SlideShare a Scribd company logo

Modelling and evaluating complex user entitlements in directory services using JSON and REST

Mark Perry
Mark Perry

This document discusses modeling and evaluating complex user entitlements using JSON and REST. It provides background on the author and his experience in identity and access management. It then outlines ways to model entitlements using JSON attributes in a directory, including defining matching rules and constraints. Examples of modeling entitlements for employees and consumers are provided. Finally, it discusses evaluating entitlements via REST APIs and how Ping Data Governance can enable flexibility in modeling and modifying data returned to clients.

Technology
1 of 22
Download to read offline
Mark Perry, APAC CTO markperryau markperry@pingidentity.com Modelling and evaluating complex user entitlements in directory services using JSON and REST
• Based in Melbourne, Australia • Nearly 30 years in IT • Most in Identity • Likes whiskey, good coffee • Passionate about Australian Rules Football • Plays golf
Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS
Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3
• Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3 • Sun Microsystems • SunAM, SunIM, Liberty Alliance, SAML
• Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3 • Sun Microsystems • SunAM, SunIM, Liberty Alliance, SAML • Ping Identity • OAuth2, OIDC • Open Banking
LDAPsql • Command line tool • PL/SQL-like • Use SQL syntax against directories • Create views, synonyms, etc. • DISTINCT, COUNT, MAX, MIN, ORDER BY ASC DESC, etc. • Written in Java • Pretty output & LDIF • CRUD • INSERT is wizard- driven
8 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Ping Data Products Product Usage PingDirectory Data Store LDAP, REST, JSON Ping DataSync High speed data synchronisation Ping Directory Proxy LDAP proxy Load balancing Rate limiting Operation balancing Ping DataGovernance Data Access Proxy/Service Policy Engine Data transformation pingidentity.com
Entitlements 9 Copyright © 2019, Ping Identity Corporation. All rights reserved.
Two Questions Entitlements Answer § What can Bob do in this context? § What do you know about Alice? (all authorisations)
Why Store Entitlements In The Directory? § Centralisation – Single View, Audit § Control – Limit rogue admins § Performance – vs CRM, MDM, etc. § Access – Developer friendly
12 Copyright © 2019, Ping Identity Corporation. All rights reserved. Ways of Managing Entitlements § Group memberships – memberOf § nsRole – Static, dynamic § Attribute-based – Delimited attribute – JSON
13 Copyright © 2019, Ping Identity Corporation. All rights reserved. Using JSON Attributes § Schema Definition dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema attributeTypes: ( jsonAttr1-OID NAME ‘entitlement' DESC ‘entitlement json attribute' EQUALITY jsonObjectExactMatch SYNTAX 1.3.6.1.4.1.30221.2.3.4 USAGE userApplications ) objectClasses: ( jsonObjectClass-OID NAME 'jsonObjectClass' AUXILIARY MAY entitlement )
14 Copyright © 2019, Ping Identity Corporation. All rights reserved. Modelling JSON Attributes § Matching Rules – jsonObjectCaseSensitiveNamesCaseSensitiveValues – jsonObjectCaseInsensitiveNamesCaseInsensitiveValues – jsonObjectCaseInsensitiveNamesCaseSensitiveValues § Constraints – Requiring values of the field to have a specified data type. – Indicating whether the field is required or optional. – Indicating whether the field can have multiple values in an array. If a field is permitted to have array values, restrictions can also be placed on the number of elements that can be present in the array. – Indicating whether the field can have a value that is the null primitive as an alternative to values of the indicated data type. – Restricting values of string fields to a predefined set of values, that match a given regular expression, or a specified length. – Restricting values of numeric fields with upper and lower bounds.
15 Copyright © 2019, Ping Identity Corporation. All rights reserved. Using JSON Attributes § Searches Equals field filter type $ bin/ldapsearch -p 1389 -b dc=example,dc=com -D "cn=Directory Manager" -w password ‘(entitlement:jsonObjectFilterExtensibleMatch:={ "filterType" : "equals", "field" : ["stuff", "onetype", "name"], "value" : "John Doe" })’ Contains field filter type $ bin/ldapsearch -p 1389 -b dc=example,dc=com -D "cn=Directory Manager" -w password ‘(entitlement:jsonObjectFilterExtensibleMatch:={ "filterType" : "containsField", "field" : "age", "expectedType" : "number" })'
16 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Modelling Entitlements {”entitlement”: { ”location”: ”East”, ”role”: ”Teller” }} Nesting is possible! {”entitlement”: { ”location”: ”East”, ”role”: { ”desc”: ”Teller”, ”jobCode”: ”3458645” … } }}
17 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Examples § Employees – Access rights for applications – Role, location, time, etc. – Relationships › Teams › Cross-brand § Consumers – Access rights for services – Cross-product – Consent – Relationships › Families › Associations – Churn
18 Copyright © 2019, Ping Identity Corporation. All rights reserved. Evaluating Entitlements § How much to model and maintain in schema? § Do different apps need different values? § Represent in OAuth scopes? Or apps to perform REST calls at runtime? § Dynamic creation of entitlements in a data access gateway
19 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Ping Data Governance Sensitive Data 𝛍APIClients API Proxy Fine-Grained Access Control Policy Engine (PEP - Policy Enforcement Point) (PDP - Policy Decision Point) (PIP - Policy Information Points) Entitlements
20 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Enables Flexibility and Ease of Modelling § Can modify data returned to clients depending on their requirements § OAuth Token Exchange (soon) § Drag and drop policy creation tool (no XACML!)
21 Copyright © 2019, Ping Identity Corporation. All rights reserved. Summary § Entitlements are growing in importance for customers – And they want guidance from us § Modelling entitlements using JSON § Evaluating entitlements via REST APIs § Directories continue to have a huge role to play in securing access
22 Copyright © 2019, Ping Identity Corporation. All rights reserved. markperry@pingidentity.com markperryid.com markperryau

