• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Role-based Access Control June09 GeoSOA Workshop
 

Role-based Access Control June09 GeoSOA Workshop

on

  • 3,429 views

Overview of Role-based Access Control project for 2009 Geospatial SOA and Cloud Computing Workshop

Overview of Role-based Access Control project for 2009 Geospatial SOA and Cloud Computing Workshop

Statistics

Views

Total Views
3,429
Views on SlideShare
3,368
Embed Views
61

Actions

Likes
0
Downloads
0
Comments
0

13 Embeds 61

http://carboncloud.blogspot.com 42
http://www.slideshare.net 5
http://www.slashdocs.com 3
http://carboncloud.blogspot.tw 2
http://carboncloud.blogspot.mx 1
http://carboncloud.blogspot.nl 1
http://carboncloud.blogspot.ch 1
http://carboncloud.blogspot.com.es 1
http://carboncloud.blogspot.kr 1
http://carboncloud.blogspot.co.il 1
http://carboncloud.blogspot.se 1
http://carboncloud.blogspot.it 1
http://carboncloud.blogspot.com.br 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Role-based Access Control June09 GeoSOA Workshop Role-based Access Control June09 GeoSOA Workshop Presentation Transcript

    • Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0
    • Topics
      • Why Role-based Access Control?
      • Project Overview
      • General Scenarios (Disaster & SSO)
      • Regulatory Demos (w/John, Paul & George)
      • Best Practices
      • Questions?
    • Introduction
      • Geospatial SOA based on OGC®/ISO influencing Federal Enterprise Architecture (FEA) Geospatial Profile. Efforts have matured to point where broad acceptance is dependent on capacity to secure data resources. Organizations like USACE participating in NSDI must also consider how to establish distributed security frameworks for role-based access control to SOA resources.
    • Why Role-based Access Control?
      • Geospatial SOA supporting NSDI, Enterprise GIS, …
      • Moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud
      • Transforming into agile frameworks driven by collaborative partnerships
    • Service Providers Service Consumers Geospatial SOA … Regulatory … Infrastructure … other needs Access Processing Discovery Collaboration Security
    • Project Participants
      • US Army Corps of Engineers, Water Resources Institute
      • CubeWerx USA
      • The Carbon Project
      • Collaboration with EPA, Image Matters, Montana Dept of IT, USGS Framework Data Services
    • Project Scope
      • Design, deploy and document reusable services and applications for one of the most important (but least understood) areas of Geospatial SOA – Role-based Access Control.
      • Satisfy multi-agency requirements through modeling business processes and related service components.
      • Advance technology for regulatory data interoperability between organizations like USACE and EPA.
    • Project Objectives
      • Define Best Practices in Geospatial SOA for Role-based Access Control as a key component of USACE and NSDI Business Process requirements.
      • Leverage CubeWerx’s investment in developing solutions to solve this important security challenge.
      • Demonstrate capabilities that have value across all application and spatial data stewardship domains, including development of Access Control Rules.
      • Collaboratively document Best Practices .
    • Geospatial SOA Access Security Project Design Outreach & Collaboration Scenarios & Business Processes Develop DT&E Lab Document Best Practices Services DT&E Lab
    • SDI Access Control Service NSDI Data Access Service and SDI Access Control Service WFS WMS SACS Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response Access Control WFS Request
    • Virtual SACS Other Client SDI Access Control Service NSDI Data Access Service and SDI Access Control Service Other NSDI Service with Virtual SACS WFS WMS SAC WFS WMS SAC Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response WFS Request & Response WFS Request Access Control Federation Fine-grained A ccess C ontr ol Rules : SDI Client : Feature Constraints Geographic Constraints Role-based Contstraints Operations Constaints Access Control
    • So what does that mean?
    • Disaster Scenario
      • Texas Coast Hurricane
      • Roles
        • Public User – ‘Jeff’
        • EOC User – ‘Keith’
        • NSDI Service Provider – ‘Edric’
      • Access Control by
        • Geography
        • Role
        • Feature
        • Service Operation
      Island of Galveston Jeff Edric Keith
    • Geographic Access Control
    • Geographic Access Control
    • Geographic Access Control Jeff
    • Geographic Access Control Jeff
    • Geographic Access Control Jeff
    • Geographic Access Control Jeff
    • Geographic Access Control Jeff
    • Geographic Access Control
    • Geographic Access Control
    • Geographic Access Control
    • EOC Users – Access by Role, Geography, Feature, Operations Public Users – May be limited by Role, Geography, Feature, Operations
    • Access Control Rules for Cloud-based Services Established by Service Providers
    • Free Secure SDI client available at www.thecarbonportal.net Feature Level Security Jeff
    • Feature Level Security Jeff
    • Feature Level Security Keith
    • Feature Level Security Keith
    • By OGC Operation
    • By OGC Operation
    • By OGC Operation
