Changes between Version 126 and Version 127 of Internal/Rbac/OrbitRbacDesign


Timestamp: Sep 18, 2006, 8:36:54 PM (18 years ago)
Author: hedinger

  • Internal/Rbac/OrbitRbacDesign

    v126 v127  
    33=== Previous Work ===
    44Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06]] contains an analysis of each of the roles in which an ORBIT user might act when working on an ORBIT project.  The analysis is based on use cases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97]] and contains a permissions matrix with access granted or not granted for each role and resource combination.
     5=== Design Issues ===
     6In  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]] Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] .  They classify these architectures based on "Who pulls the user's attributes?"  In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes.  In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes."  LDAP may be used in either approach [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]].
     7
     8It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.  If it decided otherwise to use a user-pull architecture, secure cookies [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00secure.pdf PS00b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park99rbac.pdf PSG99]] and smart X.509 certificates [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1-park.pdf PS99a]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00binding.pdf PS00a]] are the two methods used.  Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of a user-pull architected, web-based workflow system in  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]].
     9
     10Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p37-park.pdf PSA01]].  Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML to facilitate collaboration within or beyond a single enterprise boundary, improving upon the previous LDAP-oriented solution [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01045125.pdf SAP02]].  Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-damiani.pdf DDPS00]].
     11
     12
     13This design assumes that user authentication will be handled separately and will be reliable.  It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others.  These two assumptions allow a person to be related to a user id.
     14
     15It is assumed that access control is only related to scheduling in so far as respecting time limits for access to the grid or sandboxes.
     16
     17It is assumed that access control will not need to interact with cost accounting.  It is assumed that any denial of access to overdrawn users will be enforced by user authentication.
     18
     19If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.
     20
     21Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?
     22
     23 * [wiki:Internal/Rbac/OrbitRbacDesign/ThreatAnalysis Threat Analysis for ORBIT]
     24 * [wiki:Internal/Rbac/OrbitRbacDesign/AuditingTools RBAC Logging and Auditing Tools for ORBIT]
     25 * [wiki:Internal/Rbac/OrbitRbacDesign/ConsistencyChecking Consistency Checking Tools for ORBIT]
     26 * [wiki:Internal/Rbac/OrbitRbacDesign/NistRbacSoftware RBAC Software from NIST]
     27 * [wiki:Internal/Rbac/OrbitRbacDesign/SolarisRbac Solaris Implementation of RBAC]
     28 * [wiki:Internal/Rbac/OrbitRbacDesign/OasisRbac OASIS Implementation of RBAC]
     29 * [wiki:Internal/Rbac/OrbitRbacDesign/DesignByWiki Issues on Design Using Wiki]
     30 * [wiki:Internal/Rbac/OrbitRbacDesign/OpenIssues Open Issues in the RBAC Design for ORBIT]
     31
    532=== RBAC Research for Implementation ===
    633There is one book [[http://www.amazon.com/gp/product/1580533701/ FKC03]] and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implementation of role-based access control for ORBIT.  Many of these sources are theoretical in nature, although some of the theoretical work includes implementation of tools to specify and check user-role assignments and constraints.  Some of the papers address administrative issues.  The following sources discuss RBAC implementation issues.
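Review bot: the assumption on new line 17, "any denial of access to overdrawn users will be enforced by user authentication", puts an authorization decision in the authentication layer, which new line 13 says is handled separately, while new line 19 then considers enforcing project-level cost denial inside access control. Suggest stating in one place which component decides cost-based denial, or moving the question to the Open Issues page linked on new line 30 together with the unanswered hierarchical RBAC question on new line 21. Smaller points: new line 8 reads "If it decided otherwise" and needs "If it is decided otherwise", the server-pull rationale on the same line ("temporal constraints") is not explained, and the heading on new line 5 follows the paragraph on line 4 with no blank line, unlike the heading on line 32.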
     
    86113Masood, Ghafoor, and Mathur present "scalable and effective test generation for access control systems that employ RBAC policies in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2006-24.pdf MGM06]], and Masood, Bhatti, Gahfoor, and Mathur previously dexribed "model-based testing of access control systems that employ RBAC policies in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2005-62.pdf MBGM05]].
    87114
    88 === Design Issues ===
    89 In  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]] Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] .  They classify these architectures based on "Who pulls the user's attributes?"  In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes.  In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes."  LDAP may be used in either approach [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]].
    90 
    91 It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.  If it decided otherwise to use a user-pull architecture, secure cookies [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00secure.pdf PS00b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park99rbac.pdf PSG99]] and smart X.509 certificates [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1-park.pdf PS99a]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00binding.pdf PS00a]] are the two methods used.  Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of a user-pull architected, web-based workflow system in  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]].
    92 
    93 Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p37-park.pdf PSA01]].  Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML to facilitate collaboration within or beyond a single enterprise boundary, improving upon the previous LDAP-oriented solution [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01045125.pdf SAP02]].  Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-damiani.pdf DDPS00]].
    94 
    95 
    96 This design assumes that user authentication will be handled separately and will be reliable.  It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others.  These two assumptions allow a person to be related to a user id.
    97 
    98 It is assumed that access control is only related to scheduling in so far as respecting time limits for access to the grid or sandboxes.
    99 
    100 It is assumed that access control will not need to interact with cost accounting.  It is assumed that any denial of access to overdrawn users will be enforced by user authentication.
    101 
    102 If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.
    103 
    104 Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?
    105 
    106  * [wiki:Internal/Rbac/OrbitRbacDesign/ThreatAnalysis Threat Analysis for ORBIT]
    107  * [wiki:Internal/Rbac/OrbitRbacDesign/AuditingTools RBAC Logging and Auditing Tools for ORBIT]
    108  * [wiki:Internal/Rbac/OrbitRbacDesign/ConsistencyChecking Consistency Checking Tools for ORBIT]
    109  * [wiki:Internal/Rbac/OrbitRbacDesign/NistRbacSoftware RBAC Software from NIST]
    110  * [wiki:Internal/Rbac/OrbitRbacDesign/SolarisRbac Solaris Implementation of RBAC]
    111  * [wiki:Internal/Rbac/OrbitRbacDesign/OasisRbac OASIS Implementation of RBAC]
    112  * [wiki:Internal/Rbac/OrbitRbacDesign/DesignByWiki Issues on Design Using Wiki]
    113  * [wiki:Internal/Rbac/OrbitRbacDesign/OpenIssues Open Issues in the RBAC Design for ORBIT]
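Review bot: the context line 86/113, which becomes the last paragraph of the page once old lines 88-113 are removed, opens two quotations ("scalable and effective test generation ... and "model-based testing ...) and closes neither, misspells "described" as "dexribed", and spells the same author both "Ghafoor" and "Gahfoor". Since this revision already reworks that part of the page, fix the sentence in the same edit. The removed block matches the text added at new lines 5-30, so the move itself loses nothing.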