Authorization Server Project

Authorization is a common feature and need among computer applications. Many applications provide similar authorization functions, e.g., authorizing by group as well as by individual, and logical/boolean combinations of user/group attributes to identify those authorized to use a resource. The authorization server is designed to meet and serve the needs of a variety of applications.

Providing authorization services through a published protocol clearly separates language binding and user interface issues from backend design. The authorization server focuses on backend design by minimizing initial frontend requirements. Choosing an existing protocol, LDAP, for the authorization server allows immediate productive use of existing LDAP tools (clients, editors, browsers, import utilities and formats). The authorization server is therefore implemented as an LDAP server, and it is used in one of two ways: with completely ordinary LDAP queries or updates for administration, or with formally correct LDAP queries that carry included tokens to trigger their special use as authorization queries.

The authorization server uses three LDAP subtrees, matching the functional needs of authorization with the operation of an LDAP server. The principal tree contains attributes of any user, group, or program entity who/which might be authorized to act in some way with regard to a specific resource. These attributes can either explicitly state membership in groups, or imply it by each group member sharing the same value of a common attribute. The profile tree holds various profiles, each of which defines the permissions allowed to different sets of users. Sets of users are specified by giving boolean conditions on principal attributes. The resource tree contains resources protected by the authorization server, and pairs each resource with a specific profile.

Administrative updates to this database use the LDAP protocol "straight", with no special handling. Authorization queries instead carry signifying tokens within a formally correct LDAP syntax; the tokens mark the query for special processing, in which the three LDAP subtrees are consulted to resolve the authorization query.
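The resource-to-profile-to-principal resolution described above, as an added example that is not the project's own code: a constructed LDIF sample for the principal, profile and resource subtrees, with each profile's per-permission condition written as an ordinary LDAP filter (an assumption about the condition syntax), and a small resolver that looks up the resource's paired profile, picks the condition for the requested permission, and evaluates it against the principal's attributes. Group membership appears both explicitly (memberOf) and implicitly (a shared department value).

```python
# Constructed sample of the three subtrees (example data, not the project's own).
LDIF = """dn: uid=alice,ou=principals,dc=example,dc=org
department: physics

dn: uid=bob,ou=principals,dc=example,dc=org
department: history
memberOf: cn=auditors,ou=principals,dc=example,dc=org

dn: cn=lab-readers,ou=profiles,dc=example,dc=org
read: (|(department=physics)(memberOf=cn=auditors,ou=principals,dc=example,dc=org))
write: (department=physics)

dn: cn=lab-wiki,ou=resources,dc=example,dc=org
profile: cn=lab-readers,ou=profiles,dc=example,dc=org"""

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attribute: [values]}, enough for this sample."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, val in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def match(filt, attrs):
    """Evaluate an LDAP-style filter (only &, |, ! and equality) against one entry."""
    def parse(i):  # returns (truth value, index just past the matching ')')
        op = filt[i + 1]
        if op in "&|!":
            results, i = [], i + 2
            while filt[i] != ")":
                r, i = parse(i)
                results.append(r)
            combine = {"&": all, "|": any, "!": lambda r: not r[0]}[op]
            return combine(results), i + 1
        end = filt.index(")", i)
        name, _, want = filt[i + 1:end].partition("=")
        return want in attrs.get(name, []), end + 1
    return parse(0)[0]

def authorize(db, principal_dn, resource_dn, permission):
    """Resource -> paired profile -> condition for the permission -> principal's attributes."""
    try:
        condition = db[db[resource_dn]["profile"][0]][permission][0]
    except KeyError:
        return False  # unknown resource or profile, or no condition for this permission: deny
    return match(condition, db.get(principal_dn, {}))

DB = parse_ldif(LDIF)
```

Unknown principals, resources, profiles and permissions all resolve to a denial rather than an error, which is the safe default for an authorization decision.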

© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.