top of page
  • Shawn McKinney
    • Jun 11, 2015
    • 2 min read

What is Delegated Administration?


DEFINED

The ability to control access on the security system itself. This control is exercised inside the policy administration programs.

In addition to what functions may be executed, we must control which entities to operate on. A common use case is to allow User X the ability to reset and unlock passwords only for Users within Organization Y. Another is the administrator may only assign a specific subset of Roles to Users who reside inside their Organization. Additionally we must also be able to limit an Administrator to a specific subset of Roles in which to Grant to a subset of Permissions. Indeed every API that changes state inside the back-end security repository must be governed via a well understood delegated administration policy.

ADMINISTRATIVE ROLE-BASED ACCESS CONTROL (ARBAC)

Apache Fortress has implemented ARBAC02. [link to paper]. This is a formal model for Delegated Administration and builds on the ANSI RBAC specification. The control is marshaled into three interfaces:

  1. Delegated Admin Manager – Provides CRUD for related entities like Administrative Roles and Permissions.

  2. Delegated Review Manager – Interrogation of Delegated Admin policy objects.

  3. Delegated Access Manager – Enforcement of Delegated Administration Policies.

1 & 2 are for management of the Delegated Admin policies themselves. 3 is for enforcement of Delegated Admin policies at runtime.

DELEGATED ADMIN POLICY ENFORCEMENT

There are two types of controls:

  1. Ensure that the caller has the permission to call the security administrative method (e.g. addUser, addRole, addPermission,…)

  2. Ensure the caller is entitled to perform the function for a given organization (e.g. which Users and Permissions to grant access rights).

With Fortress, the Delegated Administration control is baked into its APIs. The enforcement occurs during API invocation which means it can’t be circumvented by poorly implemented administrative programs.

In addition to control, every API invocation leaves an audit trail so you may determine what policies changed, by whom, when and where.

120 views0 comments

Recent Posts

See All

OpenLDAP & LMDB Sizing Guide

Jan 17, 2022 Introduction Symas OpenLDAP configured with LMDB has been extensively tested and its performance characteristics are well understood. Both OpenLDAP and LMDB’s scaling characteristics are

Implementing LDAPS in Symas OpenLDAP 2.5+

Please note that the certificates must be in a pem format (.pem or .crt). You will need three certificates: Root CA certificate, server certificate (with the fqdn of server in subject line or in the s

bottom of page