collaborations, it may also define a constraint that allows the collaboration manager to fine-tune access to resources during a promotion period. The collaboration manager could therefore override a policy denying “bronze” members access to a “limited-edition” game, but only during the promotion period.
This capability offers an essential service for managing the distribution of administration tasks across the value chain while assuring accountability and non-repudiation of administrative actions during the operation of a distributed infrastructure.
Thirdly, the secure messaging gateway (SOI-SMG) is a network- or perimeter-hosted policy enforcement point that can itself be configured through an extensible policy language. It brings together selected functionalities from XML firewalls, application gateways, content inspection and transformation engines, light-weight enterprise service / event bus, and network resource management. It can securely