[1445] in SAPr3-news
Re: THE authorization Concept. (R3)
daemon@ATHENA.MIT.EDU (greywolf@wco.com)
Sat Jun 1 23:37:58 1996
To: sapr3-news@MIT.EDU
Date: 29 May 1996 05:38:44 GMT
From: greywolf@wco.com
Reply-To: greywolf@wco.com
At my company, we establish what we call role profiles. These are, technically,
composite profiles that are directly related to a generic role assigned to an end
user by the configuration staff.
For each of these role profiles, the configurators list all the transactions that
each role needs. Based on this list we (security administrators) define
authorizations needed to satisfy each transaction. We then group the
authorizations into simple profiles that satisfy one (or possibly two or three)
transactions. We then assemble the list of profiles that are needed to run
the list of transactions into the role (composite) profile.
This way, if you ever need to remove access, all you need to do is remove the
simple profile that governs that transaction.
It would also be a good idea to keep an "encyclopedia" of the many simple
profiles that are created. This will help the team practice reuse of knowledge,
rather than build many identical profiles with different naming conventions.
Not to mention save time and money.
Regards,
Matthew Burry
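The layering the post describes (authorizations grouped into simple profiles, simple profiles assembled into a role/composite profile, access removed by dropping one simple profile, and an "encyclopedia" used to avoid building the same profile twice) can be modelled directly. The following is an added illustration, not code from the post or from SAP; the authorization objects, transaction codes, field values and profile names are constructed samples that merely resemble R/3 conventions. It also adds two checks a security administrator would want: which transactions on the configurators' list no profile covers yet, and which other transactions lose access when a shared simple profile is removed.

```python
from dataclasses import dataclass
from collections import defaultdict


# An authorization is an authorization object plus field/value pairs. Values are
# stored as a sorted tuple so two identically built authorizations compare equal.
@dataclass(frozen=True)
class Authorization:
    auth_object: str
    values: tuple


def auth(auth_object, **fields):
    return Authorization(auth_object, tuple(sorted(fields.items())))


# A simple profile satisfies one (or two or three) transactions.
@dataclass(frozen=True)
class SimpleProfile:
    name: str
    transactions: frozenset      # transaction codes this profile governs
    authorizations: frozenset    # Authorization instances it grants


class RoleProfile:
    """Composite (role) profile: the simple profiles a generic role needs."""

    def __init__(self, name, simple_profiles):
        self.name = name
        self.simple_profiles = {p.name: p for p in simple_profiles}

    def transactions(self):
        return set().union(*(p.transactions for p in self.simple_profiles.values()))

    def missing(self, required):
        """Transactions the configurators listed that no simple profile covers."""
        return set(required) - self.transactions()

    def remove_transaction(self, tcode):
        """Drop every simple profile governing tcode. Returns the other
        transactions that lose access as a side effect (a simple profile may
        cover two or three transactions, so removal is not always surgical)."""
        collateral = set()
        for name, prof in list(self.simple_profiles.items()):
            if tcode in prof.transactions:
                collateral |= prof.transactions - {tcode}
                del self.simple_profiles[name]
        return collateral


def duplicate_profiles(encyclopedia):
    """Groups of simple profiles with identical authorization sets, i.e. the
    same profile built more than once under different naming conventions."""
    by_content = defaultdict(list)
    for prof in encyclopedia:
        by_content[prof.authorizations].append(prof.name)
    return [sorted(names) for names in by_content.values() if len(names) > 1]


# Constructed sample data (hypothetical names and values).
P_FI_POST = SimpleProfile("Z_FI_POST", frozenset({"FB01"}), frozenset({
    auth("S_TCODE", TCD="FB01"),
    auth("F_BKPF_BUK", ACTVT="01", BUKRS="1000")}))
P_FI_DISP = SimpleProfile("Z_FI_DISP", frozenset({"FB03"}), frozenset({
    auth("S_TCODE", TCD="FB03"),
    auth("F_BKPF_BUK", ACTVT="03", BUKRS="1000")}))
P_MM_PO = SimpleProfile("Z_MM_PO", frozenset({"ME21", "ME23"}), frozenset({
    auth("S_TCODE", TCD="ME21"),
    auth("S_TCODE", TCD="ME23"),
    auth("M_BEST_BSA", ACTVT="01", BSART="NB")}))
# Same authorizations as Z_FI_DISP, rebuilt under another naming convention.
P_DUP = SimpleProfile("ZFIDISPLAY", frozenset({"FB03"}), P_FI_DISP.authorizations)

ENCYCLOPEDIA = [P_FI_POST, P_FI_DISP, P_MM_PO, P_DUP]


def build_clerk_role():
    return RoleProfile("Z_ROLE_FI_CLERK", [P_FI_POST, P_FI_DISP, P_MM_PO])


def demo():
    role = build_clerk_role()
    required = ["FB01", "FB03", "ME21", "ME23", "MIRO"]
    gaps = role.missing(required)             # {"MIRO"}: listed, no profile yet
    lost = role.remove_transaction("ME21")    # {"ME23"}: shared profile removed
    dups = duplicate_profiles(ENCYCLOPEDIA)   # [["ZFIDISPLAY", "Z_FI_DISP"]]
    return gaps, lost, dups, sorted(role.transactions())


if __name__ == "__main__":
    print(demo())
```

Keying the encyclopedia on the authorization content rather than the profile name is what makes the reuse check work: two profiles built by different people with different naming conventions still collide, which is exactly the duplication the post warns about.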