Recommended

Generating docs from APIs
Generating docs from APIsGenerating docs from APIs
Generating docs from APIs
jamiehannaford
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
Codemotion
 
Cdm mil-18 - hypermedia ap is for headless platforms and data integration
Cdm mil-18 - hypermedia ap is for headless platforms and data integrationCdm mil-18 - hypermedia ap is for headless platforms and data integration
Cdm mil-18 - hypermedia ap is for headless platforms and data integration
David Gómez García
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
Amazon Web Services
 
What’s the big deal with Graph Databases?
What’s the big deal with Graph Databases?What’s the big deal with Graph Databases?
What’s the big deal with Graph Databases?
Daniel Zivkovic
 
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Amazon Web Services
 
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
Amazon Web Services
 

Recommended

Generating docs from APIs
Generating docs from APIsGenerating docs from APIs
Generating docs from APIs
jamiehannaford
 
Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0Application development with Oracle NoSQL Database 3.0
Application development with Oracle NoSQL Database 3.0
Anuj Sahni
 
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
David Gómez G. - Hypermedia APIs for headless platforms and Data Integration ...
Codemotion
 
Cdm mil-18 - hypermedia ap is for headless platforms and data integration
Cdm mil-18 - hypermedia ap is for headless platforms and data integrationCdm mil-18 - hypermedia ap is for headless platforms and data integration
Cdm mil-18 - hypermedia ap is for headless platforms and data integration
David Gómez García
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
Amazon Web Services
 
What’s the big deal with Graph Databases?
What’s the big deal with Graph Databases?What’s the big deal with Graph Databases?
What’s the big deal with Graph Databases?
Daniel Zivkovic
 
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Amazon Web Services
 
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
MBL204_Architecting Cost-Effective Mobile Backends for Scale, Security, and P...
Amazon Web Services
 
Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2
kriszyp
 
Pattern Driven Enterprise Architecture
Pattern Driven Enterprise ArchitecturePattern Driven Enterprise Architecture
Pattern Driven Enterprise Architecture
WSO2
 
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
Amazon Web Services
 
Making Sense of Schema on Read
Making Sense of Schema on ReadMaking Sense of Schema on Read
Making Sense of Schema on Read
Kent Graziano
 
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdfRET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
Amazon Web Services
 
Database su AWS scegliere lo strumento giusto per il giusto obiettivo
Database su AWS scegliere lo strumento giusto per il giusto obiettivoDatabase su AWS scegliere lo strumento giusto per il giusto obiettivo
Database su AWS scegliere lo strumento giusto per il giusto obiettivo
Amazon Web Services
 
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
Amazon Web Services
 
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in... 0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
Amazon Web Services
 
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
Amazon Web Services
 
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
Amazon Web Services
 
MySQL Enterprise Data Masking
MySQL Enterprise Data MaskingMySQL Enterprise Data Masking
MySQL Enterprise Data Masking
Georgi Kodinov
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
Antonio Peric-Mazar
 
Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...
Amazon Web Services
 
From SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSONFrom SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSON
Keshav Murthy
 
AWS Neptune - A Fast and reliable Graph Database Built for the Cloud
AWS Neptune - A Fast and reliable Graph Database Built for the CloudAWS Neptune - A Fast and reliable Graph Database Built for the Cloud
AWS Neptune - A Fast and reliable Graph Database Built for the Cloud
Amazon Web Services
 
