Role-based Access Control June09 GeoSOA Workshop

Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0

Topics
Why Role-based Access Control?
Project Overview
General Scenarios (Disaster & SSO)
Regulatory Demos (w/John, Paul & George)
Best Practices
Questions?

Introduction
Geospatial SOA based on OGC®/ISO influencing Federal Enterprise Architecture (FEA) Geospatial Profile. Efforts have matured to point where broad acceptance is dependent on capacity to secure data resources. Organizations like USACE participating in NSDI must also consider how to establish distributed security frameworks for role-based access control to SOA resources.

Why Role-based Access Control?
Geospatial SOA supporting NSDI, Enterprise GIS, …
Moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud
Transforming into agile frameworks driven by collaborative partnerships

Service Providers Service Consumers Geospatial SOA … Regulatory … Infrastructure … other needs Access Processing Discovery Collaboration Security

Project Participants
US Army Corps of Engineers, Water Resources Institute
CubeWerx USA
The Carbon Project
Collaboration with EPA, Image Matters, Montana Dept of IT, USGS Framework Data Services

Project Scope
Design, deploy and document reusable services and applications for one of the most important (but least understood) areas of Geospatial SOA – Role-based Access Control.
Satisfy multi-agency requirements through modeling business processes and related service components.
Advance technology for regulatory data interoperability between organizations like USACE and EPA.

Project Objectives
Define Best Practices in Geospatial SOA for Role-based Access Control as a key component of USACE and NSDI Business Process requirements.
Leverage CubeWerx’s investment in developing solutions to solve this important security challenge.
Demonstrate capabilities that have value across all application and spatial data stewardship domains, including development of Access Control Rules.
Collaboratively document Best Practices .

Geospatial SOA Access Security Project Design Outreach & Collaboration Scenarios & Business Processes Develop DT&E Lab Document Best Practices Services DT&E Lab

SDI Access Control Service NSDI Data Access Service and SDI Access Control Service WFS WMS SACS Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response Access Control WFS Request

Virtual SACS Other Client SDI Access Control Service NSDI Data Access Service and SDI Access Control Service Other NSDI Service with Virtual SACS WFS WMS SAC WFS WMS SAC Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response WFS Request & Response WFS Request Access Control Federation Fine-grained A ccess C ontr ol Rules : SDI Client : Feature Constraints Geographic Constraints Role-based Contstraints Operations Constaints Access Control

So what does that mean?

Disaster Scenario
Texas Coast Hurricane
Roles
Public User – ‘Jeff’
EOC User – ‘Keith’
NSDI Service Provider – ‘Edric’
Access Control by
Geography
Role
Feature
Service Operation
Island of Galveston Jeff Edric Keith

Geographic Access Control

Geographic Access Control Jeff

Geographic Access Control

EOC Users – Access by Role, Geography, Feature, Operations Public Users – May be limited by Role, Geography, Feature, Operations

Access Control Rules for Cloud-based Services Established by Service Providers

Free Secure SDI client available at www.thecarbonportal.net Feature Level Security Jeff

Feature Level Security Jeff

Feature Level Security Keith

By OGC Operation

Free Secure SDI client available at www.thecarbonportal.net By OGC Operation

Established by Service Providers Access Control Rules for Cloud-based Services

NSDI WFS in DT&E Lab

International Planning Commission reviewing plans for new oil pipeline.
Carry crude oil from western Canada provinces to refineries in US.
Planning Corridor crosses Montana/Saskatchewan border.
Review infrastructure in Planning Corridor & rapidly develop a report.
Single Sign-On Scenario

The following takes place between 10 AM and 10:15 AM… … events happen in real time. Canada US

Keith and Brenda are on the staff of the Commission Keith Brenda Roles

The commission just sent us a package by email Keith Brenda 10:00 AM

OK, let me zoom & connect to the Cross-Border SDI Network 10:00 AM

Got it, lets connect to the Cross-Border SDI Network 10:01 AM

Oops, forget to log-in… 10:01 AM

No problem, I got it, logging in now… Me too, with my account… 10:02 AM

OK, let me zoom & connect to the Cross-Border SDI 10:03 AM

Got it, Montana done… Just got a note, they want gas storage, comm towers in report 10:04 AM

