[[TOC(Internal/Rbac, Internal/Rbac/OrbitRbacLevels, Internal/Rbac/OrbitRbacDesign, Internal/Rbac/OrbitRbacDesign/ThreatAnalysis, Internal/Rbac/OrbitRbacDesign/AuditingTools, Internal/Rbac/OrbitRbacDesign/ConsistencyChecking, Internal/Rbac/OrbitRbacDesign/NistRbacSoftware, Internal/Rbac/OrbitRbacDesign/SolarisRbac, Internal/Rbac/OrbitRbacDesign/OasisRbac, Internal/Rbac/OrbitRbacDesign/DesignByWiki, Internal/Rbac/OrbitRbacDesign/OpenIssues, Internal/Rbac/LdapResources, Internal/Rbac/RbacResources)]]

== ORBIT RBAC Design ==

=== Background ===

Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06]] contains an analysis of each of the roles in which an ORBIT user might act when working on an ORBIT project. The analysis is based on use cases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97]] and contains a permissions matrix with access granted or not granted for each role and resource combination.

=== RBAC Research for Implementation ===

There is one book [[http://www.amazon.com/gp/product/1580533701/ FKC03]] and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implementation of role-based access control for ORBIT. Many of these sources are theoretical in nature, although some of the theoretical work includes implementation of tools to specify and check user-role assignments and constraints. Some of the papers address administrative issues. The following sources discuss RBAC implementation issues.

Ferraiolo, Barkley, and Kuhn's paper discusses RBAC including dynamic separation of duty and their implementation of the NIST RBAC model RBAC/Web within a corporate intranet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p34-ferraiolo.pdf FBK99]]. Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p12-ferraiolo.pdf FCAG03]]. Georgiadis, Mavridis, Pangalos, and Thomas discuss the use of contextual information with team-based access control for collaborative activities best accomplished by teams of users. Users who belong to a team are given access to resources used by a team. However, the effective permissions of a user are derived from permission types defined for roles that the user belongs to [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p21-georgiadis.pdf GMPT01]]. This work is based on that of Thomas [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-thomas.pdf Tho97]]. Ahn and Hong discuss a Linux implementation that uses UNIX groups to implement Static Separation of Duty [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/WOSIS2004.pdf AH04]]. Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sdarticle.pdf AMH06]]. Poole et al. discuss a POSIX and a PC demo of RBAC in health care applications [[http://hissa.ncsl.nist.gov/rbac/poole/ir5820/nistir5820.htm PBBE95]]. Bartz leveraged LDAP to store RBAC data objects for an internet environment [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p69-bartz.pdf Bar97]]. Berry, Bartram and Booth prototyped a collaboration system with shared application views controlled by role-based policies [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p23-berry.pdf BBB05]].

Botha and Eloff address dynamic separation of duty [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/botha.pdf BE01]]. Bhatti, Ghafoor, Bertino and Joshi implemented a policy administration process for the XML-based X-GTRBAC architecture [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p187-bhatti.pdf BGBJ05]]. Bhatti, Joshi, Bertino, and Ghafoor discuss a Java-based application with dynamic XML-based Web services [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ICWS_2003.pdf BJBG03]]. Bhatti, Joshi, Bertino, and Ghafoor address decentralized administration of enterprise-wide access control in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p78-bhatti.pdf BJBG04]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01355921.pdf JBBG04]], and Bhatti, Shafiq, Bertino, Ghafoor, and Joshi update the progress on these implementations in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p388-bhatti.pdf BSBE05]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01453534.pdf JBG05]]. Brooks discusses the Tivoli implementation of RBAC in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p71-brooks.pdf Bro99]]. Brucker, Rittinger, and Wolff implemented RBAC in a CVS-Server case study [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/brucker02cvsserver.pdf BRW02]], and Brucker and Wolff further describe it in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fmics_03.pdf BW03]]. Brostoff, Sasse, Chadwick, Cunningham, Mbanaso, and Otenko describe the implementation of a lightweight role-based access control policy authoring tool "R-What?" in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/rwhat.pdf BSCE05]].

Chandramouli describes a framework for multiple authorization types in a healthcare application in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/chandramouli01framework.pdf Cha01]], and in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ACM_XML_Paper_Final.pdf Cha00]] Chandramouli describes the specification and validation of an XML-based enterprise access control model, and in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/access_validate.pdf Cha03]] Chandramouli extends this work to annotating XML schema for policy constraints. Chou describes a Java-based implementation of RBAC with dynamic role switching [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2143.pdf Cho05]]. Chadwick and Otenko implemented the PERMIS X.509 role-based privilege management infrastructure using Java, XML and LDAP [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p135-chadwick.pdf CO02a]], [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/chadwickRBAC509.pdf CO02b]], and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Sec2002Final.pdf CO02c]]. Chadwick, Otenko, and Ball also describe this implementation [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/InternetComputingPaperv4.pdf COB04]]. Caelli and Rhodes describe a Windows NT 4.0 implementation of RBAC [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-005.pdf CR99a]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-003.pdf CR99b]]. Demchenko, Gommans, Tokmakoff, van Buuren, and de Laat develop a grid-based collaborative security policy compatible with the Globus toolkit [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/cts2006-oce-dynamic-access-control-05.pdf DGTE06]].

Fernandez specifies and describes a case study of RBAC in Enterprise Dynamic Access Control for the United States Pacific Fleet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACcase-study.pdf Fer05a]], [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACcompliance.pdf Fer05b]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACv2overview.pdf Fer06]]. Gao, Deng, Yu, He, Beznosov, and Cooper applied AspectJ to a CORBA access control design using extended UML [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/gao-etal-2004.pdf GDYE04]]. Pavlich-Mariscal, Michel, and Demurjian used Borland's UML tool to implement aspect-oriented RBAC enforcement code [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/rbacaspect.pdf PMMD05]]. Giuri describes an implementation of RBAC on the Web using Java [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p11-giuri.pdf Giu99]]. Hoffman describes implementing RBAC on a type-enforced, secure system [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/00646185.pdf Hof97]]. Manuel Holtgrewe has developed a Ruby on Rails library available under the MIT license that supports some levels of RBAC. ActiveRBAC 0.3.1 did not support dynamic access control [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ActiveRbacManual.pdf Hol06]]. This project uses Trac and has a wiki manual [[https://activerbac.turingstudio.com/trac/wiki/Manual ActiveRBAC manual]]. Kane and Browne in a recent paper classify access control implementations for distributed systems [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p29-kane.pdf KB06]]. Kern, Schaad, and Moffett describe the Enterprise Role-Based Access Control Model (ERBAC) and its implementation in commercial enterprise security management software SAM Jupiter [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p3-kern.pdf KSM03]].

Marston describes radicore, an RBAC system for PHP at [[http://www.tonymarston.net/php-mysql/role-based-access-control.html Mar04]]. This Rapid Application Development Toolkit for building administrative Web applications is distributed under the GNU General Public License. Neumann and Strembeck discuss the design and implementation of an RBAC service in an object-oriented scripting language XOTcl [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/neumann01design.pdf NS01]]. Obelheiro and Fraga implemented a prototype system with two CORBA servers and a Java client applet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01000036.pdf OF02]].

=== Design Issues ===

In [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]] Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]]. They classify these architectures based on "Who pulls the user's attributes?" In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes. In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes."

LDAP may be used in either approach [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01]]. It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.

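The revocation argument for server-pull, as an added example (not code from ORBIT or from the cited papers). It assumes an HMAC-signed cookie as the user-pull credential and an in-memory dictionary as the attribute server; the user, role and permission names and the key are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: key, user, role and permission names are assumptions.
SERVER_KEY = b"constructed-demo-key"
ATTRIBUTE_SERVER = {"alice": {"experimenter"}}    # user id -> current roles
PERMISSIONS = {"experimenter": {"grid:reserve"}}  # role -> permissions


def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def _permitted(roles, permission):
    return any(permission in PERMISSIONS.get(role, ()) for role in roles)


def issue_cookie(user, now, ttl):
    """User-pull: the attribute server hands the user a signed role snapshot."""
    roles = sorted(ATTRIBUTE_SERVER.get(user, ()))
    body = json.dumps({"user": user, "roles": roles, "exp": now + ttl}, sort_keys=True)
    return body + "." + _sign(body)


def check_user_pull(cookie, permission, now):
    """The Web server trusts the roles carried in the cookie until it expires."""
    body, _, tag = cookie.rpartition(".")
    if not hmac.compare_digest(tag, _sign(body)):
        return False  # forged or modified cookie
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False  # expired snapshot
    return _permitted(claims["roles"], permission)


def check_server_pull(user, permission):
    """The Web server pulls the user's current roles on every request."""
    return _permitted(ATTRIBUTE_SERVER.get(user, ()), permission)


def revocation_demo():
    ATTRIBUTE_SERVER["alice"] = {"experimenter"}
    cookie = issue_cookie("alice", now=1000, ttl=3600)
    ATTRIBUTE_SERVER["alice"].discard("experimenter")  # role revoked after issue
    return {
        "user_pull_after_revoke": check_user_pull(cookie, "grid:reserve", now=1500),
        "server_pull_after_revoke": check_server_pull("alice", "grid:reserve"),
        "user_pull_after_expiry": check_user_pull(cookie, "grid:reserve", now=5000),
    }
```

The revoked role keeps working under user-pull until the cookie expires, so the credential lifetime bounds how long a revocation or time limit can be ignored; server-pull denies on the next request.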
If it is decided otherwise to use a user-pull architecture, secure cookies and smart X.509 certificates [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1-park.pdf PS99a]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00binding.pdf PS00a]] are the two methods used. Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of a web-based workflow system with a user-pull architecture in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]]. Park discusses secure cookies and secure attribute services on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]].

This design assumes that user authentication will be handled separately and will be reliable. It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others. These two assumptions allow a person to be related to a user id.

It is assumed that access control is only related to scheduling insofar as respecting time limits for access to the grid or sandboxes.

It is assumed that access control will not need to interact with cost accounting. It is assumed that any denial of access to overdrawn users will be enforced by user authentication. If it is required to enforce project-level denial of access due to cost considerations, it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.

Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?

 * [wiki:Internal/Rbac/OrbitRbacDesign/ThreatAnalysis Threat Analysis for ORBIT]
 * [wiki:Internal/Rbac/OrbitRbacDesign/AuditingTools RBAC Logging and Auditing Tools for ORBIT]
 * [wiki:Internal/Rbac/OrbitRbacDesign/ConsistencyChecking Consistency Checking Tools for ORBIT]
 * [wiki:Internal/Rbac/OrbitRbacDesign/NistRbacSoftware RBAC Software from NIST]
 * [wiki:Internal/Rbac/OrbitRbacDesign/SolarisRbac Solaris Implementation of RBAC]
 * [wiki:Internal/Rbac/OrbitRbacDesign/OasisRbac OASIS Implementation of RBAC]
 * [wiki:Internal/Rbac/OrbitRbacDesign/DesignByWiki Issues on Design Using Wiki]
 * [wiki:Internal/Rbac/OrbitRbacDesign/OpenIssues Open Issues in the RBAC Design for ORBIT]