# Attack Plan for Data Authorization

# Introduction

# Things to include

- Update reference use case to include data authorization of nevernote
- Patterns of Authorization
  - Access for other agents / people
  - Access for applications people use
  - Access for services (autonomous)
- How an authorization need is expressed (access need vocab / model)
  - typically expressed by an application in a profile
  - can it be sent by another person?
- Application Profile / Access Needs
- Projected User Experience for data authorization
  - Must include selection of categoric types
  - Must include selection of specific instances
  - Must include combination of the two (e.g. categoric with specific instance selection)
  - Must include support for shape trees
  - Must include skos descriptions
  - Must provide simple and complex use cases for each
  - Must explain security considerations and how they are addressed
- Access Grants
  - Establish a registry for these
  - What is included in these?
  - Should be referenceable via app registrations, and/or by agents that have been granted access
  - Shouldn't leak information between grantees
  - How does that end up affecting access grants for large groups?
  - How do we communicate to others that they have been given access, or had their access adjusted?

Secondary priority (follow the same pattern as done for data registration and app registration):

- Trusted Applications (this section will need to be made)
  - How are trusted applications registered for various capabilities? (expand on the current hard-coded predicates)
  - How do embedded, synchronous, and asynchronous patterns work for authorization use cases (and app registration, etc.)?
- Agent Registry
  - Registry of other known agents that we've interacted with
  - What goes into / gets stored in the registry?
- Remote references
  - Whether or not access grants are important to the grantee, vs. storing some context in the remote reference (more likely)