resource access decision facility overview
play

Resource Access Decision Facility: Overview Konstantin Beznosov - PowerPoint PPT Presentation

Mar 06, 2023 •103 likes •329 views

Resource Access Decision Facility: Overview Konstantin Beznosov Baptist Health Systems of South Florida beznosov@baptisthealth.net DOCsec 99 1 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999 Do You

  1. Resource Access Decision Facility: Overview Konstantin Beznosov Baptist Health Systems of South Florida beznosov@baptisthealth.net DOCsec ‘99 1 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  2. Do You Have Any of the Following: • Systems from different vendors are deployed • Either granularity of access control needs to be fine • Access control policies are complex and relatively dynamic • Free lunch? DOCsec ‘99 2 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  3. Presentation Overview • Why you need Resource Access Decision Facility • Main aspects of RAD specification design • Main design decisions made by RAD submission team • Questions (if time permits) DOCsec ‘99 3 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  4. RAD Trivia • Response to Healthcare Resource Access Control (HRAC) RFP corbamed/98-02-23 • Final response corbamed/99-05-04 • FTF August 1999 • Who did it: - 2AB, IBM, NIST, BHS - With help from: CareFlow|Net, Concept Five, DASCOM, Inc., Inprise, Los Alamos National Laboratory, NSA, Philips Medical Systems, TIS Labs DOCsec ‘99 4 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  5. Why Do You Need Resource Access Decision Facility? DOCsec ‘99 5 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  6. CORBASEC • Versatile • Accommodates most computing environments • Optimized for the most common case • Provides interfaces to applications if their security needs differ from the common case • Do not pay if don’t use DOCsec ‘99 6 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  7. Why RAD? • Access control granularity • Additional factors in authorization decisions • Decoupling authorization logic from application logic DOCsec ‘99 7 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  8. Why RAD: Granularity DOCsec ‘99 8 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  9. Why RAD: Additional Factors • Some Need Authorization Decisions Based on - Standard CORBASEC Access Control Model • Name of interface and operation • Principal id • Principal role • Principal affiliation • ... - Customized implementation of AccessDecision and PrincipalAuthenticator • Time of service request • Location of service requester - Cannot be supported by CORBASEC Access Control Model • Relationship between the requesting principal and the “owner” of the data to be accessed • Values of input arguments on an operation. • Values of results returned from invocation of an operation. DOCsec ‘99 9 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  10. Main Aspects of RAD Specification Design DOCsec ‘99 10 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  11. Users, Clients, Services, RAD C lient s e c i v r U ser e S data and services n access requests o RAD i authorization t requests a c i C lient l p p A U ser DOCsec ‘99 11 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  12. Interaction Between RAD Parts an Application System 6: 1: access_allow ed(R esourceN ame, Operation, AttributeList) an Access D ecision 4: co mbine_decisions(R esourceN ame, O peration, Attribu teList, PolicyEvaluatorList) O bject : AccessD ecision a C ombinator : D ecisionC ombinator 2: get_policy_decision_ev aluators(R esourceN ame) a Locator : Policy Ev aluatorLocator 5: * ev aluate(R esourceN am e, O peration, AttributeList) 3: get_dynam ic_attributes(AttributeList, ResourceN ame, Operation) an Attribute Serv ice : D ynamicAttributeServ ice an E va luator : PolicyEv aluator DOCsec ‘99 12 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  13. RAD Main Parts: Runtime - AccessDecision • one per facility • the facade to the facility and a mediator - DynamicAttributeService • one per facility, can be replace • updates the list of security attributes with dynamic ones - PolicyEvaluatorLocator • one per facility, can be replaced • provides a list of policy evaluators and a combinator for a given authorization request - PolicyEvaluators • one or more per request, dynamically discovered • evaluate policies that they implement and return evaluation result - DecisionCombinator • one per request, dynamically discovered • calls appropriate evaluators and combines decisions from them in one grant/deny. DOCsec ‘99 13 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  14. RAD Main Parts: Administrative <<IDL Interface>> <<IDL Interface>> PolicyEvaluatorLocatorBasicAdmin Access DecisionAdmin set_default_evaluators() get_policy_evaluator_locator() get_default_combinator() set_policy_evaluator_locator() set_default_combinator() get_dynamic_attribute_service() get_default_evaluators() set_dynamic_attribute_service() <<ID L Interface>> Po licyE valuatorL ocatorNa meAdmi n <<ID L Interface>> set_evaluators () P oli cyEvaluato rAd mi n add _evaluators() s et_policies () del ete _evaluators () add_policies () get_evaluators () lis t_policies () set_com binator() s et_default_ policy() de lete_com binator() delete_policies () get_com binator() DOCsec ‘99 14 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  15. Resource and Operation Names • Resource names are for expressing arbitrary resources in the form of a data structures convenient for manipulations. ResourceNameComponent ResourceNamingAuthority ResourceNameComponentList name_string : string value_string[0..1] : string 0..1 0..1 1..* 1..* 1..1 1..1 1..1 1..1 +resource_name_authority +resource_name_component_list 0..1 0..1 0..1 0..1 ResourceName • All access operations are named DOCsec ‘99 15 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  16. Main Design Decisions DOCsec ‘99 16 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  17. Policies and Dynamic Attributes • Policies - No interfaces for expressing authorization policies - Policies and policy engines are encapsulated in CORBA objects and can be supplied by different vendors. • Dynamic Attributes - Request-specific factors in the form of dynamic attributes • CORBASEC + RAD + application service == reference monitor DOCsec ‘99 17 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  18. Grouping Resources and Resource Names • Resource are grouped using resource names • Resource names are grouped using resource name patterns << ID L In te rfa ce >> P oli cyE va lu a to r L oca to rP a tte rn A d m in s e t_ e va lu a to rs _ b y_ p a tte rn () a d d _ e va lu a to rs _ b y_ p a tte rn () d e le te _ e va lu a to rs _ b y_ p a tte rn () g e t_ e va lu a to rs _ b y_ p a tte rn () s e t_ co m b in a to r_ b y_ p a tte rn () d e le te _ co m b in a to r_ b y_ p a tte rn () g e t_ co m b in a to r_ b y_ p a tte rn () re g is te r_ re s o u rce _ n a m e _ p a tte rn () u n re g is te r_ re s o u rce _ n a m e _ p a tte rn () DOCsec ‘99 18 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  19. Accommodates Different Flexibility and Performance Requirements • Neither part of RAD have to be co-located with its clients - Only security attributes are passed, Credentials object is not passed • Everything could be packed in the same process space as the application service, or • Every single part of RAD could be a separate full-blown CORBA object with all bells and whistles. DOCsec ‘99 19 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  20. Design by Contract • Contract between the caller and the callee - Preconditions - Postconditions - Exceptions • Exception is thrown to the RAD client if something goes wrong • Different treatment of run-time and administrative interfaces - Expects input errors and inconsistencies of operation invocations on administrative interfaces. - Assumes that ADO client and all RAD parts are debugged, i.e. has strict preconditions. DOCsec ‘99 20 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

