Version 54 (modified 18 years ago)
LDAP and RBAC
At the user level, Orbit security involves making sure that each person using Orbit is allowed to do so at that time, and that while using Orbit the person uses only those parts of it that he or she is allowed to use. That is, there are two parts to Orbit security: authenticating users and controlling their access to Orbit resources.
The Lightweight Directory Access Protocol (LDAP) is used by Orbit to authenticate each user's password when he or she logs into an Orbit controller or server. LDAP authentication and the proper use of Orbit user ids and passwords allow each user id to be related to a single human user. A single person may have one or more Orbit user ids. Each Orbit user id may be logged into one or more sessions, and during each session there may be multiple computer processes initiated by the user. A process is an instance of a user running an application program such as a spreadsheet, editor or browser.
Role-Based Access Control (RBAC) will be used by Orbit to control each user's access to Orbit resources based on his or her role. To explain this use of roles, some terminology is needed first. When a user runs an application program, that process acts on behalf of the user and is referred to as a subject. An object is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database. An operation is an active part of a process invoked by the subject process, much like a function call or a method invocation. In general, a permission or privilege is the authorization to perform some action on the system. In RBAC, a permission is the authorization to perform a given operation on a given object. The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but perhaps only a hundred different roles they act in at any given time to access resources. Users are assigned to one or more roles. Each role has a defined set of permissions, each for an operation invoked by a process run by a user acting in that role to access a given object.
As with any access control mechanism, role-based access control will have some performance penalties. Role-based access control should provide sufficiently flexible control with acceptable performance for reasonable administrative cost. In ORBIT, role-based access control will be implemented using mechanisms provided by LDAP. It is expected that this implementation will have acceptable performance while providing the desired security.
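The following is an added illustration of the user/role/permission/session model described above, written for this page and not Orbit's own code; the role and object names ("experimenter", "admin", "sandbox1", "results-db") are constructed placeholders, and the LDAP backing store is left out so the model itself runs stand-alone.

```python
from dataclasses import dataclass, field

# Constructed example of the RBAC model described above: users are assigned
# roles, roles carry permissions, and a permission is (operation, object).
@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read", "write", "reserve"
    obj: str        # the resource acted on, e.g. a database or testbed node

@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # role -> set of Permission
    user_roles: dict = field(default_factory=dict)  # user id -> set of roles

    def grant(self, role, operation, obj):
        self.role_perms.setdefault(role, set()).add(Permission(operation, obj))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user, roles):
        # A session activates only a subset of the user's assigned roles,
        # so a subject runs with the least privilege the task needs.
        missing = set(roles) - self.user_roles.get(user, set())
        if missing:
            raise PermissionError(f"{user} is not assigned {sorted(missing)}")
        return Session(self, user, frozenset(roles))

@dataclass(frozen=True)
class Session:
    rbac: Rbac
    user: str
    active_roles: frozenset

    def check(self, operation, obj):
        # A subject (a process in this session) may perform the operation on
        # the object only if some active role holds that exact permission.
        want = Permission(operation, obj)
        return any(want in self.rbac.role_perms.get(r, ()) for r in self.active_roles)

def demo():
    rbac = Rbac()
    rbac.grant("experimenter", "reserve", "sandbox1")
    rbac.grant("admin", "write", "results-db")
    rbac.assign("alice", "experimenter")
    rbac.assign("alice", "admin")
    s = rbac.open_session("alice", {"experimenter"})  # admin stays inactive
    return (s.check("reserve", "sandbox1"), s.check("write", "results-db"))
```

In an LDAP-backed deployment the `role_perms` and `user_roles` tables would be populated from directory entries, and `check` would be the single point every Orbit operation consults before touching an object.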