Changes between Initial Version and Version 1 of Internal/Rbac/OrbitRbacDesign/WorkToDo


Timestamp:
Oct 3, 2006, 6:03:58 PM (18 years ago)
Author:
anonymous
Comment:

  • Internal/Rbac/OrbitRbacDesign/WorkToDo

    v1 v1  
     1=== Work To Do ===
     2Identify all ORBIT resources and modes of accessing each one.
     3
     4Agree on ORBIT roles.
     5
     6Agree on mutually exclusive roles within a project for which any given user cannot be active in both at the same time.
     7
     8Generate a project implementation plan including a test plan.
     9
     10Generate an LDAP schema for projects and a create-project.pl script.
     11
     12Decide whether to keep NIST RBAC/Web structures for roles or to use LDAP.  Except for ORBIT Administrator and Delegated ORBIT Administrator, roles are assigned within a project.  Should include a way to add new roles in the future or at least add new resources to existing roles.  The same role in different projects would grant access to the same resources with the constraint that some resources like sets of measurements are owned by a project.
     13
     14Either implement LDAP roles or modify NIST RBAC/Web roles code to work in a project context.
     15
     16Decide if there is any point to extending NIST RBAC/Web scripts that check for conflicts to check across projects.
     17
     18Assuming most users will work on a single project with one or more nonconflicting roles, it is possible to activate all those roles in that one project when the user logs in.  It might be best though to require an explicit GUI or command-line command to pick a project and activate roles in it. In any case, assuming that some mutually exclusive roles within a project are identified, the GUI and command-line commands need to be written.
     19
     20For each ORBIT RBAC resource, create methods to establish project ownership of it and control access to it.  This work includes temporal ownership and probably would involve an interface to or modification of the ORBIT scheduler.
     21
     22Integrate access control code for each resource with the NIST RBAC/Web code.
     23
     24Create a GUI interface for the ORBIT Administrator to 1) browse, add, modify and delete ORBIT users;  2) browse, add, modify and delete ORBIT projects;  3) browse, add, modify and delete Project Leaders and Project Administrators; set logging options, configure audit options; and assign a user to the Designated ORBIT Administrator role.  Note that each Project Administrator's GUI would be similar to ORBIT Administrator except for a single project and with restrictions on some functions.
     25
     26Decide if command-line ORBIT Administrator and Project Administrator commands are needed.
     27
     28Write and put code in place to log as much access-control information as possible with ways to filter it.
     29
     30Write auditing code for the ORBIT Administrator and Project Leaders.
     31
     32Create user documentation for ORBIT Administrator, Project Leader, Project Administrator, Experimenter, Analyst, etc.
     33
     34Review NIST RBAC/Web C and Perl code (written in 1998 and before) for security issues.
     35
     36Is a project report required or just an update to the wiki pages?
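
Review bot: The role name is inconsistent between line 12 ("Delegated ORBIT Administrator") and line 24 ("Designated ORBIT Administrator"); settle on one name so that the role list to be agreed in line 4 is unambiguous. Line 24 also numbers its first three tasks 1) to 3) and then lists setting logging options, configuring audit options and the role assignment without numbers; numbering those as well would make each task easier to reference. Line 6 asks for mutually exclusive roles and line 18 for commands to activate roles, but nothing in the list says where that exclusion is enforced at activation time, so consider adding an explicit item for it.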