Version 142 (modified by hedinger, 18 years ago)

ORBIT RBAC Design

Previous Work

Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06 contains an analysis of each of the roles in which an ORBIT user might act when working on an ORBIT project. The analysis is based on use cases http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01 and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97, and the specification contains a permissions matrix with access granted or not granted for each role and resource combination.

Design Issues

In http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01 Park, Ahn and Sandhu write "Park and Sandhu identify and describe two different approaches for obtaining a user's attributes on the Web: user-pull and server-pull architectures http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b . They classify these architectures based on "Who pulls the user's attributes?" In the user-pull architecture, the user pulls her attributes from the attribute server then presents them to the Web servers, which use those attributes for their purposes. In the server-pull architecture, each Web server pulls user's attributes from the attribute server as needed and uses them for its purposes." LDAP may be used in either approach http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i01-kluwer01-jpark.pdf PAS01.

It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.
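The revocation argument above, as an added example that is not part of the ORBIT design or the cited papers: a user-pull credential, modeled here as an HMAC-signed attribute blob standing in for a secure cookie or attribute certificate, keeps granting a role after it is revoked, while a server-pull lookup sees the change on the next request. All names, the key, and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: user-role assignments and a demo signing key.
ROLE_DB = {"alice": {"experimenter"}}
KEY = b"demo-signing-key"  # assumption: shared by attribute server and Web server


class AttributeServer:
    """Authoritative role store (an LDAP directory in the page's setting)."""

    def __init__(self, roles):
        self.roles = {u: set(r) for u, r in roles.items()}

    def lookup(self, user):
        return set(self.roles.get(user, ()))

    def issue_token(self, user, now, ttl):
        """User-pull: sign the user's current roles together with an expiry."""
        body = json.dumps({"user": user, "roles": sorted(self.lookup(user)),
                           "exp": now + ttl})
        mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        return body, mac

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)


def user_pull_check(token, role, now):
    """Web server trusts the signed attributes that the user presents."""
    body, mac = token
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # tampered or forged attributes
    claims = json.loads(body)
    return now < claims["exp"] and role in claims["roles"]


def server_pull_check(server, user, role):
    """Web server pulls the user's attributes at the time of each request."""
    return role in server.lookup(user)


def revocation_window():
    """Decisions (user_pull, server_pull) made 60 s after the role is revoked."""
    srv = AttributeServer(ROLE_DB)
    token = srv.issue_token("alice", now=0, ttl=3600)
    srv.revoke("alice", "experimenter")
    return (user_pull_check(token, "experimenter", now=60),
            server_pull_check(srv, "alice", "experimenter"))
```

Shortening `ttl` narrows the user-pull window but never closes it, and closing it with a revocation list reintroduces a lookup on every request, which is what server-pull already does.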

This design assumes that user authentication will be handled separately and will be reliable. It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others. These two assumptions allow a person to be related to a user id.

It is assumed that access control will not interact with scheduling, which is currently based on users, not projects.

It is assumed that access control will not need to interact with cost accounting. It is assumed that any denial of access to overdrawn users will be enforced by user authentication. If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.

Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?

Research for Implementation

There is one book http://www.amazon.com/gp/product/1580533701/ FKC03 and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implementation of role-based access control for ORBIT. Many of these sources are theoretical in nature, although some of the theoretical work includes implementation of tools to specify and check user-role assignments and constraints. Some of the papers address administrative issues. The following sources discuss RBAC implementation issues.

Ferraiolo, Barkley, and Kuhn's paper describes the features of RBAC, including dynamic separation of duty, and their implementation of the NIST RBAC model, RBAC/Web (NIST RBAC Software), within a corporate intranet http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p34-ferraiolo.pdf FBK99. Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p12-ferraiolo.pdf FCAG03.

Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p37-park.pdf PSA01. Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML to facilitate collaboration within or beyond a single enterprise boundary, improving upon the previous LDAP-oriented solution http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01045125.pdf SAP02. Zhang, Park, and Sandhu describe a schema-based XML security approach for RBAC in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schema-based-xml-security.pdf ZPS03. Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-damiani.pdf DDPS00.

For a user-pull architecture, had one been chosen, the two methods used are secure cookies http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99 http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00secure.pdf PS00b http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park99rbac.pdf PSG99 and smart X.509 certificates http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1-park.pdf PS99a http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00binding.pdf PS00a. Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of a user-pull architecture in a web-based workflow system in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00.

Georgiadis, Mavridis, Pangalos, and Thomas discuss the use of contextual information with team-based access control for collaborative activities best accomplished by teams of users. Users who belong to a team are given access to resources used by a team. However, the effective permissions of a user are derived from permission types defined for roles that the user belongs to http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p21-georgiadis.pdf GMPT01. This work is based on that of Thomas http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-thomas.pdf Tho97 and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i97tbac.pdf TS98.

Ahn and Hong discuss a Linux implementation that uses UNIX groups to implement Static Separation of Duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/WOSIS2004.pdf AH04.

Spengler addresses performance and granularity issues in RBAC for Linux in a case study in GRSECURITY http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/researchpaper.pdf Spe04.

Hallyn and Kearns illustrate the domain and type enforcement approach for Linux http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/hallyn.pdf HK00.

Gustafsson, Deligny, and Shahmehri used NFS to implement RBAC http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/00630829.pdf GDS97.

Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sdarticle.pdf AMH06.

Poole et al. discuss a POSIX and a PC demo of RBAC in health care applications http://hissa.ncsl.nist.gov/rbac/poole/ir5820/nistir5820.htm PBBE95.

Bartz leveraged LDAP to store RBAC data objects for an internet environment http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p69-bartz.pdf Bar97.

Berry, Bartram and Booth prototyped a collaboration system with shared application views controlled by role-based policies http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p23-berry.pdf BBB05.

Botha and Eloff address dynamic separation of duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/botha.pdf BE01.

Bhatti, Ghafoor, Bertino and Joshi implemented a policy administration process for the XML-based X-GTRBAC architecture http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p187-bhatti.pdf BGBJ05. Bhatti, Joshi, Bertino, and Ghafoor discuss a Java-based application with dynamic XML-based Web services http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ICWS_2003.pdf BJBG03. Bhatti, Joshi, Bertino, and Ghafoor address decentralized administration of enterprise-wide access control in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p78-bhatti.pdf BJBG04, http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01355921.pdf JBBG04, and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2004-46.pdf JBBG05, and Bhatti, Shafiq, Bertino, Ghafoor, and Joshi update the progress on these implementations in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p388-bhatti.pdf BSBE05 and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01453534.pdf JBG05.

Brooks discusses the Tivoli implementation of RBAC in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p71-brooks.pdf Bro99.

Brucker, Rittinger, and Wolff implemented RBAC in a CVS-Server case study http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/brucker02cvsserver.pdf BRW02, and Brucker and Wolff further describe it in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fmics_03.pdf BW03.

Brostoff, Sasse, Chadwick, Cunningham, Mbanaso, and Otenko describe the implementation of a lightweight role-based access control policy authoring tool "R-What?" in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/rwhat.pdf BSCE05.

Chandramouli describes a framework for multiple authorization types in a healthcare application in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/chandramouli01framework.pdf Cha01, and in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ACM_XML_Paper_Final.pdf Cha00 Chandramouli describes the specification and validation of an XML-based enterprise access control model, and in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/access_validate.pdf Cha03 Chandramouli extends this work to annotating XML schema for policy constraints.

Chou describes a Java-based implementation of RBAC with dynamic role switching http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2143.pdf Cho05.

Chadwick and Otenko implemented the PERMIS X.509 role-based privilege management infrastructure using Java, XML and LDAP http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p135-chadwick.pdf CO02a, http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/chadwickRBAC509.pdf CO02b, and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Sec2002Final.pdf CO02c. Chadwick, Otenko, and Ball also describe this implementation http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/InternetComputingPaperv4.pdf COB04.

Caelli and Rhodes describe a Windows NT 4.0 implementation of RBAC http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-005.pdf CR99a and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-003.pdf CR99b.

Demchenko, Gommans, Tokmakoff, van Buuren, and de Laut developed a grid-based collaborative security policy compatible with the Globus toolkit http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/cts2006-oce-dynamic-access-control-05.pdf DGTE06.

Fernandez specifies and describes a case study of RBAC in Enterprise Dynamic Access Control for the United States Pacific Fleet [Fer05a], http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACcompliance.pdf Fer05b and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACv2overview.pdf Fer06.

Gao, Deng, Yu, He, Beznosov, and Cooper applied AspectJ to a CORBA access control design using extended UML http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/gao-etal-2004.pdf GDYE04. Pavlich-Mariscal, Michel, and Demurjian used Borland's UML tool to implement aspect-oriented RBAC enforcement code http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/rbacaspect.pdf PMMD05.

Giuri describes an implementation of RBAC on the Web Using Java http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p11-giuri.pdf Giu99.

Hoffman describes implementing RBAC on a type-enforced, secure commercial system http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/00646185.pdf Hof97.

Holtgrewe developed a Ruby on Rails library available under the MIT license that supports some levels of RBAC. ActiveRBAC 0.3.1 did not support dynamic access control http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ActiveRbacManual.pdf Hol06. This project uses Trac and has a wiki manual https://activerbac.turingstudio.com/trac/wiki/Manual ActiveRBAC manual.

Kane and Browne in a recent paper classify access control implementations for distributed systems http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p29-kane.pdf KB06.

Kern, Schaad, and Moffett describe the Enterprise Role-Based Access Control Model (ERBAC) and its implementation in commercial enterprise security management software SAM Jupiter http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p3-kern.pdf KSM03.

Marston describes radiCore, an RBAC system for PHP at http://www.tonymarston.net/php-mysql/role-based-access-control.html Mar04. This Rapid Application Development Toolkit for building administrative Web applications is distributed under the GNU General Public License.

Obelheiro and Fraga implemented a prototype RBAC system with two CORBA servers and a Java client applet http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01000036.pdf OF02.

Ryutov, Neuman, Kim, and Zhou discuss integrating intrusion detection with access control for Web servers for a number of implementations http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01233707.pdf RNKZ03.

Shin, Ahn, Cho, and Jin describe RolePartner, "a system whose purpose is to help manage a valid set of roles with assigned users and permissions for role-based authorization infrastructures. An LDAP-accessible directory service was used for a role database." It supports only static separation of duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1121-shin.pdf SACJ04.

Sandhu and Bhamidipati discuss the RBAC administrative model URA97 and its implementation in the Oracle database management system, despite the model being quite different from the one built into Oracle http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sandhu98rolebasedURA97.pdf SB99.

Squair, Jamhour, and Nabhen describe an RBAC-based Policy Information Base (PIB) based on the provisioning strategy defined by IETF http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01454316.pdf SJN05.

Schaad, Lotz, and Sohr describe a model-checking approach to analyze organizational controls in a loan origination process http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p139-schaad.pdf SLS06, see also a case study of a credit application http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schaad03framework.pdf Sch03, http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01176294.pdf SM02a, http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-schaad.pdf SM02b, and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1380-schaad.pdf SM04 and http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1328-schaad.pdf SSW05 for a case study of an "eLaw" Process.

Schaad, Moffett, and Jacob did a case study of the RBAC system of a European Bank http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p3-schaad.pdf SMJ01.

Wainer, Barthelmess, and Kumar discuss a Prolog implementation of a workflow security model incorporating controlled overriding of constraints http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/wainer01wrbac.pdf WBK01.

Zao, Wee, Chu, and Jackson used ALLOY, a lightweight formal modelling system, to develop an RBAC schema debugger http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/RBAC-1.pdf ZWCJ02.

Cholewka, Botha, and Eloff did a prototype implementation of a context-sensitive access control with separation of duty http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_003.pdf CBE00.

Masood, Ghafoor, and Mathur present "scalable and effective test generation for access control systems that employ RBAC policies" in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2006-24.pdf MGM06, and Masood, Bhatti, Ghafoor, and Mathur previously described "model-based testing of access control systems that employ RBAC policies" in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2005-62.pdf MBGM05.

In the IBM Redbook Administering and Implementing WebSphere Business Integration Server V4.3, Appendix B is entitled "Configuring LDAP for use with RBAC" http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sg246647.pdf HJLE06.