    • By OGC Operation
    • Free Secure SDI client available at www.thecarbonportal.net By OGC Operation
    • Established by Service Providers Access Control Rules for Cloud-based Services
    • NSDI WFS in DT&E Lab
      • International Planning Commission reviewing plans for new oil pipeline.
      • Carry crude oil from western Canada provinces to refineries in US.
      • Planning Corridor crosses Montana/Saskatchewan border.
      • Review infrastructure in Planning Corridor & rapidly develop a report.
      Single Sign-On Scenario
    • The following takes place between 10 AM and 10:15 AM… … events happen in real time. Canada US
    • Keith and Brenda are on the staff of the Commission Keith Brenda Roles
    • The commission just sent us a package by email Keith Brenda 10:00 AM
    • OK, let me zoom & connect to the Cross-Border SDI Network 10:00 AM
    • Got it, lets connect to the Cross-Border SDI Network 10:01 AM
    • Oops, forget to log-in… 10:01 AM
    • No problem, I got it, logging in now… Me too, with my account… 10:02 AM
    • OK, let me zoom & connect to the Cross-Border SDI 10:03 AM
    • Got it, Montana done… Just got a note, they want gas storage, comm towers in report 10:04 AM
    • Accessing NRCAN WFS with the single-sign on 10:04 AM
    • Canada done 10:04 AM
    • Got it, accessed Montana and NRCAN WFS, done They say add schools to report 10:05 AM
    • Done… 10:09 AM
    • NRCan Service* Montana Service* NSDI Data Services CGDI Services SACS with Single Sign-On* Geospatial SOA
      • Public – demonstrates unprotected access to a subset of data elements on issued permits to all
      • EPA Region II - demonstrates providing jurisdictional information on Pending Actions to EPA Region II
      • State of California - demonstrates authenticated access to consistent view of USACE data in State of California, across 3 USACE districts
      • USFWS Region IV - demonstrates providing permanent wetland impact data to USFWS Region IV
      USACE Regulatory Scenarios
    • Demos illustrate role-based access to USACE regulatory data, using four different scenarios, four roles and four demo users – one Cloud-based Service. Each user belongs to one role – Public : ‘Public’ California : ‘Paul’ EPA Region II : ‘John’ USFWS Region IV : ‘George’ (the password for each user is the same as the username) Each role's access rules demonstrates a different spatial & non-spatial filter (details for each scenario appear in the bottom panel). USACE Regulatory Demos
    • USACE Public Scenario
    • USACE - California Scenario
    • USACE-EPA Region II Scenario
    • USFWS Region IV Scenario
    • USACE - California Rules
    • USACE - California Rules
    • USACE - California Rules
    • Questions on Demos?
    • Before – Many Roles, Many Services Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS
    • Datastore HTTPS SACS WFS WMS SDI Access Control Rules After – Many Roles, One Service
    • USACE Data Provider Portal Provider Security Manager NSDI Data Provider USACE End User NSDI End User (Public) Manage Users Manage Roles Manage Credentials Manage Groups Manage SDI Access Control Rules Authorize Users Access by Feature Access by Role Deploy Data Access by Geography Update by Feature Update by Role Update by Operation Type Access by Operation Type Use Cases… NSDI End User (Govt)
    • SDI Access Control Rules
      • SACR - an XML file that defines SDI Access Control Rules.
      • SDI Access Control Service applies these rules when someone tries to access data or services under its control.
      • XACML/geoXACML is a standard for expressing access control rules in XML.
      • SACR is a simple, functional subset of XACML/geoXACML - specifically focused on the requirements of OGC SDI (WMS, WFS, WCS, GSS, CS-W, etc.).
      • May be beneficial for this type of simple Access Control Rules encodings to advance for NSDI.
    • User Relying Party Identity Provider Relying Party Identity Provider Security Token Service WS-SecurityPolicy Security Token Service WS-SecurityPolicy Identity Selector SDI Access Control Rules (SACR) Framework… WS-Trust, WS-MetadataExchange Kerberos SAML SACS X.509
    • Level of Maturity and Implementation
      • The referenced SOA/Cloud solutions are mature and viable, suitable for deployment in a governmental computing environment – either internally or via Cloud.
      • Services, Web-based and Desktop Clients have been deployed in multiple operational settings – and are effective for Role-based Access Control.
      • Greatest challenge may not be the technical solution –
        • May be identifying specific Access Control Rules in coordination with multiple stakeholders – this challenge can be overcome, it is only a matter of working collaboratively to define them.
        • In addition, importing and adapting Roles from existing databases takes Enterprise commitment
        • Education to help stakeholders realize it is not “all or nothing”
    • Project Deliverables
      • Distributed DT&E Lab
      • Working Services, candidate Schemas
      • Web-based and Desktop Clients
      • Processes and Use Cases
      • Best Practices
      • Web-based Demos for NSDI Community
    • Questions?
    • Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0