Changes between Version 140 and Version 141 of Internal/Rbac/OrbitRbacDesign

Timestamp:
Sep 20, 2006, 3:33:58 PM (18 years ago)
Author:
hedinger
Comment:

  • Internal/Rbac/OrbitRbacDesign

    v140 v141  
    88It seems to be a good idea to pursue the server-pull architecture because of temporal constraints and to avoid certificate revocation issues.  If it decided otherwise to use a user-pull architecture, secure cookies [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/diss-jean.pdf Par99]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00secure.pdf PS00b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park99rbac.pdf PSG99]] and smart X.509 certificates [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p1-park.pdf PS99a]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/smart-certificates-extending-x-1.pdf PS99b]] [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/park00binding.pdf PS00a]] are the two methods used.  Ahn, Sandhu, Kang, and Park discuss a proof-of-concept implementation of a user-pull architected, web-based workflow system in  [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/2928_1724_76-10-01.pdf ASKP00]].
    99
    10 Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p37-park.pdf PSA01]].  Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML to facilitate collaboration within or beyond a single enterprise boundary, improving upon the previous LDAP-oriented solution [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01045125.pdf SAP02]].  Zhang, Park, and Sandhu describe a schema-based XML security approach for RBAC in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schema-based-xml-security.pdf ZPS03]].  Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-damiani.pdf DDPS00]].
    11 
    12 
    1310This design assumes that user authentication will be handled separately and will be reliable.  It also assumes that ORBIT users will protect their passwords and not intentionally loan them to others.  These two assumptions allow a person to be related to a user id.
    1411
    15 It is assumed that access control is only related to scheduling in so far as respecting time limits for access to the grid or sandboxes.
     12It is assumed that access control will not interact with scheduling that is currently based on users not projects.
    1613
    17 It is assumed that access control will not need to interact with cost accounting.  It is assumed that any denial of access to overdrawn users will be enforced by user authentication.
    18 
    19 If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.
     14It is assumed that access control will not need to interact with cost accounting.  It is assumed that any denial of access to overdrawn users will be enforced by user authentication.  If it is required to enforce project-level denial of access due to cost considerations it might be possible to enforce it when an already authorized user attempts to select that project or when he or she accesses an object with a cost associated with it.
    2015
    2116Does hierarchical RBAC solve the seeming need to have per-project instances of each role for per-project resources like its results files?
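Review bot: new line 12 replaces old line 15 but drops the statement about grid and sandbox time limits without saying who now enforces them; if the scheduler owns those limits, say so in the new assumption (e.g. "time limits on grid and sandbox access are enforced by scheduling, not by access control"), otherwise the revision leaves that enforcement point undocumented. Also "based on users not projects" wants a comma: "based on users, not projects". In the merged line 14, stating that denial of access to overdrawn users "will be enforced by user authentication" makes an accounting decision depend on the authentication step; it would be clearer to name the cost-accounting component as the enforcer and keep authentication limited to establishing identity, which is what lines 10 and 11 already rely on.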
     
    3530
    3631Ferraiolo, Barkley, and Kuhn's paper describes the features of RBAC including dynamic separation of duty and their implementation of the NIST RBAC model RBAC/Web [wiki:Internal/Rbac/OrbitRbacDesign/NistRbacSoftware NIST RBAC Software] within a corporate intranet [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p34-ferraiolo.pdf FBK99]].  Ferraiolo, Chandramouli, Ahn, and Gavrila describe the Role Control Center tool [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p12-ferraiolo.pdf FCAG03]].
     32
     33
     34Park, Sandhu, and Ahn summarize the issues in implementing RBAC on the Web in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p37-park.pdf PSA01]].  Shin, Ahn, and Park further demonstrate an application of Directory Service Markup Language (DSML) to implement RBAC with XML to facilitate collaboration within or beyond a single enterprise boundary, improving upon the previous LDAP-oriented solution [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/01045125.pdf SAP02]].  Zhang, Park, and Sandhu describe a schema-based XML security approach for RBAC in [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/schema-based-xml-security.pdf ZPS03]].  Damiani, di Vimercati, Paraboschi, and Samarati describe the design and implementation of an access control processor for XML documents [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-damiani.pdf DDPS00]].
     35
    3736
    3837Georgiadis, Mavridis, Pangalos, and Thomas discuss the use of contextual information with team-based access control for collaborative activities best accomplished by teams of users. Users who belong to a team are given access to resources used by a team. However, the effective permissions of a user are derived from permission types defined for roles that the user belongs to. [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p21-georgiadis.pdf GMPT01]].  This work is based on that of Thomas [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p13-thomas.pdf Tho97]] and [[http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/i97tbac.pdf TS98]].
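Review bot: the relocated paragraph at new line 34 is identical to removed old line 10, so the move is fine, but it is now preceded by two blank lines (32 and 33) and followed by one (35), while the surrounding paragraphs use a single blank line between them; drop one of the leading blanks. The move also places the Web and XML implementation papers (PSA01, SAP02, ZPS03, DDPS00) directly after the RBAC/Web intranet paper (FBK99, FCAG03) with no connecting sentence; a short lead-in along the lines of "Web-based implementations are summarized next" would make the new ordering read as intentional.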