access control policies
play

Access Control Policies www.skills-1st.co.uk for LDAP Andrew - PowerPoint PPT Presentation

Nov 16, 2023 •266 likes •501 views

Access Control Policies www.skills-1st.co.uk for LDAP Andrew Findlay Skills 1st Ltd andrew.findlay@skills-1st.co.uk January 2009 Why Access Control? Keep the bad guys out! www.skills-1st.co.uk Let the good guys in Who can read

  1. Access Control Policies www.skills-1st.co.uk for LDAP Andrew Findlay Skills 1st Ltd andrew.findlay@skills-1st.co.uk January 2009

  2. Why Access Control? ● Keep the bad guys out! www.skills-1st.co.uk ● Let the good guys in – Who can read – Who can modify

  3. Concepts ● Subject – who www.skills-1st.co.uk ● Object – what ● Access – permitted actions – Read / Add / Delete entries – Read / Search / Modify attributes ● ACI – Access Control Item ● ACL – Access Control List

  4. Design Process ● Define the requirements www.skills-1st.co.uk – Subjects: define groups – Objects: define categories – Allow for data management – Verify application requirements – Refine with examples ● Build a test suite ● Write ACLs

  5. Simple Policies www.skills-1st.co.uk ● Read only dc=example,dc=org ● Data admin ● Admin group dc=people dc=groups uid=u1 uid=u3 cn=g1 cn=g2 uid=u2

  6. Design Principles ● ACLs are programs www.skills-1st.co.uk ● Have few ACLs ● Avoid routine ops involving ACLs ● Use attributes to trigger ACIs ● Write the tests first ● Don't mix grants and denys ● Give access to groups, not individuals

  7. More Principles ● Use DIT Content Rules www.skills-1st.co.uk ● Make DNs opaque – uniqeIdentifier=A674EC43 ● Avoid spaces and punctuation in RDNs

  8. Server capabilities ● IBM TDS www.skills-1st.co.uk – ACLs in DIT, at the control point – Filters ● Sun / Netscape / Red Hat / Fedora – ACLs in DIT, anywhere above control point – Filters, macros ● OpenLDAP – ACLs outside DIT, program-like – Filters, regular expressions, sets...

  9. Example: user registry ● To authenticate users: ID and password www.skills-1st.co.uk ● Public read ● Users can change their own passwords ● Passwords not readable by anyone dc=example,dc=org dc=people dc=groups uid=u1 uid=u3 cn=g1 cn=g2 uid=u2

  10. ACLs for TDS www.skills-1st.co.uk dn: dc=example,dc=org changetype: modify add: ibm-filterAclEntry ibm-filterAclEntry: group:CN=ANYBODY: (objectclass=*):normal:rsc ibm-filterAclEntry: access-id:cn=this: (objectclass=*):at.userPassword:grant:w

  11. ACLs for Sun / Netscape www.skills-1st.co.uk dn: dc=example,dc=org changetype: modify add: aci aci: (targetattr != "userPassword") (version 3.0; acl "Make public objects visible"; allow (read, compare, search) (userdn = "ldap:///anyone") ;) aci: (targetattr = "userPassword") ( version 3.0; acl "Users change own passwords"; allow (write) (userdn = "ldap:///self") ;)

  12. ACLs for OpenLDAP www.skills-1st.co.uk access to attrs="userPassword" by self =w by * auth access to * by * read

  13. Example: Local Visibility www.skills-1st.co.uk ● Visibility attribute ● Local visibility by default dc=example,dc=org dc=a dc=b dc=people dc=groups dc=groups dc=people uid=a1 uid=a2 cn=clerks uid=b1 uid=b2 cn=clerks

  14. ACLs for TDS ● Needs an ACL in each department entry www.skills-1st.co.uk ● Identify local users with a dynamic group dn: cn=users,dc=groups,dc=a,dc=example,dc=org changetype: add objectclass: groupOfURLs objectclass: ibm-dynamicGroup cn: users memberURL: ldap:///dc=people,dc=a,dc=example,dc=org?? sub?(objectclass=*) dn: dc=a,dc=example,dc=org changetype: modify replace: ibm-filterAclEntry ibm-filterAclEntry: group:cn=users,dc=groups,dc=a,dc=example,dc=org: (objectclass=*):normal:rsc

