Changes between Version 67 and Version 68 of Internal/Rbacinternal


Timestamp:
Aug 23, 2006, 8:52:57 PM (18 years ago)
Author:
hedinger
Comment:

  • Internal/Rbacinternal

    v67 v68  
    11= LDAP and RBAC =
    2 In normal, scheduled operation, ORBIT security involves making sure that each person using an ORBIT resource is allowed to do so at that time.  The Lightweight Directory Access Protocol (LDAP) is used by ORBIT to ''authenticate'' each user's password when he or she logs into an ORBIT controller or server.  LDAP authentication and the proper use of ORBIT user id's and passwords allows each user id to be related to a single human user.  A single person may have one or more ORBIT user id's.  Each ORBIT user id may be logged into one or more sessions, and during each session there may be multiple computer processes initiated by the user.  A ''process'' is an instance of a user running an application program like a spreadsheet, editor or browser.
     2In normal, scheduled operation, ORBIT security involves making sure that each person using an ORBIT resource is allowed to do so at that time.  kwd by ORBIT to ''authenticate'' each user's password when he or she logs into an ORBIT controller or server.  LDAP authentication and the proper use of ORBIT user id's and passwords allows each user id to be related to a single human user.  A single person may have one or more ORBIT user id's.  Each ORBIT user id may be logged into one or more sessions, and during each session there may be multiple computer processes initiated by the user.  A ''process'' is an instance of a user running an application program like a spreadsheet, editor or browser.
    33
    44Role-Based Access Control (RBAC) will be used by ORBIT to ''control'' each user's ''access'' to ORBIT resources based on his or her ''role''.  To explain this use of roles, first some terminology.  When a user runs an application program that process acts on behalf of the user and is referred to as a ''subject''.  An ''object'' is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database.  An ''operation'' is an active part of a process invoked by the subject process much like a function call or a method invocation.  In general, a ''permission'' or privilege is the authorization to perform some action on the system.  In RBAC, a permission is the authorization to perform a given operation on a given object.  The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are fewer than a hundred different roles they act in at any given time to access resources.  Users are assigned to one or more roles.  Each role has a defined set of permissions, each permission either allowing or disallowing an operation invoked by a subject process run by a user acting in that role to access a given object.
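Review bot: the modified line 2 replaces the sentence fragment "The Lightweight Directory Access Protocol (LDAP) is used" with the stray token "kwd", so the v68 text now reads "kwd by ORBIT to ''authenticate'' each user's password", which is ungrammatical and drops the only expansion of the LDAP acronym on the page. This looks like an accidental keystroke rather than an intended edit; the v67 wording should be restored.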
     
    1515
    1616
    17 = References =
    18 
    19 == LDAP Version 2 documents in Adobe Acrobat (.pdf) format ==
    20 
    21   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1777.txt.pdf RFC1777  Lightweight Directory Access Protocol]]
    22 
    23   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1778.txt.pdf RFC1778  The String Representation of Standard Attribute Syntaxes]]
    24 
    25   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1779.txt.pdf RFC1779  A String Representation of Distinguished Names]]
    26 
    27   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1959.txt.pdf RFC1959  An LDAP URL format]]
    28 
    29   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1960.txt.pdf RFC1960  A String Representation of LDAP Search Filters]]
    30 
    31   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1823.txt.pdf RFC1823  The LDAP Application Program Interface (C language API)]]
    32 
    33   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2596.txt.pdf RFC2596  Use of Language Codes in LDAP]]
    34        
    35 
    36 == LDAP Version 3 Documents ==
    37 
    38   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4510.txt.pdf RFC4510  LDAP: Technical Specification Road Map]]
    39 
    40   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4511.txt.pdf RFC4511  LDAP: The Protocol]]
    41 
    42   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4512.txt.pdf RFC4512  LDAP: Directory Information Models]]
    43 
    44   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4513.txt.pdf RFC4513  LDAP: Authentication Methods and Security Mechanisms]]
    45 
    46   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4514.txt.pdf RFC4514  LDAP: String Representation of Distinguished Names]]
    47 
    48   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4515.txt.pdf RFC4515  LDAP: String Representation of Search Filters]]
    49 
    50   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4516.txt.pdf RFC4516  LDAP: Uniform Resource Locator]]
    51 
    52   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4517.txt.pdf RFC4517  LDAP: Syntaxes and Matching Rules]]
    53 
    54   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4518.txt.pdf RFC4518  LDAP: Internationalized String Preparation]]
    55 
    56   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4519.txt.pdf RFC4519  LDAP: Schema for User Applications]]
    57 
    58 == LDAP Data Interchange Format (LDIF) ==
    59 
    60   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2849.txt.pdf RFC2849  The LDAP Data Interchange Format (LDIF)]]
    61 
    62   [[ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4525.txt.pdf RFC4525  Lightweight Directory Access Protocol (LDAP) Modify-Increment Extension]]
    63 
    64 
    65 == Role-Based Access Control (RBAC) Documents ==
    66 
    6717
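Review bot: this hunk deletes the whole "= References =" section (v67 lines 17-66: the LDAP Version 2, LDAP Version 3, LDIF and RBAC document headings with their RFC links) while the change Comment field above is left empty. The LDAP Version 3 entries, in particular RFC4513 "LDAP: Authentication Methods and Security Mechanisms", are the references a reader needs to check the authentication behaviour described in the opening paragraph, and the empty "== Role-Based Access Control (RBAC) Documents ==" heading is the only place the page promised RBAC sources. If the removal is intentional, say so in the change comment; otherwise restore the section.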