Security standards, authorization policies, and models

Tagged: authorization, dac, guidance, mac, noforn, oasis, rbac, security model, standards, xacml, xml

Authorization Policies

Organisations define security policies.

Some example business rules derived from policy are:

  • "Contractors cannot access information marked commercial-in-confidence"
  • "Only board members can know the existence of merger-related documentation"
  • "Non-US citizens cannot read documents labelled NOFORN"
  • "Personnel accessing information classified SECRET must have a SECRET or higher clearance"

These policies are typically written in an IT-agnostic manner: the challenge for architects is to design a system that enforces them with sufficient fidelity, and to be able to show an auditor where and how each rule is enforced.

SharePoint in particular is a challenge, as it has no real policy-based authorization enforcement. Access decisions are derived from permission assignments made on individual sites, lists and items, not from a declarative policy that can be written once and applied everywhere.

Models

SharePoint is often described as providing role-based access control. That is only partly true. Permission levels and SharePoint groups approximate roles, but grants are purely additive: a user's effective permissions on an item are the union of every permission level assigned to the user and to any group the user belongs to, and there is no granular DENY. The only deny available is the web-application-wide policy set in Central Administration, which cannot be scoped to a site, list or label. None of the business rules above can therefore be expressed as a single statement; each has to be approximated by carefully keeping the wrong people out of every group that has been granted access, which breaks the first time someone is added to a second group. So in practice, more advanced RBAC-based policy modelling is simply not possible with SharePoint without substantial bespoke development or third-party tools.

Role-based access controls - permissions are attached to roles and users acquire them through role membership; see NIST's RBAC community. SharePoint's permission levels and groups are a simplified, grant-only form of this model.
Mandatory access controls - the system decides access from labels on the object (classification, caveats such as NOFORN) and clearances held by the subject; the object's owner cannot override the decision. The SECRET and NOFORN rules above are MAC rules.
Discretionary access controls - the owner of an object decides who may access it. SharePoint's per-site, per-list and per-item permission assignments are discretionary.

Standards

XACML

The Extensible Access Control Markup Language (XACML) is an OASIS standard that defines a core XML schema for representing authorization and entitlement policies, together with the request and response formats used to ask for a decision. A policy is a set of rules, each with a target (which subjects, resources and actions it applies to), an optional condition and an effect of Permit or Deny; a combining algorithm such as deny-overrides resolves conflicts between rules. The standard also describes an architecture in which a policy enforcement point (PEP) in the application asks a policy decision point (PDP) for a decision, so policy can be authored once, in a declarative manner, and enforced consistently across systems.

XACML is not supported by SharePoint. There is no policy decision point that SharePoint's authorization checks can be delegated to, so an organisation's XACML policies can only be enforced over SharePoint content through bespoke development or third-party tools.
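To make concrete why additive grants cannot express the business rules above, and what a declarative, deny-capable policy evaluation looks like, here is an added example. It is illustrative code written for this page, not SharePoint's authorization logic and not an XACML engine: a minimal policy decision point in Python that uses XACML's deny-overrides rule combining, evaluated beside a grant-only model of the kind SharePoint uses. The attribute names (subject.clearance, resource.markings and so on), the group names and the sample requests are all constructed for the example.

```python
"""Added example: XACML-style deny-overrides evaluation beside a grant-only model.

Not SharePoint code and not an XACML implementation. Attribute names, groups
and requests are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Request = Dict[str, object]          # flattened XACML-style request context

# Clearance lattice used by the SECRET rule; higher value = higher clearance.
CLEARANCE_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target and condition folded into one predicate


def evaluate(rules: List[Rule], request: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins; otherwise Permit if
    any applicable rule permits; otherwise NotApplicable (a PEP treats that as deny)."""
    decision = "NotApplicable"
    for rule in rules:
        if not rule.applies(request):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# The four business rules from the post, as predicates over request attributes.
def contractor_commercial_in_confidence(req: Request) -> bool:
    return req["subject.employment"] == "contractor" and \
        "commercial-in-confidence" in req["resource.markings"]


def merger_doc_non_board(req: Request) -> bool:
    # "Existence" means the deny covers every action, listing and search included.
    return "merger" in req["resource.markings"] and "board" not in req["subject.groups"]


def noforn_non_us(req: Request) -> bool:
    return "NOFORN" in req["resource.markings"] and req["subject.citizenship"] != "US"


def insufficient_clearance(req: Request) -> bool:
    return CLEARANCE_ORDER[req["subject.clearance"]] < CLEARANCE_ORDER[req["resource.classification"]]


def readers_may_read(req: Request) -> bool:
    return "readers" in req["subject.groups"] and req["action"] == "read"


POLICY: List[Rule] = [
    Rule("deny-contractor-cic", "Deny", contractor_commercial_in_confidence),
    Rule("deny-merger-non-board", "Deny", merger_doc_non_board),
    Rule("deny-noforn-non-us", "Deny", noforn_non_us),
    Rule("deny-insufficient-clearance", "Deny", insufficient_clearance),
    Rule("permit-readers-read", "Permit", readers_may_read),
]

# Grant-only model: effective rights are the union of every group's grants.
# Nothing here can take a right away once any group confers it.
GROUP_GRANTS: Dict[str, Set[str]] = {"readers": {"read"}, "board": {"read", "write"}}


def additive_allows(groups, action: str) -> bool:
    effective: Set[str] = set()
    for group in groups:
        effective |= GROUP_GRANTS.get(group, set())
    return action in effective


def decide(request: Request) -> Tuple[str, bool]:
    """Return (policy decision, grant-only answer) for the same request."""
    return evaluate(POLICY, request), additive_allows(request["subject.groups"], request["action"])


def sample_requests() -> Dict[str, Request]:
    """Constructed requests for the example; not real users or documents."""
    base: Request = {"action": "read", "subject.employment": "employee", "subject.citizenship": "US",
                     "subject.clearance": "UNCLASSIFIED", "subject.groups": {"readers"},
                     "resource.classification": "UNCLASSIFIED", "resource.markings": set()}
    return {
        # Contractor who was added to "readers": grant-only says yes, policy says Deny.
        "contractor_cic": {**base, "subject.employment": "contractor",
                           "resource.markings": {"commercial-in-confidence"}},
        # Cleared US employee reading a SECRET NOFORN document: both models allow.
        "cleared_us": {**base, "subject.clearance": "SECRET",
                       "resource.classification": "SECRET", "resource.markings": {"NOFORN"}},
        # Same document, cleared but non-US reader: policy Deny, grant-only still yes.
        "cleared_non_us": {**base, "subject.citizenship": "GB", "subject.clearance": "SECRET",
                           "resource.classification": "SECRET", "resource.markings": {"NOFORN"}},
        # Reader who is not a board member reaching a merger document: Deny vs yes.
        "merger_non_board": {**base, "resource.markings": {"merger"}},
        # Nobody granted anything: NotApplicable, which the PEP must treat as deny.
        "unknown_group": {**base, "subject.groups": {"visitors"}},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:18s} policy={decide(req)[0]:14s} grant-only={decide(req)[1]}")
```

Running the module prints the two answers side by side: the models agree whenever only a permit is needed and diverge the moment a negative rule applies, because a union of grants can never subtract a right. In a real deployment the enforcement point would sit in front of SharePoint's own permission check and treat NotApplicable as a deny.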