Develop Access Control Rules

From GFIPM Implementation Wiki

This article uses the business rules from the previous section to guide you through the process of codifying the rules in terms of the GFIPM user metadata.

Note that this section uses the NIEF federation as an example for developing access control rules. Specifically, this section relies on the required and recommended attributes in a SAML assertion. If you are building an SP for a different federation, your set of metadata attributes may be different. However, it is likely that there will be many similarities to the NIEF requirements.

The access control rules are written in terms of attributes in the GFIPM user metadata. At a minimum, a user identity must contain the following fields:

  • User's Last Name
  • User's First Name
  • User's Phone Number
  • User's E-mail Address
  • User's Federation ID
  • User's Home Organization Name
  • User's Identity Provider Name

The above fields are typically used for auditing purposes by a Service Provider to meet the "Federation Login" requirement. Because these attributes do not assert any permissions or privileges, a user identity that contains only the above attributes typically will not be granted access to any law enforcement resources.
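As an added illustration of the distinction above (this is example code written for this article, not part of the GFIPM or NIEF reference material), the block below extracts attributes from a SAML 2.0 assertion, checks that the seven audit fields are all present before permitting a "Federation Login", and then shows that an identity carrying only those fields is denied every resource because each resource rule demands a separate privilege attribute. The attribute URIs (`urn:example:gfipm:...`), the sample user, and the single resource rule are constructed placeholders; substitute your federation's actual attribute identifiers. The SAML assertion namespace is the real one.

```python
"""Federation-login check and resource authorization driven by SAML attributes."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_TAG = "{%s}%%s" % SAML_NS["saml"]

# Placeholder attribute identifiers (constructed for this example; replace with the
# federation's real GFIPM attribute names), one per field the audit minimum requires.
MINIMAL_AUDIT_ATTRIBUTES = {
    "last_name": "urn:example:gfipm:user:LastName",
    "first_name": "urn:example:gfipm:user:FirstName",
    "phone_number": "urn:example:gfipm:user:PhoneNumber",
    "email_address": "urn:example:gfipm:user:EmailAddress",
    "federation_id": "urn:example:gfipm:user:FederationId",
    "home_organization": "urn:example:gfipm:user:HomeOrganizationName",
    "identity_provider": "urn:example:gfipm:user:IdentityProviderName",
}

# Constructed resource rule: resource name -> privilege attributes (name -> required value).
SAMPLE_RESOURCE_RULES = {
    "LawEnforcementQuery": {"urn:example:gfipm:privilege:LawEnforcementDataAccess": "true"},
}

# Constructed sample user carrying only the audit fields and no privilege attributes.
SAMPLE_USER = {
    MINIMAL_AUDIT_ATTRIBUTES["last_name"]: "Doe",
    MINIMAL_AUDIT_ATTRIBUTES["first_name"]: "Jane",
    MINIMAL_AUDIT_ATTRIBUTES["phone_number"]: "555-0100",
    MINIMAL_AUDIT_ATTRIBUTES["email_address"]: "jane.doe@example.org",
    MINIMAL_AUDIT_ATTRIBUTES["federation_id"]: "example-idp:jdoe",
    MINIMAL_AUDIT_ATTRIBUTES["home_organization"]: "Example Police Department",
    MINIMAL_AUDIT_ATTRIBUTES["identity_provider"]: "Example IDP",
}


def build_assertion(attribute_values):
    """Build an unsigned SAML 2.0 assertion (constructed sample) with one AttributeStatement."""
    ET.register_namespace("saml", SAML_NS["saml"])
    root = ET.Element(SAML_TAG % "Assertion")
    statement = ET.SubElement(root, SAML_TAG % "AttributeStatement")
    for name, value in attribute_values.items():
        attribute = ET.SubElement(statement, SAML_TAG % "Attribute", Name=name)
        ET.SubElement(attribute, SAML_TAG % "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every Attribute in the AttributeStatement.

    Assumes the SAML layer has already validated the signature, issuer and
    Conditions of the assertion; this function only reads what it carries.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", SAML_NS)]
        attributes[attribute.get("Name")] = values
    return attributes


def check_federation_login(attributes):
    """Return (audit_record, missing_fields): login is allowed only when nothing is missing."""
    missing = [
        field for field, name in MINIMAL_AUDIT_ATTRIBUTES.items()
        if not attributes.get(name) or not attributes[name][0].strip()
    ]
    audit = {
        field: attributes[name][0]
        for field, name in MINIMAL_AUDIT_ATTRIBUTES.items() if field not in missing
    }
    return audit, missing


def authorize(attributes, resource_rules):
    """Decide federation login, then evaluate each resource rule against the attributes."""
    audit, missing = check_federation_login(attributes)
    if missing:
        # Incomplete audit identity: refuse the login outright, no resource decisions.
        return {"federation_login": False, "missing": missing, "resources": {}}
    resources = {}
    for resource, required in resource_rules.items():
        # Every privilege attribute must be asserted with the expected value; the
        # audit fields alone never satisfy a resource rule.
        resources[resource] = all(value in attributes.get(name, []) for name, value in required.items())
    return {"federation_login": True, "audit": audit, "resources": resources}


if __name__ == "__main__":
    decision = authorize(extract_attributes(build_assertion(SAMPLE_USER)), SAMPLE_RESOURCE_RULES)
    print(decision)
```

The `audit` record returned on a successful login is what the Service Provider would write to its audit log; the `resources` map is empty of grants for the sample user, which is the expected outcome for an identity that asserts no privileges.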
