wiki:Internal/Rbac/OrbitRbacDesign

Version 43 (modified by hedinger, 18 years ago) ( diff )

Table of Contents

    1. Role-Based Access Control
    1. RBAC Reference Model
    1. ORBIT RBAC Design
      1. Background
      2. RBAC Research for Implementation
      3. Design Issues
        1. ORBIT Design Goals and Threats
        1. Auditing Tools
        1. Consistency Checking
        1. NIST RBAC Software
        1. Solaris RBAC Software
        1. OASIS RBAC
        1. Designing Using Wiki
        1. Open Issues
    1. LDAP client / server implementation on ORBIT and WINLAB
    2. LDAP Resources
    3. LDAP References
    1. RBAC Resources
    2. RBAC References

ORBIT RBAC Design

Background

Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06 contains an anlaysis of each of the roles in which an ORBIT user might act when working on an ORBIT project. The analysis is based on use cases http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01 http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97 and contains a permissions matrix with access granted or not granted for each role and resource combination.

RBAC Research for Implementation

There is one book http://www.amazon.com/gp/product/1580533701/ FKC03 and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implemenation of role-based access control for ORBIT. Many of these sources are theoretical in nature, although some of the theoretical work includes implementation of tools to specify and check user-role assignments and constraints. The following sources discuss RBAC implementation issues.

Ahn and Hong discuss a Linux implementation that uses UNIX groups to implement Static Separation of Duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/WOSIS2004.pdf AH04.

Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sdarticle.pdf AMH06.

Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implemention of a user-pull architectured, web-based workflow system in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00.

Poole, et. al., discuss a POSIX and a PC demo of RBAC in health care applications http://hissa.ncsl.nist.gov/rbac/poole/ir5820/nistir5820.htm PBBE95.

Bartz leveraged LDAP to store RBAC data objects for an internet environment http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p69-bartz.pdf Bar97.

Berry, Bartram and Booth prototyped a collaboration system with shared application views controlled by role-based policies http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p23-berry.pdf BBB05.

Botha and Eloff address dynamic separation of duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/botha.pdf BE01.

Bhatti, Ghafoor, Bertino and Joshi implemented a policy administration process for the XML-based X-GTRBAC architecture http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p187-bhatti.pdf BGBJ05. Bhatti, Joshi, Bertino, and Ghafoor discuss a Java-based application with dynamic XML-based Web services http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ICWS_2003.pdf BJBG03. Bhatti, Joshi, Bertino, and Ghafoor address decentralized administration of enterprise-wide access a control http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p78-bhatti.pdf BJBG04, and Bhatti, Shafiq, Bertino, Ghafoor, and Joshi update the progress on these implementations in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p388-bhatti.pdf BSBE05.

Brooks discusses the Tivoli implementin of RBAC in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p71-brooks.pdf Bro99.

Brucker, Rittinger, and Wolff implemented RBAC in a CVS-Server case study http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/brucker02cvsserver.pdf BRW02, and Brucker and Wolff further describe it in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fmics_03.pdf BW03.

Brostoff, Sasse, Chadwick, Cunningham, Mbanaso, and Otenko descibe the implementation of a lightweight role-based access control policy authoring tool "R-What?" in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/rwhat.pdf BSCE05.

Chandramouli describes the specification and validation of an XML-based enterprise access control model in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/access_validate.pdf Cha03.

Design Issues

In http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01 Park, Ahn and Sandhu write "Park and Sandhu identified two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b . They classified these architectures based on "Who pulls the user's attributes?" In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes. In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes." It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.

This design assumes that user authentication will be handled separately and will be reliable. It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others. These two assumptions allow a person to be related to a user id.

It is assumed that access control is only related to scheduling in so far as respecting time limits for access to the grid or sandboxes.

It is assumed that access control will not need to interact with cost accounting. It is assumed that any denial of access to overdrawn users will be enforced by user authentication.

If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.

Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?

Note: See TracWiki for help on using the wiki.