Trusted Subsystem
From Guidance Share
Context
Your application needs to access a downstream resource, typically a database, and you need to decide where to authorize the original caller who initiates the operation and what account to use to access the downstream resource.
Problem
- Where to perform authorization, and what account(s) to use to access the downstream resource.
Forces
- You want to maximize scalability (and enable connection pooling).
- You want to restrict the number of accounts that access the database (minimize work for the database admin).
- You don't need to flow the caller's security context at the OS level (e.g. for auditing across the tiers).
- Your database admin is willing to trust your application to authorize its callers.
Solution
- Authenticate and authorize callers in the front-end application or service.
- Use one (or a limited number of) trusted service identities to access the database.
- Restrict the trusted service identity or identities in the database.
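As an added illustration (not code from the Guidance Share page), a Python sketch of the pattern: the front-end service authorizes each caller against its own role map, then reaches the database through a single, restricted service identity shared by every caller. The caller names, roles and grant set are constructed sample values, and the grant check is modelled in Python because sqlite has no accounts of its own.

```python
import sqlite3

# Constructed sample data: caller -> permissions held, plus the one trusted
# service identity and the grants the DBA assigned to it (no DELETE, no DROP).
CALLER_ROLES = {"alice": {"orders.read"}, "bob": {"orders.read", "orders.write"}}
SERVICE_IDENTITY = "svc_orders"
SERVICE_GRANTS = {SERVICE_IDENTITY: {"SELECT", "INSERT"}}


class TrustedSubsystemDB:
    """Stands in for a database server that knows only the service identity,
    never the end users. One connection is shared by all callers, which is
    what makes connection pooling possible under this pattern."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")

    def execute(self, identity, statement, params=()):
        # Enforce the grants on the trusted identity: even a compromised
        # front end can only do what the service account was allowed to do.
        verb = statement.split()[0].upper()
        if verb not in SERVICE_GRANTS.get(identity, set()):
            raise PermissionError(f"{identity} lacks {verb} privilege")
        rows = self.conn.execute(statement, params).fetchall()
        self.conn.commit()
        return rows


class OrdersService:
    """Front-end service: authorizes the original caller, then uses the
    service identity (not the caller's identity) for the database call."""

    def __init__(self, db):
        self.db = db

    def _authorize(self, caller, permission):
        # Authorization happens here, before any database access.
        if permission not in CALLER_ROLES.get(caller, set()):
            raise PermissionError(f"{caller} is not allowed: {permission}")

    def place_order(self, caller, item):
        self._authorize(caller, "orders.write")
        self.db.execute(SERVICE_IDENTITY, "INSERT INTO orders (owner, item) VALUES (?, ?)", (caller, item))
        return True

    def list_orders(self, caller):
        self._authorize(caller, "orders.read")
        # The front end scopes the query to the caller, since the database cannot.
        return self.db.execute(SERVICE_IDENTITY, "SELECT owner, item FROM orders WHERE owner = ?", (caller,))
```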