pros and cons for using ldap as backend for an rbac system
play

Pros and cons for using LDAP as backend for an RBAC system 3 rd - PowerPoint PPT Presentation

Jun 11, 2023 •281 likes •815 views

Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg, 10.-11.10.2011 Peter Gietz, Markus Widmer, DAASI International GmbH Peter.gietz@daasi.de Markus.widmer@daasi.de 1 (c) October 2011 DAASI

  1. Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg, 10.-11.10.2011 Peter Gietz, Markus Widmer, DAASI International GmbH Peter.gietz@daasi.de Markus.widmer@daasi.de 1 (c) October 2011 DAASI International

  2. Agenda  Motivation for Role Based Access Control  The RBAC standard  XACML  OpenRBAC  Why with OpenLDAP?  Pros and Cons 2 (c) October 2011 DAASI International

  3. Motivation for Role Based Access Control  Health Level Seven International (HL7) is „the global authority on standards for interoperability of health information technology with members in over 55 countries.“  Their motivation was:  “Simplify authorization management  Reduce administrative costs  Improve security  Enhance partner interoperability  Enable new network-level RBAC services” 3 (c) October 2011 DAASI International

  4. Motivation for Role Based Access Control  Another motivation could be compliance (says NIST at http://csrc.nist.gov/groups/SNS/rbac/sarbanes_oxley.html):  “The Sarbanes-Oxley Act establishes a set of requirements for financial systems, to deter fraud and increase corporate accountability.  For information technology systems, regulators may need to know who used a system, when they logged in and out, what accesses or modifications were made to what files, and what authorizations were in effect.  IT vendors responding to Sarbanes-Oxley requirements have adopted RBAC as central to compliance solutions because RBAC was designed to solve this type of problem.” 4 (c) October 2011 DAASI International

  5. Motivation for Role Based Access Control  Using roles makes access control easier and clearly arranged  When a user changes her role in an organization she automatically has the right privileges for that role  There are no „special ad hoc solutions“ like:  „user X needs permission to access resource Y now, please make it so“  Things like this tend not to be documented and thus will be forgotten, even after user X has left the organization  The real-world organizational structure can be mapped in the role model  Changes in these structures can easily be adopted  There are good standards (RBAC und XACML) 5 (c) October 2011 DAASI International

  6. Prerequisites  You need a clear role model  Roles must be mapped somehow in the user management system  Identity Management is quite helpful here  Applications need to be able to consume such information  Role information can also be transported via federated Identity Management Systems (SAML, e.g. Shibboleth)  You need an implementation 6 (c) October 2011 DAASI International

  7. The RBAC standard  ANSI INCITS 359-2004 says:  This standard describes RBAC features that have achieved acceptance in the commercial marketplace.  It includes a reference model and functional specifications for the RBAC features defined in the reference model.  It is intended for • software engineers and product development managers who design products incorporating access control features • managers and procurement officials who seek to acquire computer security products with features that provide access control capabilities in accordance with commonly known and understood terminology and functional specifications. 7 (c) October 2011 DAASI International

  8. ANSI-Standard RBAC components  The ANSI-Standard RBAC is divided into several functional components:  Core RBAC • Basic features every complient implementation must provide  Hierarchical RBAC (two types) • Optional role hierachies  Static Separation of Duty • Optional static exclusion of concurrency of single roles  Dynamic Separation of Duty • Optional dynamic exclusion of concurrency of single roles, i.e. at run-time 8 (c) October 2011 DAASI International

  9. ANSI-Standard RBAC concepts  object:  any system resource subject to access control, such as a file, printer, terminal, database record, etc.  operation:  executable image of a program, which upon invocation executes some function for the user (e.g. read, write, execute, etc.).  permissions:  an approval to perform an operation on one or more RBAC protected objects. 9 (c) October 2011 DAASI International

  10. ANSI-Standard RBAC concepts  role:  a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role  user:  a human being or any other agent in an IT system like machines, networks, or intelligent autonomous agents  session:  A combination of a randomly (unique) ID, a user, a roleset and a lifetime 10 (c) October 2011 DAASI International

