The following is a list of terms used in the context of authorization rules. Some are industry standard and some have been adapted for use by ENC.
A security principal is an authenticated object, always a computer in ENC, that has proved its identity to the Gateway servers. The object is always referenced by its Uniform Resource Identifier (URI), and it is the entity that requests access to a secured object or operation. In ENC a security principal is primarily an individual computer, but a rule can also reference principals through a realm (group) of computers, or through a sub-group of computers selected by pattern matching against the URI.
The secured object is the target of an access request or operation. The secured object is always a computer named by URI, but an access rule can apply to a single computer, a pattern-matched set of computers, or a complete realm.
A realm is a logical grouping of computers that the authorization component uses to apply rules to a set of computers at once. In an outsourced scenario, a realm usually represents the computers of an organization or organizational unit. Security principals are mapped into a realm either by an exact match of the URI or by pattern matches against the URI.
ENC can use pattern matching to determine realm membership. The matching is performed with regular expressions, so a realm pattern should be anchored (for example with ^ and $) to the exact URI form you intend; an unanchored pattern matches anywhere in the URI and can place an unintended computer in the realm.
ENC uses Perl Compatible Regular Expressions (PCRE, see http://www.pcre.org/) for the pattern matching functionality. For the full syntax of PCRE, see http://perldoc.perl.org/perlre.html.
A TACE is a rule that defines whether a security principal can perform a given operation (or operations) against a secured object at a certain time. Some rules deny access, others allow it. Deny-type TACEs take precedence over Allow-type TACEs, and any operation that matches no rule at all is implicitly denied.
Important! The active time of an access control entry is always the local time of the target of the operation. If an agent connects to another agent in a different time zone, the ENC Gateway Manager node validates the time range in the context of the target agent, not the requesting agent.
A TACL is a list of TACE rules.
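The following is an added example, not code from CA or from ENC, that shows how the rules above combine: realm membership by anchored pattern, a TACL evaluated with Deny over Allow and default Deny, and the time window checked against the target's local clock. The rule fields, the `realm:` and `re:` selector prefixes, the realm names and the URIs are illustrative assumptions; Python's `re` module stands in for PCRE.

```python
"""Minimal ENC-style TACL evaluator (added example, not CA's code).

Assumptions (not taken from the ENC documentation): a TACE carries an
effect, a principal selector, a target selector, a set of operation names
and a daily time window; selectors are an exact URI, "realm:<name>" or
"re:<pattern>". Python's re module is used in place of PCRE.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed sample realms. Each entry is an anchored pattern; an exact
# URI is expressed as an escaped, anchored literal so it cannot match more.
REALMS = {
    "acme-corp": [r"^enc://acme\.example/.*$"],
    "acme-finance": [r"^enc://acme\.example/fin-[0-9]{3}$",
                     "^" + re.escape("enc://acme.example/cfo-laptop") + "$"],
}


def realms_of(uri):
    """Return the names of every realm whose patterns match this URI."""
    return {name for name, pats in REALMS.items()
            if any(re.search(p, uri) for p in pats)}


@dataclass(frozen=True)
class TACE:
    effect: str        # "allow" or "deny"
    principal: str     # exact URI, "realm:<name>" or "re:<pattern>"
    target: str        # same selector forms as principal
    ops: frozenset     # operation names this rule covers
    start: time        # daily window, in the TARGET's local time
    end: time


def _matches(selector, uri):
    """Apply one selector to a URI (exact match, realm membership or regex)."""
    if selector.startswith("realm:"):
        return selector[len("realm:"):] in realms_of(uri)
    if selector.startswith("re:"):
        return re.search(selector[len("re:"):], uri) is not None
    return selector == uri


def _in_window(rule, local_time):
    """True when local_time falls inside the rule's window (may wrap midnight)."""
    if rule.start <= rule.end:
        return rule.start <= local_time <= rule.end
    return local_time >= rule.start or local_time <= rule.end


def evaluate(tacl, principal, target, op, now_utc, target_tz):
    """Decide one request: Deny beats Allow, and no matching rule means Deny.

    The window is checked against the clock of the target, which is how the
    text describes the Gateway Manager validating the time range.
    """
    local = now_utc.astimezone(target_tz).time()
    matched = [r for r in tacl
               if op in r.ops
               and _matches(r.principal, principal)
               and _matches(r.target, target)
               and _in_window(r, local)]
    if any(r.effect == "deny" for r in matched):
        return "deny"
    if any(r.effect == "allow" for r in matched):
        return "allow"
    return "deny"          # implicit deny when nothing matched


# Constructed sample TACL: corporate machines may connect to each other during
# business hours; contractor machines may never connect to finance machines.
TACL = [
    TACE("allow", "realm:acme-corp", "realm:acme-corp",
         frozenset({"connect"}), time(8, 0), time(18, 0)),
    TACE("deny", r"re:^enc://acme\.example/contractor-.*$", "realm:acme-finance",
         frozenset({"connect"}), time(0, 0), time(23, 59, 59)),
]

WS = "enc://acme.example/ws-001"
CONTRACTOR = "enc://acme.example/contractor-7"
FIN = "enc://acme.example/fin-010"
NOON_UTC = datetime(2014, 6, 2, 14, 0, tzinfo=timezone.utc)


def demo():
    """Run the four cases a practitioner would check first."""
    return {
        # 14:00 UTC is 15:00 at a UTC+1 target: inside the allow window.
        "ws_to_fin_in_hours": evaluate(TACL, WS, FIN, "connect", NOON_UTC,
                                       timezone(timedelta(hours=1))),
        # Same instant, but the target sits at UTC+9 (23:00 local): no allow
        # rule matches, so the implicit deny applies.
        "ws_to_fin_after_hours": evaluate(TACL, WS, FIN, "connect", NOON_UTC,
                                          timezone(timedelta(hours=9))),
        # Contractor matches the allow rule AND the deny rule: deny wins.
        "contractor_to_fin": evaluate(TACL, CONTRACTOR, FIN, "connect", NOON_UTC,
                                      timezone(timedelta(hours=1))),
        # No rule mentions "shutdown" at all: implicit deny.
        "unlisted_op": evaluate(TACL, WS, FIN, "shutdown", NOON_UTC,
                                timezone(timedelta(hours=1))),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The `ws_to_fin_after_hours` case is the one to reason through when debugging a surprising Deny: the requester's clock is irrelevant, and converting the request time to the target's zone is what decides whether an Allow rule is active.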
This term refers to the ENC nodes that provide the ENC virtual network infrastructure, including the Manager, Server and Router nodes, but not the ENC agents themselves.
A URI is a string used to name or identify a resource. ENC uses a URI to represent every authenticated object.
Copyright © 2014 CA Technologies.
All rights reserved.