****WORKING DOCUMENT****
5.3 Identity Management - Data Access Authorization Policy Management in the Cloud
Actors: cloud-subscriber, cloud-subscriber-user, cloud-subscriber-administrator, cloud-provider, identity-provider (optional)
Goals: A cloud-subscriber-administrator should be able to manage (add/delete/change) data access authorization policies for data stored in the cloud. Note: this capability is essential to fulfilling the use case Sharing of Access to Data in a Cloud.
Assumptions: The cloud-subscriber-user account has already been provisioned in the cloud (see use case Identity Management – User Account Provisioning). The cloud-provider has data access authorization mechanisms in place that enforce the authorization policies managed by the cloud-subscriber-administrator.
Success Scenario (IaaS, PaaS):
Steps:
1. The cloud-subscriber-administrator authenticates and logs on to the cloud-provider's data access authorization policy tool (such as a command line tool that manages access to file system data objects in the cloud, or a Web interface that manages authorization policies for data in a database).
2. The cloud-subscriber-administrator executes commands or performs actions that create or change data access policies, e.g., changing the ACL of a file system object.
3. Optionally, the cloud-subscriber-administrator uploads prepared access authorization policies (for example, encoded in XACML) to the cloud-provider's bulk policy management interface.
4. Immediately following the update, the affected cloud-subscriber-user is granted or denied access to a data object according to the new policy.
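The administrator actions in the steps above, as an added illustration that is not part of this use case document or of any cloud-provider's tool: a small in-memory policy store in Python with add, change and delete operations, a bulk load, and an access decision that reflects each update immediately. The object path, principal and group names, and the JSON bulk format (used here as a stand-in for an XACML upload) are constructed for the example; default deny, deny-overrides, and all-or-nothing installation of a bulk document are design choices of the example, not requirements stated by the use case.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    """One ACL entry on a data object (example model, not a provider's format)."""
    principal: str            # cloud-subscriber-user or group name
    actions: frozenset        # actions the rule covers, e.g. {"read", "write"}
    effect: str               # "allow" or "deny"

    def __post_init__(self) -> None:
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"bad effect: {self.effect!r}")


class PolicyStore:
    """In-memory stand-in for the cloud-provider's policy store."""

    def __init__(self) -> None:
        self._acls: Dict[str, List[Rule]] = {}

    def add_rule(self, obj: str, rule: Rule) -> None:
        self._acls.setdefault(obj, []).append(rule)

    def delete_rules(self, obj: str, principal: str) -> int:
        """Remove every rule for `principal` on `obj`; returns how many were removed."""
        rules = self._acls.get(obj, [])
        kept = [r for r in rules if r.principal != principal]
        self._acls[obj] = kept
        return len(rules) - len(kept)

    def change_rule(self, obj: str, principal: str, actions: Iterable[str], effect: str) -> None:
        """Replace every rule for `principal` on `obj` with a single new rule."""
        self.delete_rules(obj, principal)
        self.add_rule(obj, Rule(principal, frozenset(actions), effect))

    def load_bulk(self, document: str) -> None:
        """Replace the whole store from a JSON policy document (stand-in for a
        bulk XACML upload). The new table is built completely before it is
        installed, so a malformed document leaves the old policy in force
        instead of a half-applied one."""
        parsed = json.loads(document)
        new_acls: Dict[str, List[Rule]] = {}
        for obj, rules in parsed.items():
            new_acls[obj] = [Rule(r["principal"], frozenset(r["actions"]), r["effect"])
                             for r in rules]
        self._acls = new_acls

    def is_allowed(self, obj: str, principal: str, action: str,
                   groups: Iterable[str] = ()) -> bool:
        """Decision: default deny; an explicit deny overrides any allow."""
        subjects = {principal, *groups}
        applicable = [r for r in self._acls.get(obj, [])
                      if r.principal in subjects and action in r.actions]
        if any(r.effect == "deny" for r in applicable):
            return False
        return any(r.effect == "allow" for r in applicable)


def demo() -> List[bool]:
    """Walk through the use case steps; each decision is taken right after the update."""
    store = PolicyStore()
    obj = "/data/reports/q3.csv"   # constructed object name
    decisions = []
    # Nothing granted yet: default deny.
    decisions.append(store.is_allowed(obj, "alice", "read"))
    # Add: administrator grants alice read; effective immediately.
    store.add_rule(obj, Rule("alice", frozenset({"read"}), "allow"))
    decisions.append(store.is_allowed(obj, "alice", "read"))
    decisions.append(store.is_allowed(obj, "alice", "write"))
    # Change: widen alice's grant to read and write.
    store.change_rule(obj, "alice", {"read", "write"}, "allow")
    decisions.append(store.is_allowed(obj, "alice", "write"))
    # Group allow plus an explicit user deny: the deny wins for bob only.
    store.add_rule(obj, Rule("analysts", frozenset({"read"}), "allow"))
    store.add_rule(obj, Rule("bob", frozenset({"read"}), "deny"))
    decisions.append(store.is_allowed(obj, "carol", "read", groups=["analysts"]))
    decisions.append(store.is_allowed(obj, "bob", "read", groups=["analysts"]))
    # Delete: alice's access is revoked immediately.
    store.delete_rules(obj, "alice")
    decisions.append(store.is_allowed(obj, "alice", "read"))
    # Bulk upload replaces the store; the earlier group rule is gone.
    bulk = json.dumps({obj: [{"principal": "dave", "actions": ["read"], "effect": "allow"}]})
    store.load_bulk(bulk)
    decisions.append(store.is_allowed(obj, "dave", "read"))
    decisions.append(store.is_allowed(obj, "carol", "read", groups=["analysts"]))
    # A malformed bulk document is rejected as a whole; the prior policy stays in force.
    try:
        store.load_bulk('{"x": [{"principal": "eve", "actions": ["read"], "effect": "maybe"}]}')
    except ValueError:
        pass
    decisions.append(store.is_allowed(obj, "dave", "read"))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The two properties a practitioner should check in a real provider's tool are visible in `demo()`: a change is observable on the very next access decision, and a bulk upload either applies completely or not at all.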
Failure Condition/Failure Handling:
Credit: