Security standards, authorization policies, and models
Authorization Policies
Organisations define security policies.
Some example business rules derived from policy are:
- "Contractors cannot access information marked commercial-in-confidence"
- "Only board members can know the existence of merger-related documentation"
- "Non-US citizens cannot read documents labelled NOFORN"
- "Personnel accessing information classified SECRET must have a SECRET or higher clearance"
These policies are typically defined in an IT-agnostic manner: the challenge for architects is to design a system that provides sufficient compliance with them.
SharePoint in particular is a challenge, as it lacks any real policy-based authorization enforcement.
Models
SharePoint is often described as providing Role-based Access Controls. However, this is only partly true, as SharePoint lacks granular DENY rules. So in practice, more advanced RBAC-based policy modelling is simply not possible with SharePoint without substantial bespoke development or third-party tools.
Role-based access controls - See NIST's RBAC community
Mandatory access controls -
Discretionary access controls -
Standards
XACML
The Extensible Access Control Markup Language (XACML) is intended to be a core XML schema for representing authorization and entitlement policies. It allows for an organisation to define its policies in a declarative manner.
XACML is not supported by SharePoint.
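As an added illustration (not from the original page or any vendor), the NOFORN business rule above expressed as an XACML 3.0 policy: a deny-overrides combining algorithm, an explicit Deny rule for non-US citizens on NOFORN-caveated documents, and a role-based Permit rule that the Deny overrides. The attribute identifiers (urn:example:...) and the "staff" role are constructed for the example; only the XACML namespace, category, function and algorithm URNs are standard.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:noforn-documents"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <!-- Rule 1: Deny when the document carries the NOFORN caveat (constructed attribute id)
       and "US" is not among the subject's citizenship values. -->
  <Rule RuleId="deny-noforn-to-non-us-citizens" Effect="Deny">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOFORN</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:resource:caveat"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Condition is true when "US" is NOT in the citizenship bag: not(string-is-in("US", bag)) -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:example:subject:citizenship"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 2: role-based Permit for subjects holding the constructed "staff" role.
       Under deny-overrides, Rule 1's Deny wins whenever both rules apply. -->
  <Rule RuleId="permit-staff" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:example:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

A request from a staff member whose citizenship bag lacks "US" against a resource with caveat NOFORN matches both rules and evaluates to Deny; the same request against an uncaveated resource evaluates to Permit, which is exactly the granular DENY behaviour the Models section notes SharePoint cannot express natively.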
