Trusted Subsystem

From Guidance Share

Context

Your application needs to access a downstream resource, typically a database, and you need to decide where to authorize the original caller who initiates the operation and what account to use to access the downstream resource.


Problem

  • Where to perform authorization, and what account (or accounts) to use to access the downstream resource.


Forces

  • You want to maximize scalability (and enable connection pooling).
  • You want to restrict the number of accounts that access the database (minimize work for the database admin).
  • You don't need to flow the caller's security context at the OS level (e.g. for auditing across the tiers).
  • Your database admin is willing to trust your application to authorize its callers.


Solution

  • Authenticate and authorize callers in the front-end application or service.
  • Use one (or a limited number of) trusted service identities to access the database.
  • Restrict the trusted service identity or identities in the database to the least privilege the application needs (for example, execute on specific stored procedures only), so that a compromised front end does not yield full access to the database.
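The following is an added worked example of the pattern and is not code from the Guidance Share page. It assumes sqlite3 stands in for the downstream database (sqlite has no logins, so the "service identity" is simply the pool of connections the application owns), and the tokens, user names and roles are constructed sample data. The front end authenticates and authorizes each caller itself, every database call goes through the one pooled service identity, and the caller's name reaches the database only as data, for auditing.

```python
import os
import queue
import sqlite3
import tempfile
from dataclasses import dataclass


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


# Constructed sample identity data (hypothetical). In a real front end these
# come from your authentication provider and role store.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ROLES = {"alice": frozenset({"order_reader", "order_writer"}),
         "bob": frozenset({"order_reader"})}

# Authorization policy lives in the front end: operation -> role required.
REQUIRED_ROLE = {"list_orders": "order_reader", "create_order": "order_writer"}


class ServiceIdentityPool:
    """Pooled connections opened as the ONE trusted service identity.
    Every caller's work reuses these, so the database sees a single account.
    On a real server the DBA would create one account for the application
    and grant it only the procedures or tables it needs (sqlite has no grants)."""

    def __init__(self, path, size=2):
        self._pool = queue.Queue()
        for _ in range(size):
            self._pool.put(sqlite3.connect(path, check_same_thread=False))

    def acquire(self):
        return self._pool.get()

    def release(self, conn):
        self._pool.put(conn)

    def close(self):
        while not self._pool.empty():
            self._pool.get().close()


class OrderService:
    """The trusted subsystem: authenticates and authorizes callers itself,
    then touches the database only as the service identity."""

    def __init__(self, db_path):
        self.pool = ServiceIdentityPool(db_path)
        conn = self.pool.acquire()
        try:
            conn.execute("CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY,"
                         " item TEXT NOT NULL, created_by TEXT NOT NULL)")
            conn.commit()
        finally:
            self.pool.release(conn)

    def authenticate(self, token):
        name = TOKENS.get(token)
        if name is None:
            raise AuthenticationError("unknown token")
        return Principal(name, ROLES[name])

    def authorize(self, principal, operation):
        if REQUIRED_ROLE[operation] not in principal.roles:
            raise AuthorizationError(f"{principal.name} may not {operation}")

    def create_order(self, token, item):
        caller = self.authenticate(token)
        self.authorize(caller, "create_order")   # decided here, before any DB work
        conn = self.pool.acquire()
        try:
            # The caller's name is passed as DATA for auditing; the connection
            # itself belongs to the service identity, not to the caller.
            cur = conn.execute("INSERT INTO orders (item, created_by) VALUES (?, ?)",
                               (item, caller.name))
            conn.commit()
            return cur.lastrowid
        finally:
            self.pool.release(conn)

    def list_orders(self, token):
        caller = self.authenticate(token)
        self.authorize(caller, "list_orders")
        conn = self.pool.acquire()
        try:
            rows = conn.execute("SELECT id, item, created_by FROM orders ORDER BY id").fetchall()
            return [{"id": r[0], "item": r[1], "created_by": r[2]} for r in rows]
        finally:
            self.pool.release(conn)


def demo():
    """Run the scenario against a temporary database; returns a summary dict."""
    svc = OrderService(os.path.join(tempfile.mkdtemp(), "orders.db"))
    result = {"alice_order": svc.create_order("tok-alice", "widget")}
    try:
        svc.create_order("tok-bob", "gadget")   # bob lacks order_writer
        result["bob_denied"] = False
    except AuthorizationError:
        result["bob_denied"] = True
    try:
        svc.list_orders("tok-mallory")          # not authenticated at all
        result["unknown_rejected"] = False
    except AuthenticationError:
        result["unknown_rejected"] = True
    result["bob_sees"] = svc.list_orders("tok-bob")
    svc.pool.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Because the database cannot tell callers apart under this pattern, the application must record the original caller itself (the created_by column above); that is the price of the pooling and account-consolidation benefits listed under Forces, and it is why the database administrator has to trust the front end to authorize correctly.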