  21. Conclusions • RAD is useful when: - Systems from different vendors are deployed - Either granularity of access control needs to be finer, or - Access control policies are complex and relatively dynamic • Authorization decisions - Made in regards to fine-grain resources - Based on factors specific to the user session, workflow, request • Resource names - Abstract real resources - Could be grouped using patterns DOCsec ‘99 21 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Resource Access Decision Server : Design and Performance Considerations Konstantin Beznosov and

Resource Access Decision Server : Design and Performance Considerations Konstantin Beznosov and

Resource Access Decision Server : Design and Performance Considerations Konstantin Beznosov and Luis Espinal {beznosov,lespin03}@cs.fiu.edu CADSE October 22, November 5, 1999 Presentation Overview Introduction RAD Specification

263 views • 25 slides
min y i f i + x ij d ij min y i f i + x ij d ij i F i F , j D min y

min y i f i + x ij d ij min y i f i + x ij d ij i F i F , j D min y

Today Facility location Facility Location Linear program relaxation: Set of facilities: F , opening cost f i for facility i Decision Variables. y i - facility i open? Set of clients: D . x ij - client j assigned to facility i . d ij -

60 views • 3 slides
Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure

Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure

Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure Contracts &amp; Management ISO Board of Governors General Session May 1 - 2, 2017 ISO Confidential Issue is allocation of local resource adequacy

92 views • 5 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer

Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer

Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer Obligation Greg Cook Manager, Market Design &amp; Regulatory Policy Board of Governors Meeting General Session March 26-27, 2009 There is significant

747 views • 6 slides
The Solar Resource The Solar Resource Overview Overview of the solar resource in the U.S.

The Solar Resource The Solar Resource Overview Overview of the solar resource in the U.S.

The Solar Resource The Solar Resource Overview Overview of the solar resource in the U.S. Features impacting solar irradiance Latitude, cloud cover, seasonality , , y Converting power to energy Tools to measure solar energy

922 views • 34 slides
Permitting Decision - Fraser Surrey Docks Direct Coal Transfer Facility August 21, 2014

Permitting Decision - Fraser Surrey Docks Direct Coal Transfer Facility August 21, 2014

Permitting Decision - Fraser Surrey Docks Direct Coal Transfer Facility August 21, 2014 portmetrovancouver.com Presentation overview Overview and corporate governance Coal Mandate and project review process Fraser Surrey Docks

313 views • 27 slides
Changing the Conversation Vision Statement The FMCC is the resource and voice for Facility

Changing the Conversation Vision Statement The FMCC is the resource and voice for Facility

ISO 55000 Changing the Conversation Vision Statement The FMCC is the resource and voice for Facility Management Consultants worldwide to leverage our collective expertise to benefit IFMA members, and the Facility Management profession.

680 views • 42 slides
Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water

Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water

Using Natural Resource Wealth to Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water and Sanitation David Doepel Ryan Admiraal Mark McHenry Judy Walls Africa Research Group Murdoch University

248 views • 23 slides
Decision on Iron Point Facility Budget &amp; Financing Steve Berberich Vice President Corporate

Decision on Iron Point Facility Budget &amp; Financing Steve Berberich Vice President Corporate

Decision on Iron Point Facility Budget &amp; Financing Steve Berberich Vice President Corporate Services, Interim Chief Financial Officer and Treasurer ISO Board of Governors Meeting General Session May 18, 2009 The new facility will address

327 views • 10 slides
W BI F Roadm ap I m plem entation W BI F W BI F Overview W BI F Governing Governance Docum

W BI F Roadm ap I m plem entation W BI F W BI F Overview W BI F Governing Governance Docum

W BI F W BI F Roadm ap I m plem entation W BI F W BI F Overview W BI F Governing Governance Docum ents Decision m aking Joint Grant Facility Joint Lending Facility Respective LFI policies and Steering Com m ittee procedures Rules

556 views • 41 slides
Resource Circulation Study in the Pacific Project Pacific Region Infrastructure Facility Project

Resource Circulation Study in the Pacific Project Pacific Region Infrastructure Facility Project

Resource Circulation Study in the Pacific Project Pacific Region Infrastructure Facility Project Scope 1. To identify and quantify the opportunity to improve the resource recovery of 15 recyclable commodities present in the solid waste stream

595 views • 30 slides
Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious

Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious

Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious Settings: Selenium in Appalachian Watersheds Jim Coleman, Chief Scientist, Eastern Energy Team, USGS Ione Taylor, Chief Scientist, Eastern Region,

633 views • 39 slides
Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to

Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to

Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 27-Apr-07 A4.6 Decision Legal obligations Protocol on SEA

314 views • 6 slides
Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource

Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource

Instream Flow Technical Team Meeting - Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource Consultants 11/13/2013 DRAFT SUBJECT TO REVISION 2 Decision Support System - Define Decision:

692 views • 19 slides
Overview of ReA Facility D.J. Morrissey Associate Director of Operations Outline Coupled

Overview of ReA Facility D.J. Morrissey Associate Director of Operations Outline Coupled

