Changes between Version 19 and Version 20 of Internal/Rbac


Ignore:
Timestamp:
Oct 6, 2006, 4:22:38 PM (19 years ago)
Author:
anonymous
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Internal/Rbac

    v19 v20  
    77To explain RBAC's specific use of roles, first some terminology.  In normal, scheduled operation, ORBIT is designed to insure that each person using an ORBIT resource is allowed to do so at that time.  The Lightweight Directory Access Protocol (LDAP) is used by ORBIT to ''authenticate'' each user's password when he or she logs into an ORBIT controller or server.  LDAP authentication and the proper use of ORBIT user id's and passwords allows each user id to be related to a single human user although a single person may have one or more ORBIT user id's.  Each ORBIT user id may be logged into one or more sessions, and during each session there may well be multiple computer processes initiated by the user.  A ''process'' is an instance of a user running an application program like a spreadsheet, editor or browser.
    88
    9 When a user runs an application program that process acts on behalf of the user and is referred to as a ''subject''.  An ''object'' is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database.  ORBIT objects include the grid, sandboxes, ORBIT databases, and noise generator.  An ''operation'' is an active part of a process invoked by the subject process much like a function call or a method invocation.  In general, a ''permission'' or privilege is the authorization to perform some action on the system.  In RBAC, a permission is the authorization to perform a given operation on a given object.  The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are fewer than a hundred different roles they act in at any given time to access resources.  Users are assigned to one or more roles.  Each role has a defined set of permissions, each permission either allowing or disallowing an operation invoked by a subject process run by a user acting in that role to access a given object.
     9When a user runs an application program that process acts on behalf of the user and is referred to as a ''subject''.  An ''object'' is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database.  ORBIT objects include the grid, sandboxes, ORBIT databases, and noise generator.  An ''operation'' is an active part of a process invoked by the subject process much like a function call or a method invocation.  In general, a ''permission'' or privilege is the authorization to perform some action on the system.  In RBAC, a permission is the authorization to perform a given operation on a given object.
     10
     11The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are fewer than a hundred different roles they act in at any given time to access resources.  Users are assigned to one or more roles.  Each role has a defined set of permissions, each permission either allowing or disallowing an operation invoked by a subject process run by a user acting in that role to access a given object.
    1012
    1113Two special constraints are needed with role-based access control for ORBIT.  A primary goal of ORBIT's is to insure each user has access to data and results only for his or her project(s).  Second, use of the grid and sandboxes is scheduled and control of access to each of them has to be integrated with the ORBIT scheduler.