  11. RBAC-Core  Defines basic functionality, any implementation of the RBAC standard has to have. These are:  Creating and deleting users, roles and sessions  Creating and deleting permissions on resources  Defines the function checkAccess, that can be used retrieve a decision for a object/operation combination  Defines additional functionality  to change relationships between components e.g. add user to a role  to get information about single components of the system 11 (c) October 2011 DAASI International

  12. RBAC-Core 12 (c) October 2011 DAASI International

  13. Hierarchical RBAC  Extends the basic functionality with role hierarchies defining two types:  Limited Role Hierarchy: roles are organized in a tree structure (single parent node, multiple child nodes)  General Role Hierarchy: roles are organized in free graphs (no limit to parent or child nodes)  Some of the functions of RBAC-Core are adapted:  e.g. addActiveRole: now has to consider the hierarchy of roles when activating a session role  In addition some new functionality is defined to change the role hierarchies 13 (c) October 2011 DAASI International

  14. Hierarchical RBAC 14 (c) October 2011 DAASI International

  15. Separation of Duty  Used to prevent users from getting or activating conflicting role combinations  In cases of conflict of interests (e.g. applicant and allower)  By using so called Sets roles can be defined that exclude one another  There are two different types:  Static Separation of Duty (SSD)  Dynamic Separation of Duty (DSD)  These two types can be used independently or in combination 15 (c) October 2011 DAASI International

  16. Static Separation of Duty (SSD)  SSD-Sets define two or more roles that cannot be assigned to the same user at any time  These restrictions are checked each time a user is assigned to a role  SSD relations define and place constraints on a user’s total permission space  SSD relations may exist within hierarchical RBAC 16 (c) October 2011 DAASI International

  17. Static Separation of Duty (SSD) 17 (c) October 2011 DAASI International

  18. Dynamic Separation of Duty (DSD)  Restrictions are only checked when activating a role for a user's session  Users are allowed to be assigned to roles that exclude on another but they are not allowed to activate them at the same time (i.e. in one session)  Active roles are assigned to a user's session whereas a user can be assigned to more then these roles  DSD properties provide extended support for the principle of least privilege in that each user has different levels of permission at different times, depending on the role being performed 18 (c) October 2011 DAASI International

  19. Dynamic Separation of Duty (DSD) 19 (c) October 2011 DAASI International

  20. Extensibility of RBAC  The standard already defines a wide range of functions that provide many useful features for authorization tasks  It can easily be extended as the standard itself is structured in basic functionality and additional extending modules  An example for an extension could be e.g. „Multi-session Separation of Duties“ (David Chadwick, 2006):  An extension where a user is not only prevented from activating roles within the same session but across multiple active sessions 20 (c) October 2011 DAASI International

  21. XACML: an interoperable standard  Extended Access Control Markup Language  OASIS-Standard  There are XACML profiles for SAML and LDAP/DSML as well as for RBAC  Access policies can be specified independent from applications  A policy can reference another policy  Complex: like a programming language  Thus only slowly becoming accepted 21 (c) October 2011 DAASI International

  22. XACML-Elemente  PolicySet: Container for policies or other PolicySets  Policies and PolicySets can be combined via algorithms  Conditions are composed of subject, resource and action  Policy Decision Point (PDP)  Policy Enforcement Point (PEP)  Target: collection of simple conditions  Rule: Access control Rules  Attributes 22 (c) October 2011 DAASI International

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Purchasing Card Solution in SAP Option 1: SAP EBP Pros Pros Cons Cons Allows de-central

Purchasing Card Solution in SAP Option 1: SAP EBP Pros Pros Cons Cons Allows de-central

Purchasing Card Solution in SAP Option 1: SAP EBP Pros Pros Cons Cons Allows de-central users who dont have Requires a requisition, PO or shopping cart access to SAP to do their own expense to be define prior to bank file

258 views • 4 slides
What is .Net A platform that anyone can develop for using a system similar to Java/JVM.

