Thursday 3 May 2012

Is there a spreadsheet/template for Mapping WebServices Authorization Rules?

What is the best way to map/document Authorization Rules (for example, those of WebServices)?

I'm looking for a spreadsheet/template that allows the business-rules (i.e. 'who has access to what') to be mapped, visualized and analyzed.

I looked at owasp.org and this is what I found (did I miss something?)

In the past I have created a couple of these (some even with O2 Automation), but NDAs prevented me from sharing. So today, since I'm helping Arvind to create a set of Python scripts to test TeamMentor's WebServices, I took the time to create a model which I think came out quite well.

You can read about it here: Creating a spreadsheet with WebService's Authorization Mappings and this is what it looks like:


Since I'm going to integrate this with O2 next, it is better to change it into a better format/standard now (vs later).

I also think that we should have a couple of these templates in an easy-to-consume format on the OWASP Wiki (I have lost count of the number of times I have tried to explain the need for 'such authorization tables/mappings' without having good examples at hand).

Note that creating these mappings is just one part of the puzzle! Just as important is the ability to keep them well maintained, up-to-date and relevant.