OASIS Cloud Authorization (CloudAuthZ) Technical Committee

The official charter for this Technical Committee is provided below. (For additional information, see the Call for Participation that was issued when this TC was formed.)

  1. The name of the TC

    OASIS Cloud Authorization (CloudAuthZ) Technical Committee

  2. Statement of Purpose

    As Cloud Computing gains traction in the industry, Cloud providers face challenges from the lack of standardized profiles for authorization and entitlements. In Cloud Computing Systems, resources such as bandwidth and memory are constrained. There are, for example, use cases where the access policy enforcement of a cloud resource needs to be performed as close to the Consumer as possible. In addition, in most enforcement models, there are general requirements for making attributes, including contextual attributes, readily available to Policy Enforcement Points in order to streamline calls to the authorization engine. Additionally, since the computing resources are limited, there are use cases where the Policy Enforcement Point needs to obtain the contextual entitlements that the Consumer has with a single call, rather than perform a large number of calls to the authorization engine as in the classic enforcement model.

    The CloudAuthZ Technical Committee will use existing, well designed standards, to provide mechanisms for enabling the delivery of cloud contextual attributes to Policy Enforcement Points. Such mechanisms can enable the development of cloud infrastructures that provide in real time a subset of contextual entitlements sets that a decision point can use to authorize or deny a Consumer’s use of a specific resource. By developing standard mechanisms to do this, the need to customize the interactions between customer and vendor systems will be reduced, the overhead needed to support authorization and entitlement will decrease, and portability across multiple systems will be enhanced.

    The CloudAuthZ Technical Committee will use existing, well designed standards to provide mechanisms for enabling the delivery of contextual entitlements to the Policy Enforcement Points.

  3. Scope of work

    The purpose of this TC is to generate profiles for Cloud authorization and entitlements. The group’s goal is to define configurations of relevant standards that enable authorization policies to be enforced as efficiently as possible. In addition, these profiles will offer standardized mechanisms for compliance monitoring. The TC will develop techniques that allow a Consumer to receive a set of allowed entitlements and will develop authorization mechanisms that can use these entitlements to determine applicable contextual policies in real time.

    1. The TC will define use cases for authorization and entitlements in a Cloud Computing context. These may be new or existing use cases as the TC determines. The TC may reuse use cases identified by the OASIS Identity in the Cloud (IDCloud) TC in the context of Cloud authorization.
    2. When necessary, the TC will work on defining missing specifications for Cloud authorization and entitlements. As a primary objective, the TC will reuse existing standards as well as standards that are being developed in the area of scope. The TC will make an effort to not reinvent the wheel.
    3. The TC will generate Cloud authorization and entitlements profiles for the Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS) models of Cloud Computing.
    4. In all of its work, the TC should, to the extent feasible, prefer widely implementable, widely interoperable, modular standards, extensions, profiles, and methods that permit use by a variety of participants.

    Out of Scope: Identity Management Provisioning.

  4. List of deliverables

    1. A document calling out in detail the specific use cases of authorization and entitlements in a Cloud Computing context that the TC plans to address in its Work Products. This document will be completed and approved by the TC by January 2013. This document will be a Non-Standards Track Work Product.
    2. A Glossary defining key terms as the TC intends them to be used in its Work Products. The Glossary will be a Non-Standards Track Work Product.
    3. A document detailing the configuration of relevant standards in order to allow enforcement of authorization policies to be carried out using the Cloud Computing Models of IaaS, PaaS, and SaaS. This document will be completed and approved by the TC by June 2013. This document will be a Standards Track Work Product.
    4. A document detailing the configuration of relevant standards/specifications to define the download of contextual entitlements in a single call to a Policy Enforcement Point, using the Cloud Computing Models of IaaS, PaaS, and SaaS as examples in this document. This document will be completed and approved by the TC by December 2013. This document will be a Standards Track Work Product.

  5. IPR Mode under which the TC will operate

    The CloudAuthZ TC will operate under the Non-Assertion IPR mode as defined in the OASIS Intellectual Property Rights (IPR) Policy effective 15 October 2010.

  6. Anticipated audience or users

    The CloudAuthZ TC is intended for the following audiences: architects, designers and implementers of Cloud Computing Infrastructure and Services.

  7. Language

    TC business will be conducted in English. The output documents will be written in English.