Overview of ReA Facility D.J. Morrissey Associate Director of Operations Outline Coupled Cyclotron Facility Operations Perspective WRT ReA beams ReA Accelerator Facility Overview ReA3 complete ReA6 prototype tested ReA12

707 views • 15 slides
Welcome to our first Virtual Progression! This AdobeConnect session is for Scott McCoy The

Welcome to our first Virtual Progression! This AdobeConnect session is for Scott McCoy The

Welcome to our first Virtual Progression! This AdobeConnect session is for Scott McCoy The Mentor Board Scott will begin his session in just a few minutes. Did you want to join Robert Hershenow STC Body of Knowledge (TCBOK) instead? Go to

387 views • 20 slides
information coming from the images of the plasma facing components. Data analysis is Tokamak

information coming from the images of the plasma facing components. Data analysis is Tokamak

FINAL WORKSHOP OF GRID PROJECTS PON RICERCA 2000-2006, AVVISO 1575 1 Applications of imaging analysis to tokamak fusion plasma by ENEA-GRID technologies M. Chinnici 1 , S. Migliori 2 , R. De Angelis 3 , S. Borioni 4 , S. Pierattini 5 1,4

353 views • 4 slides
Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open

Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open

Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open Source Computing Tools IOCS Meeting, Busan South Korea, 9 April 2019 Bruce Monger, bcm3@cornell.edu Department of Earth and Atmospheric Sciences

330 views • 18 slides
Advanced Geospatial Image Processing using Graphics Processing Units Atle Borsholm Ron Kneusel

Advanced Geospatial Image Processing using Graphics Processing Units Atle Borsholm Ron Kneusel

Advanced Geospatial Image Processing using Graphics Processing Units Atle Borsholm Ron Kneusel Exelis Visual Information Solutions Boulder, CO USA Why? Common geospatial image processing algorithms are computationally demanding.

398 views • 15 slides
Practical Aspects of Using RTI Connext DDS in UGV Josef Schrttle Senior Systems Engineer RUAG

Practical Aspects of Using RTI Connext DDS in UGV Josef Schrttle Senior Systems Engineer RUAG

Practical Aspects of Using RTI Connext DDS in UGV Josef Schrttle Senior Systems Engineer RUAG MRO Schweiz RUAG Schweiz AG Munich, May 22nd, 2019 Short History of UGV at RUAG Gecko, 2008 to 2011 Vehicle Gecko, sequential hybrid with four

577 views • 26 slides
H1 2016 Results 1 September 2016 1 FIRST-HALF 2016 HIGHLIGHTS ACQUISITION OF LOGITERS

H1 2016 Results 1 September 2016 1 FIRST-HALF 2016 HIGHLIGHTS ACQUISITION OF LOGITERS

H1 2016 Results 1 September 2016 1 FIRST-HALF 2016 HIGHLIGHTS ACQUISITION OF LOGITERS Revenues STRONG ORGANIC GROWTH +10.1 % At constant exchange rates FIRM COMMERCIAL MOMENTUM SOLID RESULTS 2 1 2 3 FIRST-HALF 2016 FINANCIAL

292 views • 26 slides
Deepwater Horizon Natural Resource Damage Assessment &amp; Restoration Trustee Council Annual

Deepwater Horizon Natural Resource Damage Assessment &amp; Restoration Trustee Council Annual

Deepwater Horizon Natural Resource Damage Assessment &amp; Restoration Trustee Council Annual Public Meeting July 16, 2020 Welcome and Introduction Trustee Council Update Restoration Area Updates Your Comments FLORIDA ALABAMA

955 views • 54 slides
CISSCAL User Guide March 20, 2009 Contents 1 Introduction 3 2 Setting Up the Environment 3

CISSCAL User Guide March 20, 2009 Contents 1 Introduction 3 2 Setting Up the Environment 3

CISSCAL User Guide March 20, 2009 Contents 1 Introduction 3 2 Setting Up the Environment 3 3 Starting CISSCAL and General Layout 4 3.1 Default Options File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

563 views • 15 slides

More recommend