Changes between Version 75 and Version 76 of Internal/Rbac/OrbitRbacDesign
- Timestamp:
- Sep 11, 2006, 7:36:31 PM (18 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Internal/Rbac/OrbitRbacDesign
v75 v76 13 13 14 14 Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sdarticle.pdf AMH06]]. 15 16 Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implemention of a user-pull architectured, web-based workflow system in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]].17 15 18 16 Poole, et. al., discuss a POSIX and a PC demo of RBAC in health care applications [[http://hissa.ncsl.nist.gov/rbac/poole/ir5820/nistir5820.htm PBBE95]]. … … 65 63 66 64 === Design Issues === 67 In [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]] Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] . They classify these architectures based on "Who pulls the user's attributes?" In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes. In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes." 65 In [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]] Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] . They classify these architectures based on "Who pulls the user's attributes?" In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes. In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes." LDAP may be used in either approach [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]]. 68 66 69 It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues. If it decided otherwise to use a user-pull architecture, secure cookies and . Park discusses secure cookies and secure attribute services on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]].67 It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues. If it decided otherwise to use a user-pull architecture, secure cookies and secure X.509 certificates are the two methods used. Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implemention of a user-pull architectured, web-based workflow system in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]]. Park discusses secure cookies and secure attribute services on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]]. 70 68 71 69 This design assumes that user authentication will be handled separately and will be reliable. It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others. These two assumptions allow a person to be related to a user id.