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
Amazon Web Services
 
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
Amazon Web Services
 
Services for Science
Services for ScienceServices for Science
Services for Science
Ian Foster
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
Deep Dive on Amazon Neptune - AWS Online Tech Talks
Deep Dive on Amazon Neptune - AWS Online Tech TalksDeep Dive on Amazon Neptune - AWS Online Tech Talks
Deep Dive on Amazon Neptune - AWS Online Tech Talks
Amazon Web Services
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

More Related Content

Similar to Modelling and evaluating complex user entitlements in directory services using JSON and REST

Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2
kriszyp
 
Pattern Driven Enterprise Architecture
Pattern Driven Enterprise ArchitecturePattern Driven Enterprise Architecture
Pattern Driven Enterprise Architecture
WSO2
 
Making Sense of Schema on Read
Making Sense of Schema on ReadMaking Sense of Schema on Read
Making Sense of Schema on Read
Kent Graziano
 
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdfRET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
Amazon Web Services
 
From SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSONFrom SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSON
Keshav Murthy
 

Similar to Modelling and evaluating complex user entitlements in directory services using JSON and REST (20)

Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2Java Script Based Client Server Webapps 2
Java Script Based Client Server Webapps 2
 
Pattern Driven Enterprise Architecture
Pattern Driven Enterprise ArchitecturePattern Driven Enterprise Architecture
Pattern Driven Enterprise Architecture
 
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
0 to 60 with AWS AppSync: Rapid Development Techniques for Mobile APIs (MOB32...
 
Making Sense of Schema on Read
Making Sense of Schema on ReadMaking Sense of Schema on Read
Making Sense of Schema on Read
 
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdfRET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
RET305-Turbo Charge Your E-Commerce Site wAmazon Cache and Search Solutions.pdf
 
Database su AWS scegliere lo strumento giusto per il giusto obiettivo
Database su AWS scegliere lo strumento giusto per il giusto obiettivoDatabase su AWS scegliere lo strumento giusto per il giusto obiettivo
Database su AWS scegliere lo strumento giusto per il giusto obiettivo
 
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
SRV423 [new launch] Introducing Amazon Macie — Visibility and Security for yo...
 
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in... 0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
0 to 100kmh with GraphQL - Rapid API Prototyping using serverless backend in...
 
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
MCL204_How Washington County Sherriff’s Office is using Amazon AI to Identify...
 
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
The Unusual Suspect: How Washington County Sheriff’s Office is using Amazon A...
 
MySQL Enterprise Data Masking
MySQL Enterprise Data MaskingMySQL Enterprise Data Masking
MySQL Enterprise Data Masking
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
 
Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...
 
From SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSONFrom SQL to NoSQL: Structured Querying for JSON
From SQL to NoSQL: Structured Querying for JSON
 
AWS Neptune - A Fast and reliable Graph Database Built for the Cloud
AWS Neptune - A Fast and reliable Graph Database Built for the CloudAWS Neptune - A Fast and reliable Graph Database Built for the Cloud
AWS Neptune - A Fast and reliable Graph Database Built for the Cloud
 
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
AWS AI Media & Entertainment Seminar - NYC, August 15, 2017
 
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
0 to 100kmh with GraphQL. Rapid API Prototyping usingserverless backend in t...
 
Services for Science
Services for ScienceServices for Science
Services for Science
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
Deep Dive on Amazon Neptune - AWS Online Tech Talks
Deep Dive on Amazon Neptune - AWS Online Tech TalksDeep Dive on Amazon Neptune - AWS Online Tech Talks
Deep Dive on Amazon Neptune - AWS Online Tech Talks
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Modelling and evaluating complex user entitlements in directory services using JSON and REST

