Authorization
Authorization determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
The I2A2 Authorization DBM
A dedicated data base manager (DBM) of the I2A2 system supports the checking of characteristics. Its abbreviation
is authz. It is commonly called the "authorizer".
A characteristic has a name and a number associated with it. Both may be found in the
characteristics page. The characteristic number is most often
used when checking to see if a PUID has a characteristic associated with it.
The authorizer design expects that characteristic checking will be done with
Boolean expressions,
applied to the characteristics assigned to a specific PUID. The terms of the Boolean expression are usually characteristic
numbers, combined with logical operators. The result of the check is a Boolean value: 1 if the expression evaluates to a
true result; 0, to a false result.
Under carefully controlled conditions the authorizer will supply a list of the characteristic numbers assigned to an
individual PUID. See Characteristics Lists for more information.
Characteristic Names and Macros
While the usual way to represent characteristics in a Boolean expression is by number, characteristics may also be represented
by their names or in combinations called macros.
A macro is usually a shorthand representation of a more complex Boolean expression. The shorthand representation makes
the expression easier to remember and easier to use. For example, the macro for the authorization characteristics that allow use of the
Purdue Air Link (PAL) wireless system is named PAL and currently contains a list of six alternate characteristic numbers
that permit PAL access; that is, the six numbers are connected by Boolean or ('|') operators. The PAL macro combines the
appropriate characteristics in a correct Boolean expression and makes their testing easy to express.
Currently defined macros may be viewed on the characteristics
page. Macro definitions can only be made by I2A2 administrators. Contact them
to discuss the possibility of assigning a macro to a characteristic expression.
Characteristic names are less commonly used in Boolean expressions, because they are long, hard to type and may contain
special characters. If they are used, they must be cited exactly as they appear on the
characteristics page and must be surrounded with double quote ('"') marks.
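To make the expression rules above concrete, here is an added example (not code from I2A2 or Purdue) of a small evaluator for characteristic Boolean expressions: characteristic numbers, double-quoted names and macro names as operands, '|' for or and, as assumptions this page does not state, '&' for and, '!' for not and parentheses for grouping. The characteristic numbers, the names and the body of the PAL macro are constructed sample data, and the evaluator rejects malformed or trailing input rather than silently returning 0 or 1.

```python
import re
# Constructed sample data (not Purdue's real numbers, names or macro definitions).
CHARACTERISTIC_NAMES = {"Student": 2, "Staff": 3, "Wireless Guest": 7}
MACROS = {"PAL": "(2 | 3 | 7 | 11 | 12 | 13)"}  # stand-in for the real six-way PAL macro
_TOKEN = r'\s*(?:(\d+)|"([^"]*)"|([A-Za-z_]\w*)|([|&!()]))'  # number, "name", macro, op

def tokenize(expr):
    """Split an expression into (kind, value) tokens; anything else is an error."""
    if not re.fullmatch(f"(?:{_TOKEN})*\\s*", expr):
        raise ValueError(f"malformed expression: {expr!r}")
    return [("num", int(n)) if n else ("name", s) if s else ("macro", m) if m else ("op", o)
            for n, s, m, o in re.findall(_TOKEN, expr)]

def evaluate(expr, puid_chars, depth=0):
    """Return 1 if expr holds for the PUID's set of characteristic numbers, else 0."""
    if depth > 8:  # a macro that names itself, directly or not, would recurse forever
        raise ValueError("macro expansion too deep")
    tokens, pos = tokenize(expr) + [("end", "")], 0  # sentinel marks end of input
    peek = lambda: tokens[pos]
    def factor():  # NUMBER | "name" | MACRO | '!' factor | '(' or_expr ')'
        nonlocal pos
        kind, val = peek()
        pos += 1
        if kind in ("num", "name"):  # a quoted name must match the characteristics page
            return (val if kind == "num" else CHARACTERISTIC_NAMES[val]) in puid_chars
        if kind == "macro":  # a macro is evaluated as its own expression
            return evaluate(MACROS[val], puid_chars, depth + 1) == 1
        if val == "!":
            return not factor()
        if val == "(":
            inner = or_expr()
            if peek() != ("op", ")"):
                raise ValueError("missing ')'")
            pos += 1
            return inner
        raise ValueError(f"unexpected token {val!r}")
    def binary(op, operand, combine):  # operand (op operand)*; every operand consumed
        nonlocal pos
        result = operand()
        while peek() == ("op", op):
            pos += 1
            result = combine(operand(), result)
        return result
    and_expr = lambda: binary("&", factor, lambda a, b: a and b)  # '&' binds tighter
    or_expr = lambda: binary("|", and_expr, lambda a, b: a or b)
    result = or_expr()
    if peek() != ("end", ""):
        raise ValueError("unexpected trailing input")
    return 1 if result else 0
```

An unknown quoted name or macro name raises KeyError, so a typo in an expression fails loudly instead of being treated as "not assigned".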
Current Characteristics
The currently defined characteristics are available on a
page that can be viewed. That page explains how to download a flat file of the current characteristics assignment.
Generally characteristics are derived from official University data, but I2A2 has provisions for defining
new characteristics and associating them with specific PUIDs.
Characteristics Lists
When the calling web server or application client program authenticates a PUID by supplying its correct authentication
credentials, it may obtain a list of the characteristic numbers associated with the PUID. That allows the web server or
application to provision future operations for the PUID based on its specific characteristics, once the owner of the PUID
has given the web server or application implicit permission to do that by surrendering the PUID's authentication credentials.
Web servers and applications may obtain a characteristics list after a successful
LDAP bind request has been completed (with an
LDAP search request) or after a successful authentication
function has been issued to the authorizer (with an authorizer
list characteristics function). While authenticating
to the authorizer is a slight departure from I2A2 DBM philosophy, it is necessary in order for the authorizer
to know that authentication has been performed.
How To
To determine the value of a characteristics Boolean expression for a specific PUID, these steps are required:
- Connect to the authorizer.
- Make a lookup request containing the Boolean expression.
- Parse the authorizer's reply for errors and information.
To obtain a characteristics list for a specific PUID, these steps are required:
- Connect to the authorizer.
- Authenticate the PUID via the authorizer.
- Request the characteristics list of the authenticated PUID.
Details
Making a lookup request to the authorizer and handling the authorizer's response are details of the I2A2 external protocol. Obtaining characteristics lists is described in the LDAP Interface to I2A2 and the authorizer list characteristics function.