Changes between Version 24 and Version 25 of Internal/Rbac
Timestamp: Oct 10, 2006, 1:54:26 PM
Internal/Rbac
v24 v25 5 5 RBAC is being implemented in ORBIT to protect each project's information from access or disruption by other projects, to minimize some problems within projects, and to provide tools for project administration by each project's Principal Investigator. That is, to insure that an ORBIT user has access only to information that belongs to the project he or she is working on, and is granted permissions in accord with the roles in which he or she is active. 6 6 7 To explain RBAC's specificuse of roles, first some terminology. In normal, scheduled operation, ORBIT is designed to insure that each person using an ORBIT resource is allowed to do so at that time. The Lightweight Directory Access Protocol (LDAP) is used by ORBIT to ''authenticate'' each user by checking his or her password when he or she logs into an ORBIT controller or server. LDAP authentication and the proper use of ORBIT user id's and passwords allows each user id to be related to a single human user, although a single person may have one or more ORBIT user id's. Each ORBIT user id may be logged into one or more sessions, and during each session there may well be multiple computer processes initiated by the user. A ''process'' is an instance of a user running an application program like a spreadsheet, editor or browser.7 To explain RBAC's use of roles, first some terminology. In normal, scheduled operation, ORBIT is designed to insure that each person using an ORBIT resource is allowed to do so at that time. The Lightweight Directory Access Protocol (LDAP) is used by ORBIT to ''authenticate'' each user by checking his or her password when he or she logs into an ORBIT controller or server. LDAP authentication and the proper use of ORBIT user id's and passwords allows each user id to be related to a single human user, although a single person may have one or more ORBIT user id's. 
Each ORBIT user id may be logged into one or more sessions, and during each session there may well be multiple computer processes initiated by the user. A ''process'' is an instance of a user running an application program like a spreadsheet, editor or browser. 8 8 9 9 When a user runs an application program that process acts on behalf of the user and is referred to as a ''subject''. An ''object'' is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database. ORBIT objects include the grid, sandboxes, ORBIT databases, and noise generator. An ''operation'' is an active part of a process invoked by the subject process much like a function call or a method invocation. In general, a ''permission'' or privilege is the authorization to perform some action on the system. In RBAC, a permission is the authorization to perform a given operation on a given object.
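Review bot: "insure" in the unchanged wiki lines 5 and 7 should be "ensure" (the v25 edit fixes "specificuse" on line 7 but leaves that), and "user id's" is a possessive form used as a plural throughout; "user ids" reads cleaner. Separately, ''session'' is used in the sentence that v25 splits off ("Each ORBIT user id may be logged into one or more sessions") but, unlike ''authenticate'', ''process'', ''subject'', ''object'', ''operation'' and ''permission'', is never set off and defined as a term, even though line 5 ties permissions to "the roles in which he or she is active" and line 7 introduces sessions without saying how they relate to that; a one-line definition of ''session'' alongside the other terms would close the gap. Minor: "ORBIT databases, and noise generator" on line 9 wants "the noise generator" for parallelism with "the grid".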