PERMIS Role-Based Access Control Example System Presenter: Haiyan - - PowerPoint PPT Presentation

permis role based access control example system
SMART_READER_LITE
LIVE PREVIEW

PERMIS Role-Based Access Control Example System Presenter: Haiyan - - PowerPoint PPT Presentation

Feb 27, 2024 299 likes •398 views

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1 PERMIS Review A role-based access control infrastructure Uses X.509 attribute certificate (AC) to store users roles All access

slide-1
SLIDE 1

1 CS 6204, Spring 2005

PERMIS Role-Based Access Control Example System

Presenter: Haiyan Cheng

slide-2
SLIDE 2

2 CS 6204, Spring 2005

PERMIS Review

♦ A role-based access control infrastructure ♦ Uses X.509 attribute certificate (AC) to store user’s roles ♦ All access control decisions are driven by authorization

policy

♦ Policies are stored in AC ♦ ACs are stored in one or more LDAP directories ♦ Authorization Policies are written in XML ♦ ADF(Access Control Decision Function) is written in Java

& Java API

♦ Include a Privilege Allocator

– Construct AC – Sign AC – Stores AC in LDAP

slide-3
SLIDE 3

3 CS 6204, Spring 2005

Comparison of PKI and PMI

Authentication Authorization PMI PKI User’s name Public Key User’s name Privilege Attribute CA AA Root CA Source of Authority Subordinate CA Subordinate AA Is used for Is used for Binds Sign Sign Binds CRL ACRL issues issues

slide-4
SLIDE 4

4 CS 6204, Spring 2005

Possible Authorization Schemes

♦ Discretionary Access Control (DAC) ♦ Multilevel Secure (MLS) system, a type of

Mandatory Access Control (MAC)

♦ Role-Based Access Control (RBAC)

– Basic – Hierarchical—involves privilege inheritance – Constrained RBAC—allow constraints to be applied to the roles and permissions

  • Mutually exclusive role
  • No. of roles one can hold
  • No. of people who can hold a particular role
  • Time constraint—validity period for RBAC
slide-5
SLIDE 5

5 CS 6204, Spring 2005

PERMIS PMI Architecture

♦ Privilege Allocation Subsystem

– Responsible for allocating privilege to the users

♦ Privilege Verification Subsystem

– Responsible for authenticating (application specific) and authorizing (application independent) users

slide-6
SLIDE 6

6 CS 6204, Spring 2005

The Privilege Allocation Subsystem

From PERMIS paper

slide-7
SLIDE 7

7 CS 6204, Spring 2005

The Structure of the Policy DTD

SubjectPolicy

– specifies subject domain ♦

RoleHierarchyPolicy

– specify the different roles and hierarchy relations ♦

SOAPolicy

– specify which SOAs are trusted to allocate roles, and permits the distributed managements of roles to take place ♦

RoleAssignmentPolicy

– specify which role maybe allocated to which subject by which SOA, weather delegation of roles may ake place or not, and how long the roles maybe assigned for ♦

TargetPolicy

– specify target domain covered by the policy ♦

ActionPolicy

– specify actions supported by the target and parameter needed for each action ♦

TargetAccssPolicy

– specify which roles have permission to perform which actions on which target and under which conditions.

slide-8
SLIDE 8

8 CS 6204, Spring 2005

The Privilege Verification Subsystem

From PERMIS paper