The Roles Database


The SHANDS UF PORTAL
A Practical Approach for Web Portal Security Using Roles, Rules, Directories, and all that Stuff
What is a roles database?

A roles database is a mechanism used to assign a user access to data or applications.

Access control information for an enterprise should be hosted centrally, and made available to remote applications as needed. (1)

The Roles data model must be based on a robust design to enable extension and customization. (2)

Roles should be thought of as a core service that other applications will use, much like LDAP or DNS. (2)
[Diagram: the UF data model. Tables: Users, User Group Role, Group, Role, Group Role Permission, Permission.]
A typical implementation: assign a set of permissions to a group and role, and then associate many users with the group and role... in other words, who can do what to which data.

Permission group role relationships tend to be very stable, while user group role relationships change often.

Permissions, groups and roles should be centrally administered because they define organizational security policy.

Associating users with groups and roles should be decentralized: local administrators are familiar with employees and their functions.
What is a role?

It depends who you talk to. Different dialects express similar concepts.

In our model, a role defines a functional entity, e.g., “a sales manager”.

What is a group?

A group is a logical way of combining and managing roles across a distributed enterprise.

In our model, a group defines an organizational entity, e.g., “east region”.
Combining groups and roles

A group and role are combined to provide very granular security across a distributed enterprise. Here are a couple of scenarios.

[Diagram: Group West / Role Manager and Group East / Role Manager.]

A national company might have a regional manager for each of its two divisions... each associated with a group defined to have permission to access only their own data... while the national sales manager, being associated with both groups, has permission to access both.

The data model supports inheritance...

[Diagram: Group EastWest / Role Manager above Group West / Role Manager and Group East / Role Manager.]
What are rules?

Rules define corporate security policy and should be stored once and shared with other applications. Basically, rules modify permissions.

The Group Role Permissions table stores access control rules.

[Diagram: Group, Role, Group Role Perm, Perm.]

Storing rules at the group role permission level means that security can be different across groups with the same role... Shands at UF doctors will have different permissions and/or different rules than doctors at other Shands hospitals.

Storing rules at the group role permission level also means that security will be consistent within the group role... the rules and permissions will be the same for all Shands at UF doctors.
How are rules implemented?

Access control rules are stored in XACML format, an emerging OASIS standard. (3)

It takes data and process together to define and implement a rule, so XACML rules are interpreted by subroutines (objects).

For example, a permission may be associated with multiple groups and roles...

    Loop through user/group/role
        Call security object
        If OK say yes
    End Loop

Rules and User/Group/Role associations never change; they can only expire. Use an effective timestamp and an expire timestamp.
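As an added illustration, not code from the presentation or the Shands/UF portal, the following Python models the tables and the loop above: the Group Role Permissions table with a rule callable standing in for the "security object", group inheritance (EastWest inheriting East and West), and User Group Role rows that are never deleted, only given an expire timestamp. All users, groups, permissions and dates are constructed.

```python
from collections import namedtuple
from datetime import datetime
# Group Role Permissions row; `rule` is the "security object": callable(request, group)
# -> bool, or None when unconditional. User Group Role rows carry effective/expire.
GRP = namedtuple("GRP", "group role permission rule")
UGR = namedtuple("UGR", "user group role effective expire")

def own_region(request, group):
    """Rule: the requested record's region must match the group granting access."""
    return request.get("region") == group

# Constructed sample data (hypothetical, not the Shands/UF production tables).
GROUP_CHILDREN = {"EastWest": ["East", "West"]}  # EastWest inherits East and West
GROUP_ROLE_PERMISSIONS = [
    GRP("East", "Manager", "view_sales", own_region),
    GRP("West", "Manager", "view_sales", own_region),
    GRP("East", "Administrator", "edit_staff", None),
]
USER_GROUP_ROLES = [
    UGR("alice", "West", "Manager", datetime(2002, 1, 1), None),
    UGR("carol", "EastWest", "Manager", datetime(2002, 1, 1), None),
    # Dave left administration: the row is expired, never deleted.
    UGR("dave", "East", "Administrator", datetime(2002, 1, 1), datetime(2002, 7, 1)),
]

def active_group_roles(user, at):
    """User Group Roles in force at ISO date `at`; expire None means open-ended."""
    now = datetime.fromisoformat(at)
    return [(r.group, r.role) for r in USER_GROUP_ROLES
            if r.user == user and r.effective <= now
            and (r.expire is None or now < r.expire)]

def expand_group(group):  # the group plus every group it inherits from, transitively
    seen, stack = [], [group]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.append(g)
            stack.extend(GROUP_CHILDREN.get(g, []))
    return seen

def is_permitted(user, permission, request, at):
    """The slide's loop: per user/group/role, call the security object; yes on first OK."""
    for group, role in active_group_roles(user, at):
        for g in expand_group(group):
            for row in GROUP_ROLE_PERMISSIONS:
                if (row.group, row.role, row.permission) == (g, role, permission):
                    if row.rule is None or row.rule(request, g):
                        return True
    return False
```

Note that a denied request simply falls out of the loop: the regional manager is refused the other region's data, and Dave's expired row grants nothing after its expire timestamp while the history of the association is preserved.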
What is a context?

[Diagram: Users, User Group Role, Group, Role.]

A user is associated with one (or more) User Group Roles.

A practicing physician might also be an administrator... so she is associated with two User Group Roles.

Her portal functions are driven by her user group roles: tabs for each context, and menus driven by roles.

If she leaves her administrative position, her administrative security would expire. Her Administrator context would be unavailable to her; her Care Provider menus, preferences, and permissions would not be affected.
What about profiles?

Profiles allow a user to customize an application to suit their own personal preferences.

[Diagram: Users, User Group Role, Group, Role.]

Profiles are stored at the User Group Role level... as XML, to be easily shared with other applications.

Where are profiles kept?

Since profiles are kept at the user group role level, preferences in one role may be different from preferences in another role.
The directory

The Directory data model

[Diagram: Entity (key uuid) with Name, Address, Phone, Identifier, Relationship, eMail, Access and Extension tables.]

This is the meta-directory, or the canonical source. Ultimately it must be the repository of all entities and feed other applications and LDAP.

A Directory Entity has two subtypes: person and organization... New subtypes can be created as required.

[Diagram: Entity (key uuid) with subtypes Person, Organization and New Type.]

The Relationship table is one of the more interesting tables. It associates two directory entities... person works-for organization is a simple example. Policy must dictate valid relationships.

The Extension table is a CLOB that holds additional info in XML or other format...

    <PROFILE>
      <MEDIC>
        <CONTEXT>Administrator</CONTEXT>
      </MEDIC>
    </PROFILE>

The Access table tracks computer accounts.

The rest are fairly standard: address, name, email, etc. All have a one-to-many relationship to Entity and support multiple types.

The directory is populated by batch at this time and is fed from other sources, but we must turn that around quickly.
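As an added illustration, not code from the presentation, here is a Python sketch of the Entity, Relationship and Extension tables described above: a policy table that dictates which subtype pairings are valid for a relationship type, an insert that refuses anything outside that policy, and a reader for the contexts held in the Extension XML. The uuids, names and the second CONTEXT element are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows (hypothetical uuids and names, not the real directory).
ENTITIES = {  # Entity table: key uuid -> subtype row
    "u-0001": {"subtype": "Person", "name": "Example Physician"},
    "u-0002": {"subtype": "Organization", "name": "Shands at UF"},
    "u-0003": {"subtype": "Organization", "name": "Cardiology"},
}
RELATIONSHIPS = []  # Relationship table rows: (from_uuid, type, to_uuid)
# Policy dictates which subtype pairings are valid for each relationship type.
VALID_RELATIONSHIPS = {
    ("Person", "works-for", "Organization"),
    ("Organization", "part-of", "Organization"),
}
# Extension table: CLOB of XML keyed by entity uuid (the PROFILE document above).
EXTENSIONS = {
    "u-0001": "<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT>"
              "<CONTEXT>Care Provider</CONTEXT></MEDIC></PROFILE>",
}

def relationship_allowed(from_uuid, rel_type, to_uuid):
    """True only if both ends exist and policy permits this subtype pairing."""
    frm, to = ENTITIES.get(from_uuid), ENTITIES.get(to_uuid)
    if frm is None or to is None:
        return False
    return (frm["subtype"], rel_type, to["subtype"]) in VALID_RELATIONSHIPS

def add_relationship(from_uuid, rel_type, to_uuid):
    """Insert a Relationship row, refusing anything policy does not allow."""
    if not relationship_allowed(from_uuid, rel_type, to_uuid):
        raise ValueError(f"policy forbids {from_uuid} {rel_type} {to_uuid}")
    row = (from_uuid, rel_type, to_uuid)
    RELATIONSHIPS.append(row)
    return row

def related(uuid, rel_type):
    """Entities that `uuid` has a relationship of `rel_type` to."""
    return [to for frm, typ, to in RELATIONSHIPS if frm == uuid and typ == rel_type]

def contexts_for(uuid):
    """Portal contexts recorded in the entity's Extension XML (empty if none)."""
    xml = EXTENSIONS.get(uuid)
    if not xml:
        return []
    root = ET.fromstring(xml)
    return [c.text.strip() for c in root.iter("CONTEXT") if c.text]
```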
A Portal Application

A group role application

The calendar is a group role aware portal application. Different calendars will show up in different contexts based upon a user’s profile data.

There are many more group role aware applications in our portal, including customizable patient lists for doctors.
The Shands UF Portal

Review

The roles: access control rules
The directory: relationships between entities

Questions?

Thank you!

Sources

1. “The Roles Database at the Massachusetts Institute of Technology”, presentation by Jim Repa at EDUCAUSE Conference, October 29, 1999. http://www.educause.edu/ir/library/html/edu9942/edu9942.html
2. “Roles”, PowerPoint presentation by Ward Wilson, University of Florida DBA, 2002.
3. OASIS eXtensible Access Control Markup Language (XACML). http://www.oasis-open.org/committees/docs

Acknowledgments

1. Thanks to Michael Lucas for preparing the first draft and providing the design and layout for this presentation.