ppt - Common Solutions Group

Download Report

Transcript ppt - Common Solutions Group 

MIT ROLES DB
CSG, May 2004
Previous Presentations
• Talk given by Jim Repa at EDUCAUSE
Conference (Long Beach, CA, Oct. 29, 1999)
– http://web.mit.edu/rolesdb/www/educause/educause.
html
• Talk given by Jim Repa to Common Solutions
Group (Chicago, Sept. 18, 1998)
– http://web.mit.edu/rolesdb/www/csg/csg.html
• Slides from Jim Repa's presentation of October
7, 1997
http://web.mit.edu/is/integration/presentation
s/roles_10071997/
A new perspective
• The MIT ROLES database is not a Roles
Based Access Control (RBAC) system
• It is a meta-authorization management
system
• An RBAC system could be built using the
MIT ROLES system
Characteristics
• Applications and services do not query or
update ROLES in real time.
• Data is extracted from the database and
transformed into native, legacy, format for
consumption
• We do not define a “role” that is then
applied to a number of users
• Roles does provide for inheritance of
authorizations
A Reminder
• An Authorization = PERSON + FUNCTION
+ QUALIFIER
• But the system also provides for starting
and ending dates
• In the future, an Authorization = object +
FUNCTION +QUALIFIER
The ROLES DB can be used to
form
•
•
•
•
•
Tables in other databases
Access Control Lists
LDAP groups
LDAP attributes
or populating configuration files such as
.k5login
• It could even be used to help formulate
policies within rule based systems.
Obstacles to usage
• Current access is via SQL*NET and
Oracle
• No APIs to ease access from native code
• Benefits accrue to departmental
administrators
• Benefits do not accrue to system
developers, system integrators, most of
central IS&T
Another obstacle
• No support for real-time or programmatic
updates of qualifiers
• There are OKI OSIDs to address this issue
but they have only been used against a
test instance at this time
Systems using ROLES in
production
•
•
•
•
•
•
•
•
•
SAP financials
Data Warehouse
Human Resource systems
NIMBUS budget system
Graduate Admissions
MIT ID database
access to student information in data warehouse
Environmental Health and Safety
miscellaneous administration tasks
Notable systems not using ROLES
at this time
•
•
•
•
•
•
•
•
•
•
•
•
•
AFS PTS
Moira
web publication
OCW
central Active Directory
Help desk tools including Casetracker, RT, Stock Answers and OLC
Stellar
any Library systems
COEUS
Student Information Systems
MIT Events Calendar
TechTime (Corporate Time)
access to buildings, parking lots, machine rooms, hazardous labs,
Some Statistics
• The number of authorization functions defined:
185
• The number of individual authorizations currently
defined: 63997
• The number of authorizations that have defined
boundary dates: 1159, of these 980 created by
department of Dean for Student Life
• The number of AFS and NFS groups defined in
Moira: 20955
• The number of other ACLs defined in Moira:
43215