Example of resource-based authorization

Dec 12, 2009 at 1:31 AM

Understanding that application-specific notions probably don't belong in claims, it might be useful to have a practical example that talks about how to map these concepts. For example, if I have a medical system where I am limited to seeing a specific set of patients, what would I leave within the claim, and how would that map to the role, action and resource?

Coordinator
Jan 6, 2010 at 7:45 PM

"Understanding that application-specific notions probably don't belong in claims..."

This is not necessarily true. An "R-STS" knows about application-specific claims. For example, roles are typically app-specific. I think the issue is around the right granularity for claims-based authz so you don't end up with an explosion of claims (e.g. a claim for each patient a doctor has access to). In your example, roles and actions are probably good candidates. Resources? Maybe... I guess you could have a claim for grouping patients (e.g. "ER", "Post Surgery", "Oncology", etc.).
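
The split the reply describes, worked through as an added example (not code from the thread, the guide, or WIF): roles and patient-group claims travel in the token, the role-to-action table stays in the application, and the resource check compares the patient's unit against the principal's group claims instead of needing one claim per patient. Claim type names, role names and the sample patients are constructed for this illustration.

```python
from dataclasses import dataclass

# Claim types are assumptions for this example, not names from the thread or from WIF.
ROLE = "role"
UNIT = "unit"   # coarse patient grouping ("ER", "Oncology", ...) instead of one claim per patient


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass(frozen=True)
class Patient:
    patient_id: str
    unit: str   # the resource attribute the authorization decision is made on


# Role -> permitted actions is application-specific policy; it lives in the app, not in the token.
# Roles not listed here get no actions at all (deny by default).
ROLE_ACTIONS = {
    "Physician": {"view", "update"},
    "Nurse": {"view"},
}


def is_authorized(claims, action, patient):
    """Return True only if some role permits the action AND the patient's unit
    is one of the principal's unit claims (the resource check)."""
    roles = {c.value for c in claims if c.type == ROLE}
    units = {c.value for c in claims if c.type == UNIT}
    if not any(action in ROLE_ACTIONS.get(r, set()) for r in roles):
        return False
    return patient.unit in units


if __name__ == "__main__":
    # Constructed principal: an ER/Oncology physician, carrying three claims rather than
    # one claim per patient the physician can see.
    doctor = [Claim(ROLE, "Physician"), Claim(UNIT, "ER"), Claim(UNIT, "Oncology")]
    print(is_authorized(doctor, "update", Patient("p-001", "ER")))          # True
    print(is_authorized(doctor, "update", Patient("p-002", "Cardiology")))  # False: wrong unit
    nurse = [Claim(ROLE, "Nurse"), Claim(UNIT, "ER")]
    print(is_authorized(nurse, "update", Patient("p-001", "ER")))           # False: role lacks action
```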


Coordinator
Jan 6, 2010 at 7:59 PM
Edited Jan 6, 2010 at 7:59 PM

Here's also a good discussion related to this: http://blogs.msdn.com/vbertocci/archive/2009/12/01/good-claims-bad-claims-1-an-example.aspx