Changes between Initial Version and Version 1 of Internal/Rbac/OrbitRbacDesign/ResourcesRoles


Timestamp:
Oct 2, 2006, 9:10:57 PM (18 years ago)
Author:
anonymous
  • Internal/Rbac/OrbitRbacDesign/ResourcesRoles

The specific ORBIT roles are defined mainly by the ORBIT resources to which they will be granted permission (or not). Any errors or misunderstandings in the list of ORBIT resources may well result in missing possible ORBIT roles, which might require changes later on.

A key decision is which roles will be mutually exclusive for dynamic separation of duty, i.e., no user will be allowed to be active in both roles at the same time.

The list of ORBIT Resources below is adapted from the table of resources and roles on page 12 of [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06]].

ORBIT Resources
  internal databases:  create, rename, delete, read and update
  external databases:  create, rename, delete, read and update;  see "An introduction to MySQL permissions" [[http://www.databasejournal.com/features/mysql/article.php/10897_3311731_2 Gil04]] or Chapter 5 "Database Administration" in the ''MySQL 3.23, 4.0, 4.1 Reference Manual'' [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/konquerorh9E2Ta.1-en.pdf MyS06a]].
  Linux File System:  create, rename, delete, read from, write to, and execute Linux files.
  Chassis Manager Service:  complete access to it
  Aruba Sniffer:  complete access to it, or just use of captured packets
  Noise Generator Access:  complete access to it, or just use of it
  Grid Authentication: 
  Internal Servers:  create, rename, delete, read and update
  Remote Data Acquisition: 
  Applications:  where?
  SandBoxes:  complete or by component
  Grid:  via scheduler
  Network Devices: 

Is it expected that there will be any project-specific resources?

ORBIT Roles
  ORBIT Administrator:  browse, add, modify and delete ORBIT users; browse, add, modify and delete ORBIT projects; browse, add, modify and delete Project Leaders and Project Administrators; set logging options and audit ORBIT logs; can delegate to Designated ORBIT Administrator; cardinality = 1.
  Designated ORBIT Administrator:  same privileges as ORBIT Administrator, except cannot delegate the role; cardinality = 1.
  Experimenter:  all privileges needed to run an ORBIT experiment and analyze its results, but not to modify or delete results.
  Analyst:  can only analyze the results of an ORBIT experiment, not run one.
  Project Administrator:  browse selected fields of, and add, ORBIT users; add and delete users to and from roles in his or her project; can delegate the role to Designated Project Administrator; cardinality = 1 per project.
  Designated Project Administrator:  same privileges as Project Administrator, except cannot delegate; cardinality = 1 per project.
  Project Leader:  can modify or delete the results of any of the project's experiments; complete access to any project-specific resources; can delegate to Designated Project Leader; cardinality = 1 per project.
  Designated Project Leader:  same privileges as Project Leader, except cannot delegate; cardinality = 1 per project.
  Developer:  not sure what the scope of a developer's privileges should be. Does a developer become an Experimenter to run a test?

If there are different types of ORBIT experiments, we may want more than one Experimenter role.

Might also consider a separate ORBIT database administrator role, to back up and restore data and to clean out and perhaps archive old data.

The members of a project would be the union of all the members of a project's roles.

Who owns the Experimental Descriptions (EDs) and Application Descriptions (ADs), Matlab scripts, prototypes, applications, builds, etc.? How would they be shared among projects once role-based access control is in effect? Does a common area for some of these things make sense? Do projects own certain applications?

Is there any classified work or company-confidential work on ORBIT? What are the implications?

Is there any need for ORBIT cost accounting? If so, how does role-based access control interface to it?
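The constraints sketched in these notes (cardinality = 1 roles, delegation only from a role to its Designated counterpart, dynamic separation of duty on activation, and project membership as the union of the project's role members) can be checked mechanically. The following is an added example written for this page, not ORBIT code: the role names and rules are taken from the notes above, while the mutually exclusive pair (ORBIT Administrator versus Experimenter), the users and the project name are constructed assumptions chosen only to exercise the checks.

```python
"""Toy RBAC policy checker for the ORBIT role design above.

Added example, not ORBIT code.  Role names, the cardinality = 1 limits,
the 'Designated' delegation rule and the union-of-roles membership rule
come from the design notes; the mutually exclusive pair and the users
and project below are constructed for illustration.
"""
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

RoleKey = Tuple[str, Optional[str]]  # (role, project); project is None for ORBIT-wide roles

# Roles limited to one holder ORBIT-wide (cardinality = 1).
GLOBAL_SINGLETON = {"ORBIT Administrator", "Designated ORBIT Administrator"}
# Roles limited to one holder per project (cardinality = 1 per project).
PROJECT_SINGLETON = {"Project Administrator", "Designated Project Administrator",
                     "Project Leader", "Designated Project Leader"}
# Only the non-designated role may delegate, and only to its Designated counterpart.
DELEGATES_TO = {
    "ORBIT Administrator": "Designated ORBIT Administrator",
    "Project Administrator": "Designated Project Administrator",
    "Project Leader": "Designated Project Leader",
}
# Dynamic separation of duty: a user may hold both roles but never have both
# active in one session.  ASSUMPTION: the notes leave the actual pairs open;
# this pair is chosen only to exercise the check.
DSOD_PAIRS: Set[FrozenSet[str]] = {frozenset({"ORBIT Administrator", "Experimenter"})}


class PolicyViolation(Exception):
    """Raised when an assignment, delegation or activation breaks a constraint."""


class RbacPolicy:
    def __init__(self) -> None:
        self.holders: Dict[RoleKey, Set[str]] = {}   # who holds each (role, project)
        self.active: Dict[str, Set[RoleKey]] = {}    # roles each user has activated

    def assign(self, user: str, role: str, project: Optional[str] = None) -> None:
        """Static role assignment, enforcing the cardinality constraints."""
        if role in GLOBAL_SINGLETON and project is not None:
            raise PolicyViolation(f"{role} is ORBIT-wide, not per project")
        current = self.holders.setdefault((role, project), set())
        if user in current:
            return
        if (role in GLOBAL_SINGLETON or role in PROJECT_SINGLETON) and current:
            raise PolicyViolation(f"{role} already held by {next(iter(current))}")
        current.add(user)

    def delegate(self, delegator: str, delegatee: str, role: str,
                 project: Optional[str] = None) -> None:
        """Delegation: only a delegating role, and only to its Designated counterpart."""
        if delegator not in self.holders.get((role, project), set()):
            raise PolicyViolation(f"{delegator} does not hold {role}")
        target = DELEGATES_TO.get(role)
        if target is None:
            raise PolicyViolation(f"{role} may not delegate")
        self.assign(delegatee, target, project)

    def activate(self, user: str, role: str, project: Optional[str] = None) -> None:
        """Session activation, enforcing dynamic separation of duty."""
        if user not in self.holders.get((role, project), set()):
            raise PolicyViolation(f"{user} does not hold {role}")
        for active_role, _ in self.active.get(user, set()):
            if frozenset({active_role, role}) in DSOD_PAIRS:
                raise PolicyViolation(f"{role} conflicts with active {active_role}")
        self.active.setdefault(user, set()).add((role, project))

    def project_members(self, project: str) -> Set[str]:
        """A project's members are the union of the members of all its roles."""
        return set().union(*(users for (_, p), users in self.holders.items() if p == project))


def demo() -> Dict[str, object]:
    """Walk a constructed scenario and report what the policy allowed or refused."""
    policy = RbacPolicy()
    policy.assign("alice", "ORBIT Administrator")
    policy.assign("alice", "Experimenter", "proj-a")
    policy.assign("bob", "Project Leader", "proj-a")
    policy.assign("carol", "Analyst", "proj-a")
    out: Dict[str, object] = {}

    def attempt(label: str, action: Callable[[], None]) -> None:
        try:
            action()
            out[label] = "allowed"
        except PolicyViolation:
            out[label] = "refused"

    attempt("second_admin", lambda: policy.assign("dave", "ORBIT Administrator"))
    attempt("second_leader", lambda: policy.assign("dave", "Project Leader", "proj-a"))
    attempt("admin_delegates", lambda: policy.delegate("alice", "dave", "ORBIT Administrator"))
    attempt("designated_delegates",
            lambda: policy.delegate("dave", "erin", "Designated ORBIT Administrator"))
    attempt("activate_admin", lambda: policy.activate("alice", "ORBIT Administrator"))
    attempt("activate_conflicting", lambda: policy.activate("alice", "Experimenter", "proj-a"))
    out["proj_a_members"] = sorted(policy.project_members("proj-a"))
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The static checks (cardinality, delegation) run at assignment time, while the separation-of-duty check runs at activation time; that split is what makes the exclusion dynamic rather than static, since alice may hold both conflicting roles as long as she never has both active at once. Designated roles are deliberately absent from DELEGATES_TO, which is what stops a delegate from delegating further.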