What is .Net A platform that anyone can develop for using a system similar to Java/JVM.

Outline What is .Net .Net Pros .Net Pros and Cons .Net Cons Conclusion References What is .Net Application development framework based solely on the windows family o/s. What is .Net A platform that anyone can develop

268 views • 10 slides
PASSWORD SOFTWARE AU PC Mtg Nov. 19 DASHLANE Pros & Cons o Self-learn support

PASSWORD SOFTWARE AU PC Mtg Nov. 19 DASHLANE Pros & Cons o Self-learn support

PASSWORD SOFTWARE AU PC Mtg Nov. 19 DASHLANE Pros & Cons o Self-learn support links o Dashlane Threat Center LASTPASS ROBOFORM DASHLANE PROs & CONs PROs PC Based software app Privacy and

241 views • 7 slides
1 Going Back to School: The Cons/ Challenges It may be physically and emotionally challenging

1 Going Back to School: The Cons/ Challenges It may be physically and emotionally challenging

The SAMFund Presents: Going Back to School Post-Cancer: The Pros, Cons and Hows Sherri Avery Director of Financial Aid and Student Employment Brandeis University savery@brandeis.edu Agenda Pros and cons What to consider once you decide to

471 views • 16 slides
Ch 8 SAQs (Pop Quiz) 1. What are the pros and cons of gamification? 2. How could you include

Ch 8 SAQs (Pop Quiz) 1. What are the pros and cons of gamification? 2. How could you include

Ch 8 SAQs (Pop Quiz) 1. What are the pros and cons of gamification? 2. How could you include social / group dynamics into your system? 3. How can you enhance the users perception of fun? 4. What is the 'skeptic' view of Gamification? 5.

542 views • 17 slides
in Competition Law Cento Veljanovski cento@casecon.com Presentation to Pros and Cons of

in Competition Law Cento Veljanovski cento@casecon.com Presentation to Pros and Cons of

Pros & Cons of Counterfactuals in Competition Law Cento Veljanovski cento@casecon.com Presentation to Pros and Cons of Counterfactuals conference organised by the Konkurrensverket, 6 December 2013, Stockholm. Case Associates

816 views • 33 slides
Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
Komparing Kotlin Server Frameworks Ken Yee @KAYAK (Android and occasional backend developer)

Komparing Kotlin Server Frameworks Ken Yee @KAYAK (Android and occasional backend developer)

Komparing Kotlin Server Frameworks Ken Yee @KAYAK (Android and occasional backend developer) KotlinConf 2018 Agenda - What is a backend? - What to look for in a server framework? - What Kotlin frameworks are available? - Pros/Cons of each

488 views • 45 slides
Role of marine and freshwater aquatic protected areas: pros and cons Steve Healy, Roger Chen,

Role of marine and freshwater aquatic protected areas: pros and cons Steve Healy, Roger Chen,

Role of marine and freshwater aquatic protected areas: pros and cons Steve Healy, Roger Chen, Mike Brassard CONS 486 Feb 27 th , 2015 Overview Introduction to Marine Protected Areas (MPAs) Paper review Pros and cons of MPAs

719 views • 46 slides
(Pros and Cons) Koji MURAI Shinjyu Global IP ASEAN Intellectual Property Association 2015

(Pros and Cons) Koji MURAI Shinjyu Global IP ASEAN Intellectual Property Association 2015

Madrid System in ASEAN Region (Pros and Cons) Koji MURAI Shinjyu Global IP ASEAN Intellectual Property Association 2015 Annual Conference March 27-29, 2015 Sofitel So Bangkok, Thailand 1 TOPICS 1. Overview of the Madrid System 2. Advantage

432 views • 27 slides
Page 1 Pros and Cons of Sandwich Testing Top and Bottom Layer Tests can be done in parallel

