Hi all,

Going forward as initial solution,

*Initial Requirement*
MDM has different authorization roles such as MDM Super Admin, MDM Admin and General User. MDM Super Admin has all privileges. MDM Admin has all privileges of MDM Super Admin except assigning permissions to roles. General User can control his own device only. General users are MDM consumers who are registered with MDM. Those users belong to different logical groups such as sales, marketing, etc. Operations which are allowed to execute among different users depend on their logical groups. In simple terms, MDM Admin can enable WIFI only for the marketing group, not for the sales group.

*First step of solution*
In the proposed solution, inside the Jaggery application the router logic intercepts the request (this is the PEP) and sends attributes to the PDP, typically the XACML engine, to get a decision: Permit or Deny. PEP Proxy is an intermediate library to handle communication between PEP and PDP (consuming EntitlementAdminService). In order to evaluate against the XACML policy, the org.wso2.carbon.identity.entitlement.proxy component has been used, available under platform/4.1.0/components/identity.

*Add new policies to XACML engine*
From the MDM perspective, directly editing XML or editing XML from the standard UI degrades the user experience of the end user. As per the MDM requirement we came up with a simple UI which asks the user to insert several parameters, and according to the user's input the MDM back-end generates a suitable XML representation for the XACML engine.

*Concern* - XACML doesn't work properly on IS 4.1.0 released with Carbon 4.1.0, but it works in IS 4.5.0 which is planned to release with Carbon 4.2.0. Since the mobile team has a protocol to use the last released Carbon version, right now we can't shift to C 4.2.0. But later we can upgrade the product to C 4.2.0 and add the entitlement feature.
Thanks,
Gayan

On Tue, Aug 27, 2013 at 3:55 PM, Chan <[email protected]> wrote:

> Hi all,
> Today we had a discussion about the Permissions and Policy model of the Mobile Platform - the attendees were - Harsha, Shan, Gayan, Dilshan, Dilan, Mayuran, Kasun, Chan.
>
> We are first considering the Permission model. Gartner states permissions as Access Management.
> The users of the system will belong to two groups essentially -
>
> Operator roles - admins, super admin
> User roles - users
>
> *Operator roles*
> Super admin - Assign features to admins and what group the admin can perform operations on
> Admin - Perform operations to user roles
>
> We are also creating a bundle of permissions that can hold a set of permissions. This set of permissions can be applied to a set of users. But the user can have only one bundle.
>
> *Concern* - XACML doesn't work properly on Carbon 4.1.0 but it works in Carbon 4.2.0 which will be released next week. To perform a full integration - Carbon 4.2.0 needs to be released.
>
> *Pre policy - After policy*
> Before we enroll a device - we have a pre policy that checks for compliance (not rooted, not jailbroken etc.). Afterwards we have policies configured for the user role enforced on the device.
>
> *App Policy*
> We are also going to separate the control in a Device and Application level. The MDM policies set will say that these are the device level policies and these are the App level policies.
>
> *Compliance model of Enforcement*
> Some policies will be enforced with the compliance model. For example, if Evernote is a blacklisted app - a notification will be sent to the user and the user is restricted from accessing corporate resources. This can be done by a long-polling or event driven approach.
>
> *Suggestions* -
> Have a set of devices in the MDM sanctioned by the corporate. User's devices will be filtered by the list.
> --
> Chan (Dulitha Wijewantha)
> Software Engineer - Mobile Development
> WSO2Mobile
> Lean.Enterprise.Mobileware
> ~Email [email protected]
> ~Mobile +94712112165
> ~Website dulithawijewantha.com
> ~Blog blog.dulithawijewantha.com <http://dulichan.github.io/chan/>
> ~Twitter @dulitharw <https://twitter.com/dulitharw>
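The policy generation and the PEP-to-PDP exchange described in the reply above, as an added JavaScript example (Jaggery is server-side JavaScript) that is not code from this thread or from WSO2: the role and group attribute ids and the function names are assumptions, while the namespace, category, function and combining-algorithm URNs are the standard XACML 3.0 identifiers.

```javascript
// Added example (not code from this thread or from WSO2): generate the XACML 3.0
// policy and the PEP request for "role X may do operation Y on group Z".
// Role/group attribute ids are assumed placeholders; other URNs are standard XACML.
const NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
const STRING = "http://www.w3.org/2001/XMLSchema#string";
const STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal";
const CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
const CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource";
const CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action";
const ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id";
const ATTR_ROLE = "urn:mdm:example:role";   // assumed custom attribute id
const ATTR_GROUP = "urn:mdm:example:group"; // assumed custom attribute id

// Form input becomes XML: escape it so a crafted value stays data and cannot
// alter the structure of the generated policy.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[<>&"']/g, c => map[c]);
}

function match(category, attributeId, value) {
  return `<Match MatchId="${STRING_EQUAL}"><AttributeValue DataType="${STRING}">` +
    `${escapeXml(value)}</AttributeValue><AttributeDesignator Category="${category}" ` +
    `AttributeId="${attributeId}" DataType="${STRING}" MustBePresent="true"/></Match>`;
}

// p = {policyId, role, group, action, effect}. One rule matching all three
// attributes; deny-unless-permit makes every unmatched request a Deny.
function buildPolicy(p) {
  if (p.effect !== "Permit" && p.effect !== "Deny") throw new Error("effect must be Permit or Deny");
  const id = escapeXml(p.policyId);
  return `<Policy xmlns="${NS}" PolicyId="${id}" Version="1.0" RuleCombiningAlgId=` +
    `"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"><Target/>` +
    `<Rule RuleId="${id}-rule" Effect="${p.effect}"><Target><AnyOf><AllOf>` +
    match(CAT_SUBJECT, ATTR_ROLE, p.role) + match(CAT_RESOURCE, ATTR_GROUP, p.group) +
    match(CAT_ACTION, ATTR_ACTION, p.action) + `</AllOf></AnyOf></Target></Rule></Policy>`;
}
function attributes(category, attributeId, value) {
  return `<Attributes Category="${category}"><Attribute AttributeId="${attributeId}" ` +
    `IncludeInResult="false"><AttributeValue DataType="${STRING}">${escapeXml(value)}` +
    `</AttributeValue></Attribute></Attributes>`;
}

// What the PEP (Jaggery router) sends to the PDP for one intercepted request.
function buildRequest(role, group, action) {
  return `<Request xmlns="${NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    attributes(CAT_SUBJECT, ATTR_ROLE, role) + attributes(CAT_RESOURCE, ATTR_GROUP, group) +
    attributes(CAT_ACTION, ATTR_ACTION, action) + `</Request>`;
}
```

For the "MDM Admin may enable WIFI for marketing only" case, `buildPolicy({policyId: "wifi-marketing", role: "MDM Admin", group: "marketing", action: "enableWifi", effect: "Permit"})` produces the policy and `buildRequest("MDM Admin", "sales", "enableWifi")` the request that the PDP would answer with Deny.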
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