  15. ACLs for TDS ● Global ACL: passwords and public entries www.skills-1st.co.uk dn: dc=example,dc=org ibm-filterAclEntry: access-id:cn=this: (objectclass=*):at.userPassword:grant:w ibm-filterAclEntry: group:CN=ANYBODY: (exampleVisibility=public):normal:rsc

  16. ACLs for Sun / Netscape ● Macro selects same-department users www.skills-1st.co.uk dn: dc=example,dc=org aci: (target="ldap:/// ($dn) ,dc=example,dc=org") (targetattr != "userPassword") (version 3.0; acl "Users see entries in their own department"; allow (read, compare, search) (userdn = "ldap:///dc=people, [$dn] ,dc=example,dc=org??sub?") ;)

  17. ACLs for Sun / Netscape ● Filter selects public entries www.skills-1st.co.uk dn: dc=example,dc=org aci: (targetfilter = "(exampleVisibility=public)") (targetattr != "userPassword") (version 3.0; acl "Make public objects visible to all"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

  18. ACLs for OpenLDAP www.skills-1st.co.uk access to dn.subtree="dc=example,dc=org" attrs="userPassword" by self =w by * auth access to filter="(exampleVisibility=public)" by * read access to dn.regex=" (dc=[^,]+,dc=example,dc=org)$ " by dn.subtree,expand="dc=people, $1 " read by * break access to * by * none

  19. Controlling DIT Content ● For delegated administration www.skills-1st.co.uk ● ACLs should only allow write for correct object type – OpenLDAP, Netscape OK. TDS fails. ● Need to control auxiliary classes: DIT Content Rule ditcontentrule ( 2.16.840.1.113730.3.2.2 NAME 'dcrPerson' DESC 'Control inetOrgPerson entries' AUX strongAuthenticationUser )

  20. Attribute sets for OpenLDAP ● Use object class to define set www.skills-1st.co.uk ● Remember to give access to “entry” objectclass ( 1.2.826.0.1.3458854.666.3.1 NAME 'attrsetAnonVisible' DESC 'Attributes visible to anon users' AUXILIARY MAY ( objectclass $ cn $ sn $ displayname $ mail $ uniqueIdentifier ) ) access to filter="(objectclass=person)" attrs="entry,@attrsetAnonVisible" by * +rsc break

  21. Gotchas ● Hard to hide entries entirely www.skills-1st.co.uk – Detection by error message – OpenLDAP can protect leaf entries – Others have no protection ● Hard to control content of new entries – OpenLDAP can do it – Sun / Netscape has some control – TDS has none

  22. Summary ● Access control needs care www.skills-1st.co.uk ● Difficulty can rise fast with policy size ● Test-driven development ● Design patterns ● Read the paper Andrew Findlay Andrew.Findlay@skills-1st.co.uk

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and M. Fernndez LIF , Marseille & Kings College London WTS2010, Nancy C. Bertolissi, M. Fernndez () Term rewriting for Access Control

1.04k views • 28 slides
Static enforceability of XPath-based access control policies James Cheney University of

Static enforceability of XPath-based access control policies James Cheney University of

Static enforceability of XPath-based access control policies James Cheney University of Edinburgh DBPL 2013 August 30, 2013 Background Access control for XML databases Read-only security views [Stoica & Farkas 2002, Fan

431 views • 29 slides
Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and Peter Sewell Computer Laboratory, University of Cambridge, U.K. Cassandra: Distributed Access Control Policies with Tunable Expressiveness p.

1.44k views • 20 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST

Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST

Management of Exceptions in Access Control Policies J. G. Alfaro, F. Cuppens, N. Cuppens ENST Bretagne, Rennes RSM/SERES Outline - 2 - Problem domain Main strategies Use of full expressiveness Conclusions and Perspectives

562 views • 28 slides
Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise ,

Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise ,

Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise , Riccardo Traverso, Anh Truong FBK-Irst, Trento, Italy Metodi dichiarativi nella verifica di sistemi parametrici Milano, 25-26 Settembre, 2014 Ranise

577 views • 40 slides
Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security

Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security

Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security Conf , Sept. 05 Mark Ryan Dimitar Guelev Nan Zhang School of Computer Science, University of Birmingham Section of Logic, Institute of

478 views • 21 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy

CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy

CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy Lectures 9 and 10 Access Control The prevention of unauthorized use of a resource, including the prevention of use of a resource in an

1.17k views • 90 slides
Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search Ph.D. Dissertation Defense Zeeshan Pervez Department of Computer Engineering Kyung Hee University, Global Campus, Korea email:

