rbacDSL - slides from Code Generation 2014

640 views

Published on

My slides from my talk at Code Generation 2014 in Cambridge, UK.

rbacDSL is a text-based DSL for writing, verifying and correcting RBAC authorisation policies. It produces standard XACML policies that can be used with any XACML evaluation engine.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
640
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

rbacDSL - slides from Code Generation 2014

  1. 1. rbacDSL: a DSL for Role-Based Access Control Lionel Montrieux <lionel.montrieux@open.ac.uk> The Open University, Milton Keynes, UK
  2. 2. Outline • Background and overview (15 min.) • Building an authorisation policy - live demo (20 min.) • Try to think of a good example • Bonus points for funny ones • Current research and future directions (10 min.)
  3. 3. Background
  4. 4. Authentication, Authorisation
  5. 5. RBAC [Sandhu00]
  6. 6. XACML architecture
  7. 7. XACML - Policies • <PolicySet>
 <PolicyCombinationAlgorithm/>
 <Policy>
 <RuleCombinationAlgorithm/>
 <Rule effect=“Permit|Deny”>
 <Target/>
 <Condition/>
 </Rule>
 </Policy>
 </PolicySet>
  8. 8. XACML - Requests • <Request>
 <Subject/>
 <Resource/>
 <Action/>
 <Environment/>
 </Request>
  9. 9. How it started • rbacUML and rbacDSML • OCL constraints • “model smells” • fixing incorrect models • Rational Software Architect 8.0, UML profiles
  10. 10. Scenarios? • Granted: user should be able to perform a list of actions • Forbidden: !Granted • User-Role: role should be assigned to at least one user • Object-Role: role should allow one to perform a list of actions on objects • Object: at least one user should be able to perform an action on an object
  11. 11. Demo time! https://github.com/lmcmontrieux/rbacDSL
  12. 12. Current research and future directions
  13. 13. Current (and past) research • Automated model fixing (the whole model) [Montrieux13] • Adaptive access control - automated reaction to inside threats [Bailey14] • Dynamic access control - in progress
  14. 14. Future directions • Attributes and conditions support • User-specific scenarios • XACML PAP connectors, LDAP connectors • Dynamic access control features • Bidirectional graph transformations
  15. 15. Any questions? email me: lionel.montrieux@open.ac.uk
 get the tool: https://github.com/lmcmontrieux/rbacDSL
  16. 16. References • All publications I co-authored are available on http://oro.open.ac.uk/ view/person/lm25566.html and http://oro.open.ac.uk/view/ person/lmcm5.html • [Sandhu00] Ravi S. Sandhu, David F. Ferraiolo, D. Richard Kuhn: The NIST model for role-based access control: towards a unified standard. ACM Workshop on Role-Based Access Control 2000:47-63 • XACML: eXtensible Access Control Modeling Language - OASIS - https://www.oasis-open.org/committees/tc_home.php? wg_abbrev=xacml • Image on slide 6 re-created from http://www.xacml.info • Images on slides 4 and 15 by J. Hardaway

×