Changes between Version 1 and Version 2 of Internal/Rbac/OrbitRbacDesign/ImplementationResearch

Sep 20, 2006, 4:47:28 PM (18 years ago)


==== Research for Implementation ====
There is one book [[ FKC03]] and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implementation of role-based access control for ORBIT.  Many of these sources are theoretical in nature, although some of the theoretical work includes tools to specify and check user-role assignments and constraints.  Some of the papers address administrative issues.  The following sources discuss RBAC implementation issues.

Ferraiolo, Barkley, and Kuhn describe the features of RBAC, including dynamic separation of duty, and their RBAC/Web implementation of the NIST RBAC model [wiki:Internal/Rbac/OrbitRbacDesign/NistRbacSoftware NIST RBAC Software] within a corporate intranet [[ FBK99]].  Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool [[ FCAG03]].
Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in [[ PSA01]].  Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML, facilitating collaboration within or beyond a single enterprise boundary and improving upon the previous LDAP-oriented solution [[ SAP02]].  Zhang, Park, and Sandhu describe a schema-based XML security approach for RBAC in [[ ZPS03]].  Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents [[ DDPS00]].

Had a user-pull architecture been chosen, the two methods in use would have been secure cookies [[ Par99]] [[ PS00b]] [[ PSG99]] and smart X.509 certificates [[ PS99a]] [[ PS99b]] [[ PS00a]].  Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of user-pull in a web-based workflow system in [[ ASKP00]].

Georgiadis, Mavridis, Pangalos, and Thomas discuss the use of contextual information with team-based access control for collaborative activities best accomplished by teams of users: users who belong to a team are given access to the resources the team uses, but a user's effective permissions are still derived from the permission types defined for the roles that user belongs to [[ GMPT01]].  This work builds on that of Thomas [[ Tho97]] and [[ TS98]].
Ahn and Hong discuss a Linux implementation that uses UNIX groups to implement Static Separation of Duty [[ AH04]].

Spengler addresses performance and granularity issues in RBAC for Linux in a case study of grsecurity [[ Spe04]].

Hallyn and Kearns illustrate the domain and type enforcement approach for Linux [[ HK00]].

Gustafsson, Deligny, and Shahmehri used NFS to implement RBAC [[ GDS97]].

Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases [[ AMH06]].

Poole et al. discuss a POSIX demo and a PC demo of RBAC in health care applications [[ PBBE95]].
Bartz leveraged LDAP to store RBAC data objects for an internet environment [[ Bar97]].

Berry, Bartram, and Booth prototyped a collaboration system with shared application views controlled by role-based policies [[ BBB05]].

Botha and Eloff address dynamic separation of duty [[ BE01]].

Bhatti, Ghafoor, Bertino, and Joshi implemented a policy administration process for the XML-based X-GTRBAC architecture [[ BGBJ05]].  Bhatti, Joshi, Bertino, and Ghafoor discuss a Java-based application with dynamic XML-based Web services [[ BJBG03]].  Bhatti, Joshi, Bertino, and Ghafoor address decentralized administration of enterprise-wide access control in [[ BJBG04]], [[ JBBG04]], and [[ JBBG05]], and Bhatti, Shafiq, Bertino, Ghafoor, and Joshi report further progress on these implementations in [[ BSBE05]] and [[ JBG05]].
Brooks discusses the Tivoli implementation of RBAC in [[ Bro99]].

Brucker, Rittinger, and Wolff implemented RBAC in a CVS-Server case study [[ BRW02]], and Brucker and Wolff describe it further in [[ BW03]].

Brostoff, Sasse, Chadwick, Cunningham, Mbanaso, and Otenko describe the implementation of a lightweight role-based access control policy authoring tool, "R-What?", in [[ BSCE05]].

Chandramouli describes a framework for multiple authorization types in a healthcare application in [[ Cha01]]; in [[ Cha00]] he describes the specification and validation of an XML-based enterprise access control model; and in [[ Cha03]] he extends this work to annotating XML schema with policy constraints.
Chou describes a Java-based implementation of RBAC with dynamic role switching [[ Cho05]].

Chadwick and Otenko implemented the PERMIS X.509 role-based privilege management infrastructure using Java, XML, and LDAP [[ CO02a]], [[ CO02b]], and [[ CO02c]].  Chadwick, Otenko, and Ball also describe this implementation [[ COB04]].

Caelli and Rhodes describe a Windows NT 4.0 implementation of RBAC in [[ CR99a]] and [[ CR99b]].

Demchenko, Gommans, Tokmakoff, van Buuren, and de Laat developed a grid-based collaborative security policy compatible with the Globus toolkit [[ DGTE06]].

Fernandez specifies and describes a case study of RBAC in Enterprise Dynamic Access Control for the United States Pacific Fleet in [[ Fer05a]], [[ Fer05b]], and [[ Fer06]].

Gao, Deng, Yu, He, Beznosov, and Cooper applied AspectJ to a CORBA access control design using extended UML [[ GDYE04]].  Pavlich-Mariscal, Michel, and Demurjian used Borland's UML tool to generate aspect-oriented RBAC enforcement code [[ PMMD05]].

Giuri describes an implementation of RBAC on the Web using Java [[ Giu99]].
Hoffman describes implementing RBAC on a type-enforced, secure commercial system [[ Hof97]].

Holtgrewe developed ActiveRBAC, a Ruby on Rails library available under the MIT license that supports a subset of RBAC; version 0.3.1 did not support dynamic access control [[ Hol06]].  The project uses Trac and has a wiki manual [[ ActiveRBAC manual]].

Kane and Browne, in a recent paper, classify access control implementations for distributed systems [[ KB06]].

Kern, Schaad, and Moffett describe the Enterprise Role-Based Access Control Model (ERBAC) and its implementation in the commercial enterprise security management software SAM Jupiter [[ KSM03]].

Marston describes radiCore, an RBAC system for PHP, in [[ Mar04]].  This rapid application development toolkit for building administrative Web applications is distributed under the GNU General Public License.
Obelheiro and Fraga implemented a prototype RBAC system with two CORBA servers and a Java client applet [[ OF02]].

Ryutov, Neuman, Kim, and Zhou discuss integrating intrusion detection with access control for Web servers across a number of implementations [[ RNKZ03]].

Shin, Ahn, Cho, and Jin describe !RolePartner, "a system whose purpose is to help manage a valid set of roles with assigned users and permissions for role-based authorization infrastructures.  An LDAP-accessible directory service was used for a role database."  It supports only static separation of duty [[ SACJ04]].
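Several of the sources above are distinguished by whether they enforce static separation of duty (checked when roles are assigned, as in the UNIX-group approach of [[ AH04]] and in !RolePartner) or dynamic separation of duty (checked when roles are activated in a session, as in [[ FBK99]] and [[ BE01]]).  The following Python sketch is an added illustration of that distinction and is not code from any of the cited papers or tools.  It models roles as UNIX groups read from constructed `/etc/group`-style data, and expresses constraints in the NIST RBAC form (role set, n): a user may not be assigned (SSD) or concurrently activate (DSD) n or more roles from the set.  The group entries, user names, and constraint sets are invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in /etc/group format (name:password:gid:members).
# Each group stands for one role, as in the group-based SSD approach.
ETC_GROUP = """\
staff:x:100:alice,bob,carol
purchasing:x:2001:alice,bob
approving:x:2002:alice,carol
auditing:x:2003:bob,dave
ops:x:2004:dave
"""


def parse_etc_group(text: str) -> dict[str, set[str]]:
    """Return {user: set(groups)} from /etc/group-style text."""
    members: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, users = line.split(":", 3)
        for user in filter(None, users.split(",")):
            members.setdefault(user, set()).add(name)
    return members


@dataclass(frozen=True)
class SoDConstraint:
    """NIST-style constraint: at most n-1 roles from `roles` may be held/active together."""
    roles: frozenset[str]
    n: int = 2  # n == 2 is the common "mutually exclusive pair" case

    def conflict(self, role_set: set[str] | frozenset[str]) -> tuple[str, ...]:
        """Sorted offending roles if role_set contains n or more of ours, else ()."""
        hit = self.roles & role_set
        return tuple(sorted(hit)) if len(hit) >= self.n else ()


def ssd_violations(user_groups: dict[str, set[str]],
                   constraints: list[SoDConstraint]) -> list[tuple[str, tuple[str, ...]]]:
    """Static check over the whole group database: flags users whose
    *assignments* already violate a constraint, regardless of any session."""
    out = []
    for user in sorted(user_groups):
        for c in constraints:
            hit = c.conflict(user_groups[user])
            if hit:
                out.append((user, hit))
    return out


class Session:
    """One login session. Assignments may overlap a DSD set; the check
    happens only when a role is activated, so the same user can hold
    both roles but not use them at the same time."""

    def __init__(self, user: str, assigned: set[str], dsd: list[SoDConstraint]):
        self.user = user
        self.assigned = frozenset(assigned)
        self.dsd = tuple(dsd)
        self.active: set[str] = set()

    def activate(self, role: str) -> None:
        if role not in self.assigned:
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        proposed = self.active | {role}
        for c in self.dsd:
            hit = c.conflict(proposed)
            if hit:
                raise PermissionError(
                    f"DSD: {self.user} may not activate {hit} together in one session")
        self.active.add(role)

    def deactivate(self, role: str) -> None:
        self.active.discard(role)


if __name__ == "__main__":
    groups = parse_etc_group(ETC_GROUP)
    sod = [SoDConstraint(frozenset({"purchasing", "approving"}))]
    print("SSD violations:", ssd_violations(groups, sod))
    s = Session("alice", groups["alice"], dsd=sod)
    s.activate("purchasing")
    try:
        s.activate("approving")
    except PermissionError as e:
        print(e)
```

Run as a static check, the purchasing/approving pair flags alice, who is a member of both groups; run as a dynamic check, the same assignments are accepted and alice is only stopped when she tries to activate the second role while the first is still active.  Raising the cardinality to n=3 over {purchasing, approving, auditing} flags nobody in this data, which is the cardinality-based form of the NIST constraint rather than the simple pairwise exclusion that group-based schemes usually implement.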
Sandhu and Bhamidipati discuss the RBAC administrative model URA97 and its implementation in the Oracle database management system, even though the model differs considerably from the one built into Oracle [[ SB99]].

Squair, Jamhour, and Nabhen describe an RBAC-based Policy Information Base (PIB) based on the provisioning strategy defined by the IETF [[ SJN05]].

Schaad, Lotz, and Sohr describe a model-checking approach to analyzing organizational controls in a loan origination process [[ SLS06]]; see also a case study of a credit application in [[ Sch03]], [[ SM02a]], [[ SM02b]], and [[ SM04]], and a case study of an "eLaw" process in [[ SSW05]].

Schaad, Moffett, and Jacob did a case study of the RBAC system of a European bank [[ SMJ01]].
Wainer, Barthelmess, and Kumar discuss a Prolog implementation of a workflow security model incorporating controlled overriding of constraints [[ WBK01]].

Zao, Wee, Chu, and Jackson used Alloy, a lightweight formal modelling system, to develop an RBAC schema debugger [[ ZWCJ02]].

Cholewka, Botha, and Eloff did a prototype implementation of context-sensitive access control with separation of duty [[ CBE00]].

Masood, Ghafoor, and Mathur present "scalable and effective test generation for access control systems that employ RBAC policies" in [[ MGM06]], and Masood, Bhatti, Ghafoor, and Mathur previously described "model-based testing of access control systems that employ RBAC policies" in [[ MBGM05]].

Appendix B of the IBM Redbook ''Administering and Implementing !WebSphere Business Integration Server V4.3'' is entitled '''Configuring LDAP for use with RBAC''' [[ HJLE06]].