650 views • 24 slides
W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

Laurent Bussard and Moritz Y. Becker Microsoft (EMIC and MSRC) W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines Scenario: Privacy Policies and Preferences Links with Access Control Our

636 views • 17 slides
Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar ,

Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar ,

Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar , Philip W. L. Fong , Xue-Dong Yang , Howard Hamilton University of Calgary, Alberta, Canada University of Regina, Saskatchewan,

341 views • 31 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Where we started 2 Accountable Care Organizations ACOs) Community- Based Care Health Homes

Where we started 2 Accountable Care Organizations ACOs) Community- Based Care Health Homes

Building Community-Based Integrated Care Networks Marisa Scala-Foley Where we started 2 Accountable Care Organizations ACOs) Community- Based Care Health Homes Transitions Program (CCTP) Integrated Care Opportunities Medicaid Duals

549 views • 16 slides
Mit Mitig igating ing Gen Gender er Bia Bias in in NLP: Li Lite teratur ture Re Review

Mit Mitig igating ing Gen Gender er Bia Bias in in NLP: Li Lite teratur ture Re Review

Mit Mitig igating ing Gen Gender er Bia Bias in in NLP: Li Lite teratur ture Re Review UC Santa Barbara, UCLA Tony Sun Andrew Gaut Shirlyn Tang Yuxin Huang ACL 2019 Mai ElSherief Jieyu Zhao Diba Mirza Elizabeth

567 views • 18 slides
Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science &

Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science &

Squashing Computational Linguistics Noah A. Smith Paul G. Allen School of Computer Science & Engineering University of Washington Seattle, USA @nlpnoah Research supported in part by: NSF, DARPA DEFT, DARPA CWC, Facebook, Google, Samsung,

1.28k views • 90 slides
Disclosures Y- Balance Testing in Anterior Cruciate Lau, Tufts, Souza, Li, Feeley, Allen:

Disclosures Y- Balance Testing in Anterior Cruciate Lau, Tufts, Souza, Li, Feeley, Allen:

5/9/2014 Disclosures Y- Balance Testing in Anterior Cruciate Lau, Tufts, Souza, Li, Feeley, Allen: Injuries and Following Reconstruction No Disclosures Ma: Brian Lau 1 MD, Lauren Tufts 2 BS, Richard Souza 2 DPTPhD, Xiaojuan Li 2 PhD,

250 views • 5 slides
What Kind of Language Is Hard to Language-Model? ACL 2019 Sabrina J. Mielke and Ryan Cotterell,

What Kind of Language Is Hard to Language-Model? ACL 2019 Sabrina J. Mielke and Ryan Cotterell,

What Kind of Language Is Hard to Language-Model? ACL 2019 Sabrina J. Mielke and Ryan Cotterell, Kyle Gorman, Brian Roark, Jason Eisner Johns Hopkins University // City University of New York Graduate Center // Google sjmielke@jhu.edu Twitter:

1.09k views • 85 slides
Explainable Improved Ensembling for Natural Language and Vision Nazneen Rajani University of

Explainable Improved Ensembling for Natural Language and Vision Nazneen Rajani University of

Explainable Improved Ensembling for Natural Language and Vision Nazneen Rajani University of Texas at Austin Ph.D. Defense (12 th July, 2018) NLP Vision Discourse Scene Recognition Visual Question Sentiment Analysis Object Tracking

1.24k views • 99 slides
Mo Morphology Yonatan Belinkov Nadir Durrani Fahim Dalvi Hassan Sajjad James Glass -

Mo Morphology Yonatan Belinkov Nadir Durrani Fahim Dalvi Hassan Sajjad James Glass -

Wh What do Neural Ma Machine Tr Translation Models Learn About Mo Morphology Yonatan Belinkov Nadir Durrani Fahim Dalvi Hassan Sajjad James Glass - Presented by Raghav Gurbaxani FROM ACL 2017 Mo Motivation In recent times Neural

573 views • 25 slides
Towards a Computational History of the ACL: 19802008 Ashton Anderson, Dan McFarland, Dan

Towards a Computational History of the ACL: 19802008 Ashton Anderson, Dan McFarland, Dan

Towards a Computational History of the ACL: 19802008 Ashton Anderson, Dan McFarland, Dan Jurafsky Stanford University 1 Intro + Motivation Simple data-driven methodology for computational history of science What are the natural

469 views • 32 slides

More recommend