  • 1. Mark Perry, APAC CTO markperryau markperry@pingidentity.com Modelling and evaluating complex user entitlements in directory services using JSON and REST
  • 2. • Based in Melbourne, Australia • Nearly 30 years in IT • Most in Identity • Likes whiskey, good coffee • Passionate about Australian Rules Football • Plays golf
  • 3. Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS
  • 4. Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3
  • 5. • Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3 • Sun Microsystems • SunAM, SunIM, Liberty Alliance, SAML
  • 6. • Career in IAM and Digital Identity • IBM • /etc/password, YP, NIS • Netscape • Directory Server v1 & 3 • Sun Microsystems • SunAM, SunIM, Liberty Alliance, SAML • Ping Identity • OAuth2, OIDC • Open Banking
  • 7. LDAPsql • Command line tool • PL/SQL-like • Use SQL syntax against directories • Create views, synonyms, etc. • DISTINCT, COUNT, MAX, MIN, ORDER BY ASC DESC, etc. • Written in Java • Pretty output & LDIF • CRUD • INSERT is wizard- driven
  • 8. 8 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Ping Data Products Product Usage PingDirectory Data Store LDAP, REST, JSON Ping DataSync High speed data synchronisation Ping Directory Proxy LDAP proxy Load balancing Rate limiting Operation balancing Ping DataGovernance Data Access Proxy/Service Policy Engine Data transformation pingidentity.com
  • 9. Entitlements 9 Copyright © 2019, Ping Identity Corporation. All rights reserved.
  • 10. Two Questions Entitlements Answer § What can Bob do in this context? § What do you know about Alice? (all authorisations)
  • 11. Why Store Entitlements In The Directory? § Centralisation – Single View, Audit § Control – Limit rogue admins § Performance – vs CRM, MDM, etc. § Access – Developer friendly
  • 12. 12 Copyright © 2019, Ping Identity Corporation. All rights reserved. Ways of Managing Entitlements § Group memberships – memberOf § nsRole – Static, dynamic § Attribute-based – Delimited attribute – JSON
  • 13. 13 Copyright © 2019, Ping Identity Corporation. All rights reserved. Using JSON Attributes § Schema Definition dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema attributeTypes: ( jsonAttr1-OID NAME ‘entitlement' DESC ‘entitlement json attribute' EQUALITY jsonObjectExactMatch SYNTAX 1.3.6.1.4.1.30221.2.3.4 USAGE userApplications ) objectClasses: ( jsonObjectClass-OID NAME 'jsonObjectClass' AUXILIARY MAY entitlement )
  • 14. 14 Copyright © 2019, Ping Identity Corporation. All rights reserved. Modelling JSON Attributes § Matching Rules – jsonObjectCaseSensitiveNamesCaseSensitiveValues – jsonObjectCaseInsensitiveNamesCaseInsensitiveValues – jsonObjectCaseInsensitiveNamesCaseSensitiveValues § Constraints – Requiring values of the field to have a specified data type. – Indicating whether the field is required or optional. – Indicating whether the field can have multiple values in an array. If a field is permitted to have array values, restrictions can also be placed on the number of elements that can be present in the array. – Indicating whether the field can have a value that is the null primitive as an alternative to values of the indicated data type. – Restricting values of string fields to a predefined set of values, that match a given regular expression, or a specified length. – Restricting values of numeric fields with upper and lower bounds.
  • 15. 15 Copyright © 2019, Ping Identity Corporation. All rights reserved. Using JSON Attributes § Searches Equals field filter type $ bin/ldapsearch -p 1389 -b dc=example,dc=com -D "cn=Directory Manager" -w password ‘(entitlement:jsonObjectFilterExtensibleMatch:={ "filterType" : "equals", "field" : ["stuff", "onetype", "name"], "value" : "John Doe" })’ Contains field filter type $ bin/ldapsearch -p 1389 -b dc=example,dc=com -D "cn=Directory Manager" -w password ‘(entitlement:jsonObjectFilterExtensibleMatch:={ "filterType" : "containsField", "field" : "age", "expectedType" : "number" })'
  • 16. 16 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Modelling Entitlements {”entitlement”: { ”location”: ”East”, ”role”: ”Teller” }} Nesting is possible! {”entitlement”: { ”location”: ”East”, ”role”: { ”desc”: ”Teller”, ”jobCode”: ”3458645” … } }}
  • 17. 17 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Examples § Employees – Access rights for applications – Role, location, time, etc. – Relationships › Teams › Cross-brand § Consumers – Access rights for services – Cross-product – Consent – Relationships › Families › Associations – Churn
  • 18. 18 Copyright © 2019, Ping Identity Corporation. All rights reserved. Evaluating Entitlements § How much to model and maintain in schema? § Do different apps need different values? § Represent in OAuth scopes? Or apps to perform REST calls at runtime? § Dynamic creation of entitlements in a data access gateway
  • 19. 19 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Ping Data Governance Sensitive Data 𝛍APIClients API Proxy Fine-Grained Access Control Policy Engine (PEP - Policy Enforcement Point) (PDP - Policy Decision Point) (PIP - Policy Information Points) Entitlements
  • 20. 20 Confidential - Do not distribute. Copyright © 2019, Ping Identity Corporation. All rights reserved. Enables Flexibility and Ease of Modelling § Can modify data returned to clients depending on their requirements § OAuth Token Exchange (soon) § Drag and drop policy creation tool (no XACML!)
  • 21. 21 Copyright © 2019, Ping Identity Corporation. All rights reserved. Summary § Entitlements are growing in importance for customers – And they want guidance from us § Modelling entitlements using JSON § Evaluating entitlements via REST APIs § Directories continue to have a huge role to play in securing access
  • 22. 22 Copyright © 2019, Ping Identity Corporation. All rights reserved. markperry@pingidentity.com markperryid.com markperryau