Authorization determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
The I2A2 Authorization DBM
A dedicated data base manager (DBM) of the I2A2 system supports the checking of characteristics. Its abbreviation is authz. It is commonly called the "authorizer".
A characteristic has a name and a number associated with it. Both may be found in the characteristics page. The characteristic number is most often used when checking to see if a PUID has a characteristic associated with it.
The authorizer design expects that characteristic checking will be done with Boolean expressions, applied to the characteristics assigned to a specific PUID. The terms of the Boolean expression are usually characteristic numbers, combined with logical operators. The result of the check is a Boolean value: 1 if the expression evaluates to a true result; 0, to a false result.
Under carefully controlled conditions the authorizer will supply a list of the characteristic numbers assigned to an individual PUID. See Characteristics Lists for more information.
Characteristic Names and Macros
While the usual way to represent characteristics in a Boolean expression is by number, characteristics may also be represented by their names or in combinations called macros.
A macro is usually a shorthand representation of a more complex Boolean expression. The shorthand makes the expression easier to remember and easier to use. For example, the macro that allows use of the Purdue Air Link (PAL) wireless system is named PAL and currently expands to a list of six alternative characteristic numbers that permit PAL access, i.e., the six numbers are connected by Boolean or ('|') operators. The PAL macro combines the appropriate characteristics in a correct Boolean expression and makes their testing easy to express.
Currently defined macros may be viewed on the characteristics page. Macro definitions can only be made by I2A2 administrators. Contact them to discuss the possibility of assigning a macro to a characteristic expression.
Characteristic names are less commonly used in Boolean expressions, because they are long, hard to type, and may contain special characters. If they are used, they should be cited exactly as they appear on the characteristics page and surrounded with double quote ('"') marks.
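The following is an added example, not code from the I2A2 documentation or from the authorizer itself. It implements, in Python, the kind of Boolean check described above: an expression over characteristic numbers, double-quoted characteristic names and macros is evaluated against the set of characteristic numbers assigned to one PUID and yields 1 or 0. The characteristic numbers, names and macro definitions are constructed placeholders (the real ones are on the characteristics page), and the operators '&' (and), '!' (not) and parentheses are assumptions; the page itself only shows '|' (or).

```python
import re

# Constructed sample tables.  The real characteristic numbers, names and
# macro definitions are on the I2A2 characteristics page; these are
# placeholders for the example.
CHARACTERISTICS = {
    101: "Purdue Student",
    102: "Purdue Staff",
    103: "Purdue Faculty",
    104: "Regional Campus Student",
    105: "Continuing Education Student",
    106: "Wireless Guest",
    200: "Library Patron",
}
NAME_TO_NUMBER = {name: number for number, name in CHARACTERISTICS.items()}

# A macro stands for a longer Boolean expression.  PAL follows the page's
# description (six alternatives joined by '|'); the numbers are constructed.
MACROS = {
    "PAL": "101 | 102 | 103 | 104 | 105 | 106",
    "EMPLOYEE": "102 | 103",
}

# Tokens: numbers, double-quoted names, macro identifiers and operators.
# '&', '!' and parentheses are an assumption; the page only shows '|'.
# The final '.' alternative catches any other character as an error.
_TOKEN = re.compile(r'\d+|"[^"]*"|[A-Za-z_][A-Za-z0-9_]*|[&|!()]|\s+|.')


class ExpressionError(ValueError):
    """Malformed expression, or an unknown characteristic name or macro."""


def tokenize(expr):
    tokens = []
    for tok in _TOKEN.findall(expr):
        if tok.isspace():
            continue
        quoted = len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"'
        if tok.isdigit() or tok.isidentifier() or quoted \
                or tok in ("&", "|", "!", "(", ")"):
            tokens.append(tok)
        else:
            raise ExpressionError("unexpected character %r" % tok)
    return tokens


class Authorizer:
    """Evaluates characteristic expressions against one PUID's characteristics."""

    def __init__(self, assigned, names=NAME_TO_NUMBER, macros=MACROS):
        self.assigned = set(assigned)   # characteristic numbers for the PUID
        self.names = names
        self.macros = macros

    def check(self, expr):
        """Return 1 if expr holds for the PUID's characteristics, else 0."""
        return 1 if self._evaluate(expr, ()) else 0

    def _evaluate(self, expr, expanding):
        return _Parser(tokenize(expr), self, expanding).parse()


class _Parser:
    # Assumed grammar:  expr := term ('|' term)*   term := factor ('&' factor)*
    #                   factor := '!' factor | '(' expr ')' | NUMBER | "NAME" | MACRO
    def __init__(self, tokens, authz, expanding):
        self.toks, self.i, self.authz = tokens, 0, authz
        self.expanding = expanding   # macros currently being expanded (cycle guard)

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        value = self._expr()
        if self._peek() is not None:
            raise ExpressionError("trailing input at %r" % self._peek())
        return value

    def _expr(self):
        value = self._term()
        while self._peek() == "|":
            self._take()
            rhs = self._term()      # always parse the right side, even if value is True
            value = value or rhs
        return value

    def _term(self):
        value = self._factor()
        while self._peek() == "&":
            self._take()
            rhs = self._factor()
            value = value and rhs
        return value

    def _factor(self):
        tok = self._take()
        if tok is None:
            raise ExpressionError("unexpected end of expression")
        if tok == "!":
            return not self._factor()
        if tok == "(":
            value = self._expr()
            if self._take() != ")":
                raise ExpressionError("missing ')'")
            return value
        if tok.isdigit():
            return int(tok) in self.authz.assigned
        if tok[0] == '"':                       # quoted name -> number -> membership
            name = tok[1:-1]
            if name not in self.authz.names:
                raise ExpressionError("unknown characteristic name %r" % name)
            return self.authz.names[name] in self.authz.assigned
        if tok in self.authz.macros:            # macro -> expand its expression
            if tok in self.expanding:
                raise ExpressionError("macro %s refers to itself" % tok)
            return self.authz._evaluate(self.authz.macros[tok], self.expanding + (tok,))
        raise ExpressionError("unexpected token %r" % tok)


if __name__ == "__main__":
    # Constructed: the characteristic numbers held for one PUID.
    puid = Authorizer({101, 200})
    for e in ("101", "PAL", "102 & 200", '"Library Patron" & !102'):
        print("%-28s -> %d" % (e, puid.check(e)))
```

Unknown names, unknown identifiers, unbalanced parentheses and self-referencing macros all raise rather than silently evaluating to 0, which is the behaviour a caller should insist on: an expression that fails to parse is a configuration error, not a denied check.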
The currently defined characteristics are listed on a page that can be viewed. That page also explains how to download a flat file of the current characteristics assignments.
Generally characteristics are derived from official University data, but I2A2 has provisions for defining new characteristics and associating them with specific PUIDs.
When the calling web server or application client program authenticates a PUID by supplying its correct authentication credentials, it may obtain a list of the characteristic numbers associated with the PUID. That allows the web server or application to provision future operations for the PUID based on its specific characteristics, once the owner of the PUID has given the web server or application implicit permission to do that by surrendering the PUID's authentication credentials.
Web servers and applications may obtain a characteristics list after a successful LDAP bind request has been completed (with an LDAP search request) or after a successful authentication function has been issued to the authorizer (with the authorizer's list characteristics function). While authenticating to the authorizer is a slight departure from I2A2 DBM philosophy, it is necessary in order for the authorizer to know that authentication has been performed.
To determine the value of a characteristics Boolean expression for a specific PUID, these steps are required:
- Connect to the authorizer.
- Make a lookup request containing the Boolean expression.
- Parse the authorizer's reply for errors and information.
To obtain a characteristics list for a specific PUID, these steps are required:
- Connect to the authorizer.
- Authenticate the PUID via the authorizer.
- Request the characteristics list of the authenticated PUID.
Making a lookup request to the authorizer and handling the authorizer's response are details of the I2A2 external protocol. Obtaining characteristics lists is described in the LDAP Interface to I2A2 and under the authorizer list characteristics function.