Accessing NRCAN WFS with the single-sign on 10:04 AM

Canada done 10:04 AM

Got it, accessed Montana and NRCAN WFS, done They say add schools to report 10:05 AM

Done… 10:09 AM

NRCan Service* Montana Service* NSDI Data Services CGDI Services SACS with Single Sign-On* Geospatial SOA

Public – demonstrates unprotected access to a subset of data elements on issued permits to all
EPA Region II - demonstrates providing jurisdictional information on Pending Actions to EPA Region II
State of California - demonstrates authenticated access to consistent view of USACE data in State of California, across 3 USACE districts
USFWS Region IV - demonstrates providing permanent wetland impact data to USFWS Region IV
USACE Regulatory Scenarios

Demos illustrate role-based access to USACE regulatory data, using four different scenarios, four roles and four demo users – one Cloud-based Service. Each user belongs to one role – Public : ‘Public’ California : ‘Paul’ EPA Region II : ‘John’ USFWS Region IV : ‘George’ (the password for each user is the same as the username) Each role's access rules demonstrates a different spatial & non-spatial filter (details for each scenario appear in the bottom panel). USACE Regulatory Demos

USACE Public Scenario

USACE - California Scenario

USACE-EPA Region II Scenario

USFWS Region IV Scenario

USACE - California Rules

Questions on Demos?

Before – Many Roles, Many Services Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS

Datastore HTTPS SACS WFS WMS SDI Access Control Rules After – Many Roles, One Service

USACE Data Provider Portal Provider Security Manager NSDI Data Provider USACE End User NSDI End User (Public) Manage Users Manage Roles Manage Credentials Manage Groups Manage SDI Access Control Rules Authorize Users Access by Feature Access by Role Deploy Data Access by Geography Update by Feature Update by Role Update by Operation Type Access by Operation Type Use Cases… NSDI End User (Govt)

SDI Access Control Rules
SACR - an XML file that defines SDI Access Control Rules.
SDI Access Control Service applies these rules when someone tries to access data or services under its control.
XACML/geoXACML is a standard for expressing access control rules in XML.
SACR is a simple, functional subset of XACML/geoXACML - specifically focused on the requirements of OGC SDI (WMS, WFS, WCS, GSS, CS-W, etc.).
May be beneficial for this type of simple Access Control Rules encodings to advance for NSDI.

User Relying Party Identity Provider Relying Party Identity Provider Security Token Service WS-SecurityPolicy Security Token Service WS-SecurityPolicy Identity Selector SDI Access Control Rules (SACR) Framework… WS-Trust, WS-MetadataExchange Kerberos SAML SACS X.509

Level of Maturity and Implementation
The referenced SOA/Cloud solutions are mature and viable, suitable for deployment in a governmental computing environment – either internally or via Cloud.
Services, Web-based and Desktop Clients have been deployed in multiple operational settings – and are effective for Role-based Access Control.
Greatest challenge may not be the technical solution –
May be identifying specific Access Control Rules in coordination with multiple stakeholders – this challenge can be overcome, it is only a matter of working collaboratively to define them.
In addition, importing and adapting Roles from existing databases takes Enterprise commitment
Education to help stakeholders realize it is not “all or nothing”

Project Deliverables
Distributed DT&E Lab
Working Services, candidate Schemas
Web-based and Desktop Clients
Processes and Use Cases
Best Practices
Web-based Demos for NSDI Community

Questions?

Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0

Role-based Access Control June09 GeoSOA Workshop

by Carbon Project on Aug 03, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 40

Statistics

Role-based Access Control June09 GeoSOA Workshop — Presentation Transcript

http://carboncloud.blogspot.com	35
http://www.slideshare.net	5