Changes between Version 25 and Version 26 of Internal/Rbac
Timestamp: Oct 10, 2006, 1:59:34 PM
Internal/Rbac

Line 9 (unmodified in v25 and v26):

When a user runs an application program that process acts on behalf of the user and is referred to as a ''subject''. An ''object'' is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database. ORBIT objects include the grid, sandboxes, ORBIT databases, and noise generator. An ''operation'' is an active part of a process invoked by the subject process much like a function call or a method invocation. In general, a ''permission'' or privilege is the authorization to perform some action on the system. In RBAC, a permission is the authorization to perform a given operation on a given object.

Line 11 (v25, removed):

The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are fewer than a hundred different roles they act in at any given time to access resources. Users are assigned to one or more roles. Each role has a defined set of permissions, each permission either allowing or disallowing an operation invoked by a subject process run by a user acti ng in that role to accessa given object.

Line 11 (v26, added):

The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are fewer than a hundred different roles they act in at any given time to access resources. Users are assigned to one or more roles. Each role has a defined set of permissions, each permission either allowing or disallowing an operation invoked by a subject process run by a user active in that role to be performed on a given object.

Line 13 (unmodified in v25 and v26):

In ORBIT, role-based access control will be implemented using LDAP. Besides authenticating users, an LDAP schema will be developed for a directory of projects and roles. ORBIT RBAC will also require modifications to the services that control ORBIT resources so that access to the methods those servicess present to users can be controlled.
Further, a monitor program based on the NIST RBAC/Web code is needed to grant access quickly to users when accessing these methods. It is expected that this implementation will have acceptable performance while providing the desired levels of protection and administrative capability.
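Review bot: the v26 rewrite of line 11 fixes the split word "acti ng" and the run-together "accessa", and it also narrows the meaning: the permission now governs whether the operation may "be performed on a given object" rather than whether the object may be accessed, which matches line 9's definition of a permission as an operation on an object. Line 13 still carries the typo "servicess" and was not touched in this revision.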
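The following is an added example, not code from the ORBIT wiki or from the NIST RBAC/Web monitor the page refers to. It models the vocabulary of lines 9 and 11 directly: users are assigned roles, a role carries permissions, a permission is an (operation, object) pair that either allows or disallows, and a subject is a process acting for a user in the roles that user has activated. The monitor flattens the policy into a lookup table once so that each access check on a service method is a single dictionary hit, in the spirit of the "grant access quickly" requirement. The role names, operation names and user names are constructed sample data; the object names (grid, sandbox, ORBIT database, noise generator) are the ones the page lists.

```python
"""Added example: a minimal role-based access control check in the page's terms.
All role, user and operation names below are constructed; this is not ORBIT's
LDAP schema or the NIST RBAC/Web code."""
from dataclasses import dataclass, field
from typing import Callable

DEFAULT_DENY = False  # anything not explicitly permitted is refused


@dataclass(frozen=True)
class Permission:
    operation: str      # e.g. "reserve" (constructed)
    obj: str            # e.g. "grid" (an ORBIT object named on the page)
    allow: bool = True  # the page says a permission may allow or disallow


@dataclass
class Policy:
    """Role -> permissions and user -> roles: what the page's directory of
    projects and roles would hold."""
    role_permissions: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, operation: str, obj: str, allow: bool = True) -> None:
        self.role_permissions.setdefault(role, set()).add(Permission(operation, obj, allow))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def compile(self) -> "Monitor":
        """Flatten the policy once so each check is a dict lookup."""
        table: dict[tuple[str, str, str], bool] = {}
        for role, perms in self.role_permissions.items():
            for p in perms:
                key = (role, p.operation, p.obj)
                # an explicit deny within a role wins over an allow for the same key
                table[key] = table.get(key, True) and p.allow
        return Monitor(table, {u: frozenset(r) for u, r in self.user_roles.items()})


@dataclass(frozen=True)
class Subject:
    """A process acting for a user in the roles activated for this session."""
    user: str
    active_roles: frozenset[str]


class Monitor:
    def __init__(self, table: dict, user_roles: dict) -> None:
        self._table = table
        self._user_roles = user_roles

    def activate(self, user: str, roles: set[str]) -> Subject:
        """A user may only act in roles that are actually assigned to them."""
        unassigned = set(roles) - self._user_roles.get(user, frozenset())
        if unassigned:
            raise ValueError(f"{user} is not assigned role(s) {sorted(unassigned)}")
        return Subject(user, frozenset(roles))

    def is_authorized(self, subject: Subject, operation: str, obj: str) -> bool:
        decisions = [self._table[(r, operation, obj)] for r in subject.active_roles
                     if (r, operation, obj) in self._table]
        if not decisions:
            return DEFAULT_DENY
        return all(decisions)  # a deny in any active role refuses the request

    def guard(self, operation: str, obj: str):
        """Decorator that fronts a service method, as the page's monitor would."""
        def wrap(fn: Callable):
            def inner(subject: Subject, *args, **kwargs):
                if not self.is_authorized(subject, operation, obj):
                    raise PermissionError(f"{subject.user}: {operation} on {obj} refused")
                return fn(subject, *args, **kwargs)
            return inner
        return wrap


def build_sample_policy() -> Policy:
    """Constructed sample policy over the ORBIT objects the page names."""
    pol = Policy()
    pol.grant("experimenter", "reserve", "grid")
    pol.grant("experimenter", "write", "sandbox")
    pol.grant("observer", "read", "orbit-db")
    pol.grant("observer", "reserve", "grid", allow=False)  # explicit disallow
    pol.grant("admin", "configure", "noise-generator")
    pol.assign("alice", "experimenter")
    pol.assign("alice", "observer")
    pol.assign("bob", "observer")
    return pol


monitor = build_sample_policy().compile()


@monitor.guard("reserve", "grid")
def reserve_grid(subject: Subject, hours: int) -> str:
    """A guarded service method; the monitor decides before the body runs."""
    return f"grid reserved for {subject.user} for {hours}h"


def demo() -> dict:
    alice = monitor.activate("alice", {"experimenter"})
    alice_both = monitor.activate("alice", {"experimenter", "observer"})
    bob = monitor.activate("bob", {"observer"})
    return {
        "alice_experimenter_reserve": monitor.is_authorized(alice, "reserve", "grid"),
        "alice_both_reserve": monitor.is_authorized(alice_both, "reserve", "grid"),
        "bob_reserve": monitor.is_authorized(bob, "reserve", "grid"),
        "bob_read_db": monitor.is_authorized(bob, "read", "orbit-db"),
        "bob_unlisted": monitor.is_authorized(bob, "write", "sandbox"),
        "reserve_call": reserve_grid(alice, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points are worth noting. Activation is checked separately from authorization, so a user cannot simply claim a role; and an explicit disallow in any activated role refuses the request, which is why alice is refused when she activates both roles at once even though one of them would allow the reservation on its own.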