Trusted Subsystem

Context

Your application needs to access a downstream resource, typically a database, and you need to decide where to authorize the original caller who initiates the operation and what account to use to access the downstream resource.

Problem

• Where to perform authorization and what account(s) to use access the downstream resource.

Forces

• You want to maximize scalability (and enable connection pooling).
• You want to restrict the number of accounts that access the database (minimize work for the database admin).
• You don't need to flow the caller's security context at the OS level (e.g. for auditing across ths tiers).
• Your database admin is willing to trust your application to authorize its callers.

Solution

• Authentication and authorize callers in the front-end application or service.
• Use one (or a limited numbder of) trusted service identities to access the database.
• Restrict the trusted service identity or identities in the database.