Changes between Version 99 and Version 100 of Internal/Rbac/OrbitRbacDesign


Timestamp:
Sep 12, 2006, 2:51:27 PM (18 years ago)
Author:
hedinger
Comment:

  • Internal/Rbac/OrbitRbacDesign

    v99 v100  
    22== ORBIT RBAC Design ==
    33=== Background ===
    4 Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06]] contains an anlaysis of each of the roles in which an ORBIT user might act when working on an ORBIT project.  The analysis is based on use cases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97]] and contains a permissions matrix with access granted or not granted for each role and resource combination.
     4Siswati Swami's recent "Requirements Specifications for ORBIT Access Control" [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/Specs2.pdf Swa06]] contains an analysis of each of the roles in which an ORBIT user might act when working on an ORBIT project.  The analysis is based on use cases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/IC_TECH_REPORT_200131.pdf NW01]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fernandez97determining.pdf FH97]] and contains a permissions matrix with access granted or not granted for each role and resource combination.
    55=== RBAC Research for Implementation ===
    66There is one book [[http://www.amazon.com/gp/product/1580533701/ FKC03]] and a surprisingly large number of articles, papers, PhD theses, and web sites that touch on aspects of the design and implemenation of role-based access control for ORBIT.  Many of these sources are theoretical in nature, although some of the theoretical work includes implementation of tools to specify and check user-role assignments and constraints.  Some of the papers address administrative issues.  The following sources discuss RBAC implementation issues.
    77
    8 Ferraiolo, Barkley, and Kuhn's paper discusses RBAC including dynamic separation of duty and their implementation of the NIST RBAC model RBAC/Web within a corporate intranet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p34-ferraiolo.pdf FBK99]].  Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p12-ferraiolo.pdf FCAG03]].
     8Ferraiolo, Barkley, and Kuhn's paper describes RBAC including dynamic separation of duty and their implementation of the NIST RBAC model RBAC/Web within a corporate intranet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p34-ferraiolo.pdf FBK99]].  Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p12-ferraiolo.pdf FCAG03]].
    99
    1010Georgiadis, Mavridis, Pangalos, and Thomas discuss the use of contextual information with team-based access control for collaborative activities best accomplished by teams of users. Users who belong to a team are given access to resources used by a team. However, the effective permissions of a user are derived from permission types defined for roles that the user belongs to. [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p21-georgiadis.pdf GMPT01]].  This work is based on that of Thomas [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-thomas.pdf Tho97]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i97tbac.pdf TS98]].
    1111
    1212Ahn and Hong discuss a Linux implementation that uses UNIX groups to implement Static Separation of Duty [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/WOSIS2004.pdf AH04]].
     13
     14Spengler addresses performance and granularity issues in RBAC for Linux in a case study in GRSECURITY [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/researchpaper.pdf Spe04]].
    1315
    1416Ahn, Mohan, and Hong have implemented identity certificates and an access control server in C++ for multimedia databases [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sdarticle.pdf AMH06]].
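Review bot: the Spengler entry inserted as v100 line 14, between the Ahn and Hong entry and the Ahn, Mohan, and Hong entry, breaks the alphabetical-by-first-author ordering the rest of this section follows; if it is being moved from its former place between Schaad and Wainer, it belongs after Squair, not here. The unchanged line 6 in this hunk also still reads "implemenation of role-based access control" and could be corrected to "implementation" in the same edit.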
     
    2426Bhatti, Ghafoor, Bertino and Joshi implemented a policy administration process for the XML-based X-GTRBAC architecture [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p187-bhatti.pdf BGBJ05]].  Bhatti, Joshi, Bertino, and Ghafoor discuss a Java-based application with dynamic XML-based Web services [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ICWS_2003.pdf BJBG03]].  Bhatti, Joshi, Bertino, and Ghafoor address decentralized administration of enterprise-wide access a control in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p78-bhatti.pdf BJBG04]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01355921.pdf JBBG04]], and Bhatti, Shafiq, Bertino, Ghafoor, and Joshi update the progress on these implementations in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p388-bhatti.pdf BSBE05]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01453534.pdf JBG05]].
    2527
    26 Brooks discusses the Tivoli implementin of RBAC in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p71-brooks.pdf Bro99]].
     28Brooks discusses the Tivoli implementation of RBAC in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p71-brooks.pdf Bro99]].
    2729
    2830Brucker, Rittinger, and Wolff implemented RBAC in a CVS-Server case study [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/brucker02cvsserver.pdf BRW02]], and Brucker and Wolff further describe it in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/fmics_03.pdf BW03]].
     
    3840Caelli and Rhodes describe a Windows NT 4.0 implementation of RBAC [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-005.pdf CR99a]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/qut-isrc-tr-1999-003.pdf CR99b]].
    3941
    40 Demchenko, Gommans, Tokmakoff, van Buuren, and de Laut develop a grid-based collaobrative secruity policy compatible with the Globus toolkit [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/cts2006-oce-dynamic-access-control-05.pdf DGTE06]].
     42Demchenko, Gommans, Tokmakoff, van Buuren, and de Laut developed a grid-based collaobrative secruity policy compatible with the Globus toolkit [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/cts2006-oce-dynamic-access-control-05.pdf DGTE06]].
    4143
    4244Fernandez specifies and describes a case study of RBAC in Enterprise Dynamic Access Control for the United States Pacific Fleet {[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACcase-study.pdf Fer05a]], [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACcompliance.pdf Fer05b]] and   [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/EDACv2overview.pdf Fer06]].
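Review bot: v100 line 42 changes "develop" to "developed" but leaves "collaobrative secruity" uncorrected; it should read "collaborative security". The unchanged line 44 also opens the Fer05a reference with "{[" rather than "[[", so that link will not render as a wiki link.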
     
    4648Giuri describes an implementation of RBAC on the Web Using Java [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p11-giuri.pdf Giu99]].
    4749
    48 Hoffman describes implementing RBAC on a type-enforced, secure system [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/00646185.pdf Hof97]].
     50Hoffman describes implementing RBAC on a type-enforced, secure commercial system [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/00646185.pdf Hof97]].
    4951
    50 Manuel Holtgrewe has developed a Ruby on Rails library available under the MIT license that supports some levels of RBAC.  ActiveRBAC 0.3.1 did not support dyanmic access control [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ActiveRbacManual.pdf Hol06]]. This project uses Trac and has a wiki manual [[https://activerbac.turingstudio.com/trac/wiki/Manual ActiveRBAC manual]].
     52Holtgrewe developed a Ruby on Rails library available under the MIT license that supports some levels of RBAC.  ActiveRBAC 0.3.1 did not support dyanmic access control [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ActiveRbacManual.pdf Hol06]]. This project uses Trac and has a wiki manual [[https://activerbac.turingstudio.com/trac/wiki/Manual ActiveRBAC manual]].
    5153
    5254Kane and Browne in a recent paper classify access control implementations for distributed systems [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p29-kane.pdf KB06]].
    5355
    54 Kern, Schaad, and Moffett describe the Enterprise Role-Based Access Control Model (ERBAC) and its implementatin in commercial enterprise security management software SAM Jupiter [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p3-kern.pdf KSM03]].
     56Kern, Schaad, and Moffett describe the Enterprise Role-Based Access Control Model (ERBAC) and its implementation in commercial enterprise security management software SAM Jupiter [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p3-kern.pdf KSM03]].
    5557
    56 Marston describes radicore, an RBAC system for PHP at [[http://www.tonymarston.net/php-mysql/role-based-access-control.html Mar04]].  This Rapid Application Development Toolkit for building administrative Web applications is distributed under the GNU General Public License.
     58Marston describes radiCore, an RBAC system for PHP at [[http://www.tonymarston.net/php-mysql/role-based-access-control.html Mar04]].  This Rapid Application Development Toolkit for building administrative Web applications is distributed under the GNU General Public License.
    5759
    58 Neumann and Strembeck discuss the design and implementation of an RBAC service in an object-oriented scripting language XOTcl [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/neumann01design.pdf NS01]].  Implementation of conflict checking of separation of duty constraints in RBAC [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/se2004.pdf Str04]].  See [[http://wi.wu-wien.ac.at/home/mark/xoRBAC/index.html xoRBAC]] for downloadable software.
     60Neumann and Strembeck discuss the design and implementation of an RBAC service in an object-oriented scripting language XOTcl [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/neumann01design.pdf NS01]] and implementation of conflict checking of separation of duty constraints in RBAC [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/se2004.pdf Str04]].  See [[http://wi.wu-wien.ac.at/home/mark/xoRBAC/index.html xoRBAC]] for downloadable software.
    5961
    60 Obelheiro and Fraga implemented a prototype system with two CORBA servers and a Java client applet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01000036.pdf OF02]].
     62Obelheiro and Fraga implemented a prototype RBAC system with two CORBA servers and a Java client applet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01000036.pdf OF02]].
    6163
    6264Ryutov, Neuman, Kim, and Zhou discuss integrating intrusion detection with access control for Web servers for a number of implementations [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01233707.pdf RNKZ03]].
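Review bot: the merged sentence at v100 line 60 now attributes the separation-of-duty conflict-checking work [Str04] to Neumann and Strembeck jointly, whereas that citation key follows the single-author pattern used elsewhere on this page (compare Bro99, Giu99, Spe04) and so appears to be Strembeck alone; keep the second clause attributed to Strembeck only. Line 52 in this hunk also still carries "dyanmic" for "dynamic".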
     
    6870Squair, Jamhour, and Nabhen describe an RBAC-based Policy Information Base (PIB) based on the provisioning strategy defined by IETF [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01454316.pdf SJN05]].
    6971
    70 Schaad, Lotz, and Sohr describe a model-checking approach to analysing organisational controls in a loan origination process [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p139-schaad.pdf SLS06]], see also a case study of a credit application [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schaad03framework.pdf Sch03]],  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01176294.pdf SM02a]], [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-schaad.pdf SM02b]], and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1380-schaad.pdf SM04]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1328-schaad.pdf SSW05]] for a case study of an "eLaw" Process.
     72Schaad, Lotz, and Sohr describe a model-checking approach to analysing organizational controls in a loan origination process [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p139-schaad.pdf SLS06]], see also a case study of a credit application [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schaad03framework.pdf Sch03]],  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01176294.pdf SM02a]], [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-schaad.pdf SM02b]], and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1380-schaad.pdf SM04]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1328-schaad.pdf SSW05]] for a case study of an "eLaw" Process.
    7173
    72 Spengler addresses performance and granularity issues in RBAC for Linux in a case study in GRSECURITY [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/researchpaper.pdf Spe04]].
    73  
    7474Wainer, Barthelmess, and Kumar discuss a Prolog implementation of a workflow security model incorporating controlled overriding of constraints [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/wainer01wrbac.pdf WBK01]].
    7575
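Review bot: v100 line 72 changes "organisational" to "organizational" but keeps "analysing" in the same sentence, so the spelling convention is still mixed; pick one and apply it to both words. The Spengler entry removed here (v99 line 72) sat in correct alphabetical position between Schaad and Wainer, so the removal only makes sense if its new location preserves that ordering.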