Spec: comment aam spec file #61

Closed
cdupont opened this issue Nov 27, 2016 · 2 comments
cdupont commented Nov 27, 2016

Initial Authentication and Authorization Manager (AAM) spec file is here:
https://github.com/Waziup/Platform/blob/master/identity/access_control_spec.md

cdupont commented Nov 27, 2016

Some comments:

Basic roles:

  • Developer – develops and publishes an app, provides support
  • User – subscribes to an app
  • Data provider – provides data (in the form of data channels) to the platform

Roles can be also mixed – e.g. if a user owns the sensors and acts also as a data p

I think those roles are concretely just sets of policies in the aam. They are not directly visible to the users.
When a new user registers with the platform, they gain all three roles: dev access, user of apps, data provider.

Data subscription models:

  • Data are subscribed to by developers, who provide data in their apps to users.
    (A business model could be based on a flat rate or on the amount of users or requests served with the data.)
  • Data are subscribed to by users (or by developers on behalf of users). Users provide data to apps in order to benefit from some analytics/visualization offered by the apps.
    (A business model could be based on a flat rate or on the amount of apps or requests consuming the data.)

Subscriptions on data sources can be made on Orion: https://fiware-orion.readthedocs.io/en/master/user/walkthrough_apiv2/index.html#subscriptions

But Orion doesn't seem to support a specific authorization mechanism: http://fiware-orion.readthedocs.io/en/0.25.0/user/security/index.html
Although there are mechanisms called "Fiware-service" and "Fiware-ServicePath", meant to provide tenant isolation and entity hierarchical scoping, respectively:
http://fiware-orion.readthedocs.io/en/master/user/service_path/
#49

I don't think that the aam should keep track of every single entity created in Orion... However we could decide to create a "Fiware-Service" for each user registered. The aam could then grant access to this specific Fiware-Service.

Authentication/authorization manager (AAM) keeps track of the following:

  • developers, users and data providers - Each entity has one single identity, but may assume multiple roles.

What do you call identity here?

  • applications published in the platform

Deis has its own registration mechanism:
https://deis.com/docs/workflow/users/registration/
When a user registers with the platform, I suppose we can register him with deis immediately (same login/password). This gives us a token that can be used in subsequent API uses. What do you think?

  • what applications users are subscribed to and when their subscription ends

Waziup should probably provide authentication as a service to apps. It could be a front-end authentication page (login/password) for applications pushed... This page would be presented before the user can access an application.

  • data channels a data provider provides and of the associated business model
  • data channels a developer/user is subscribed to, under which business model and when the subscription ends
  • data channels that an application is authorized to use on behalf of a developer or a user

As said I don't think the aam should be aware of all the entities/subscriptions...

When a developer publishes an application, he/she authorizes it to use some of the data channels he/she is subscribed to.
When a user subscribes to an application, he/she authorizes it to use certain data on his/her behalf.
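A toy model of the scheme sketched in this comment, added here as an illustration and not code from the Waziup project: every registered identity gets all three roles and its own Fiware-Service tenant, and an app may act on behalf of a user only within the Fiware-ServicePath prefixes that user delegated to it. The class and method names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AAM:
    """Constructed policy store: roles are just policy sets, not user-visible."""
    # identity -> roles granted on registration
    roles: dict = field(default_factory=dict)
    # identity -> set of Fiware-Service tenants it may access (its own)
    tenants: dict = field(default_factory=dict)
    # (app, user) -> Fiware-ServicePath prefixes the user delegated to the app
    delegations: dict = field(default_factory=dict)

    def register(self, identity: str) -> None:
        # Registration grants all three roles and a per-user tenant.
        self.roles[identity] = {"developer", "user", "data_provider"}
        self.tenants[identity] = {identity}

    def delegate(self, user: str, app: str, service_path: str) -> None:
        # A user authorizes an app to use a data channel (service path)
        # on his/her behalf; only registered users may delegate.
        if "user" not in self.roles.get(user, ()):
            raise PermissionError(f"{user} is not a registered user")
        self.delegations.setdefault((app, user), set()).add(service_path)

    def authorize(self, identity: str, headers: dict, app: str = None) -> bool:
        """Decide whether an Orion request with these headers is allowed."""
        service = headers.get("Fiware-Service")
        path = headers.get("Fiware-ServicePath", "/")
        # Tenant isolation: the identity must own the Fiware-Service it names.
        if service is None or service not in self.tenants.get(identity, ()):
            return False
        if app is None:
            return True  # the tenant owner acts directly
        # Delegated access: the path must fall under a delegated prefix
        # (Fiware-ServicePath is hierarchical, so "/home" covers "/home/x").
        allowed = self.delegations.get((app, identity), set())
        return any(path == p or path.startswith(p.rstrip("/") + "/")
                   for p in allowed)
```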

@cdupont cdupont added the spec label Nov 28, 2016
cdupont commented Mar 2, 2018

too old, closing

@cdupont cdupont closed this as completed Mar 2, 2018