This page is no longer being updated and the information may be out of date.

5.3 Identity Management - Data Access Authorization Policy Management in the Cloud

****WORKING DOCUMENT****

Actors: cloud-subscriber, cloud-subscriber-user, cloud-subscriber-administrator, cloud-provider, identity-provider (optional)

Goals: A cloud-subscriber-administrator should be able to manage (add/delete/change) data access authorization policies for data stored in the cloud. Note: this capability is essential to fulfilling the use case Sharing of access to data in a cloud.

Assumption: The cloud-subscriber-user account has already been provisioned in the cloud (see the use case Identity Management – User Account Provisioning). The cloud-provider has data access authorization mechanisms in place that enforce the authorization policies managed by the cloud-subscriber-administrator.

Success Scenario (IaaS, PaaS):

Steps:

1. The cloud-subscriber-administrator authenticates and logs on to the cloud-provider's data access authorization policy tool (for example, a command line tool to manage access to file system data objects in the cloud, or a Web interface to manage authorization policies for data in a database).

2. The cloud-subscriber-administrator executes commands or performs actions to create or change data access policies, e.g., changes the ACL of a file system object.

3. Optionally, the cloud-subscriber-administrator uploads prepared access authorization policies (such as policies encoded in XACML) to the cloud-provider's bulk policy management interface.

4. Immediately following the update, the affected cloud-subscriber-user is able to access a data object or is denied access to it, depending on the new policy. The cloud-subscriber-administrator should verify the resulting policy (for example, by reading back the object's ACL) rather than assume the change took effect.
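The scenario above, as an added example that is not part of this NIST use case document: a minimal policy store in which only a cloud-subscriber-administrator may add, change or delete per-object ACLs, a policy decision function the cloud-provider would consult on each data access (deny-overrides combining, default deny), and a bulk-load path. The role names, the ACL entry layout and the JSON bulk format are assumptions for illustration; the JSON stands in for the provider's real bulk format (XACML in the use case), and the sample policy document is constructed.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Role names are an assumption: the provider tags each authenticated session
# with the actor role from the use case.
ADMIN_ROLE = "cloud-subscriber-administrator"
USER_ROLE = "cloud-subscriber-user"


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


@dataclass(frozen=True)
class AclEntry:
    subject: str         # principal name, or "*" for any authenticated user
    actions: frozenset   # e.g. frozenset({"read", "write"})
    effect: str          # "Permit" or "Deny"


class PolicyStore:
    """Data access authorization policies, changeable only by an administrator.

    Decisions use deny-overrides combining with a default of deny: an object
    with no ACL, or a request matching no entry, is refused.
    """

    def __init__(self) -> None:
        self._acls: Dict[str, List[AclEntry]] = {}

    def _require_admin(self, actor: Principal) -> None:
        # Only the cloud-subscriber-administrator may add/delete/change policies.
        if actor.role != ADMIN_ROLE:
            raise PermissionError(f"{actor.name} ({actor.role}) may not manage policies")

    def set_acl(self, actor: Principal, obj: str, entries: List[AclEntry]) -> None:
        """Create or replace the ACL of a data object (e.g. a file system object)."""
        self._require_admin(actor)
        for e in entries:
            if e.effect not in ("Permit", "Deny"):
                raise ValueError(f"bad effect {e.effect!r} for {obj}")
        self._acls[obj] = list(entries)   # takes effect on the next decision

    def delete_acl(self, actor: Principal, obj: str) -> None:
        self._require_admin(actor)
        self._acls.pop(obj, None)         # object falls back to default deny

    def bulk_load(self, actor: Principal, document: str) -> int:
        """Bulk policy upload; the JSON layout is an assumed stand-in for XACML."""
        self._require_admin(actor)
        policies = json.loads(document)
        for p in policies:
            entries = [AclEntry(r["subject"], frozenset(r["actions"]), r["effect"])
                       for r in p["rules"]]
            self.set_acl(actor, p["resource"], entries)
        return len(policies)

    def is_permitted(self, subject: Principal, obj: str, action: str) -> bool:
        """Policy decision the provider consults on every data access."""
        permitted = False
        for e in self._acls.get(obj, []):
            if e.subject not in ("*", subject.name) or action not in e.actions:
                continue
            if e.effect == "Deny":
                return False              # deny overrides any permit
            permitted = True
        return permitted


def demo() -> Dict[str, bool]:
    """Walks the success scenario and returns the access decision at each step."""
    admin = Principal("alice", ADMIN_ROLE)
    bob = Principal("bob", USER_ROLE)
    store = PolicyStore()
    results = {}

    # Before any policy exists: default deny.
    results["before"] = store.is_permitted(bob, "/data/report.csv", "read")

    # Administrator changes the ACL of a file system object; effective at once.
    store.set_acl(admin, "/data/report.csv",
                  [AclEntry("bob", frozenset({"read"}), "Permit")])
    results["after_grant"] = store.is_permitted(bob, "/data/report.csv", "read")
    results["write_not_granted"] = store.is_permitted(bob, "/data/report.csv", "write")

    # Bulk upload (constructed sample document) opens the object to all users
    # but explicitly denies bob; deny-overrides makes the deny win.
    bulk = json.dumps([{"resource": "/data/report.csv",
                        "rules": [{"subject": "*", "actions": ["read"], "effect": "Permit"},
                                  {"subject": "bob", "actions": ["read"], "effect": "Deny"}]}])
    store.bulk_load(admin, bulk)
    results["after_bulk_deny"] = store.is_permitted(bob, "/data/report.csv", "read")
    results["other_user_read"] = store.is_permitted(
        Principal("carol", USER_ROLE), "/data/report.csv", "read")

    # A plain cloud-subscriber-user may not change policy.
    try:
        store.set_acl(bob, "/data/report.csv", [])
        results["user_can_edit_policy"] = True
    except PermissionError:
        results["user_can_edit_policy"] = False
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:22s} -> {'allow' if decision else 'deny'}")
```

Two design points matter for the use case: the policy management operations and the decision function share one store, so a change is visible to the next access with no propagation step, and the default is deny, so deleting an ACL or uploading a policy that matches nothing cannot silently widen access.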

Failure Condition/Failure Handling:

Credit:

Created November 2, 2010, Updated August 12, 2025