Page 1 Pros and Cons of Sandwich Testing Top and Bottom Layer Tests can be done in parallel

Podcast Ch11-04 Title : Sandwich Testing Description : Sandwich Testing Strategy, Pros and Cons of Sandwich Testing, Modified Sandwich Testing Participants : Barry Kurtz (instructor); Brandon Winters, Sara Hyde, Cheng Vue, Dan Baehr

303 views • 3 slides
Jeffery F. Budrow PE 3/2/2016 Artificial Turf Basics - Pros and Cons - Construction - Health

Jeffery F. Budrow PE 3/2/2016 Artificial Turf Basics - Pros and Cons - Construction - Health

Jeffery F. Budrow PE 3/2/2016 Artificial Turf Basics - Pros and Cons - Construction - Health Issues/Fill Materials - Safety/Gmax Artificial Turf - Pros Increased Usage Low Maintenance Uniform, Attractive Surface Engineered

330 views • 17 slides
Racket Values booleans: #t, #f numbers: The Pros of cons : integers: 42 , 0, -273

Racket Values booleans: #t, #f numbers: The Pros of cons : integers: 42 , 0, -273

Racket Values booleans: #t, #f numbers: The Pros of cons : integers: 42 , 0, -273 Programming with Pairs and Lists ra3onals: 2/3 , -251/17 floa3ng point (including scien3fic nota3on): 98.6 , -6.125 , 3.141592653589793, 6.023e23

431 views • 11 slides
Central vacuum valve in ALICE Pros and Cons ALICE TC 20.11.2013 20/11/13 Central vacuum

Central vacuum valve in ALICE Pros and Cons ALICE TC 20.11.2013 20/11/13 Central vacuum

Central vacuum valve in ALICE Pros and Cons ALICE TC 20.11.2013 20/11/13 Central vacuum valve - Pros and Cons 2 With valve Without valve Done with TPC in parking position Bakeout Done once MNF and RB24 pipe in place a very first

387 views • 7 slides
MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp.

MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp.

TM S Y M A S The LDAP guys. MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect, OpenLDAP hyc@openldap.org TM S Y M A S The LDAP guys. OpenLDAP Project Open source

1.01k views • 63 slides
Pros and Cons of Hydraulic Fracturing Hydraulic Fracturing is a reality and is not going

Pros and Cons of Hydraulic Fracturing Hydraulic Fracturing is a reality and is not going

Pros and Cons of Hydraulic Fracturing Hydraulic Fracturing is a reality and is not going away; Mostly safe but needs better practices and enhanced regulations; Will alter the entire USA energy economy; and, Excerpts from

473 views • 24 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J.

Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J.

Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student cant see

289 views • 8 slides
Relational Access Control with Bivalent Permissions in a Social Web/ Collaboration Architecture

Relational Access Control with Bivalent Permissions in a Social Web/ Collaboration Architecture

Relational Access Control with Bivalent Permissions in a Social Web/ Collaboration Architecture Todd Davies and Mike D. Mintz Symbolic Systems Program Stanford University http://deme.stanford.edu This paper is about access control. But we

267 views • 26 slides
Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal

Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal

Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal Holloway, University of London 7th International Workshop on Security and Trust Management Risk-Aware RBAC Introduction Introduction

604 views • 16 slides
A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

Introduction Overview Detailed Design Evaluation Related Work Conclusion References A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services Chaoshun Zuo, Qingchuan Zhao , Zhiqiang Lin University of Texas at

1.4k views • 103 slides
Differentiated access control Differentiated access control to graph data to graph data

Differentiated access control Differentiated access control to graph data to graph data

Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy:

596 views • 15 slides
IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for Neural Computation (INC), University of California San Diego irods.org, dice.unc.edu, diceresearch.org Outline General Comments What Guarding

210 views • 10 slides
Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise Artificial Intelligence Laboratory (AI-Lab) Security & Trust Research Unit DIST, University of Genova FBK-IRST Genova Trento A. Armando (U.

879 views • 77 slides

More recommend