The document discusses access control and role-based access control (RBAC) models. It describes the core components of RBAC including users, roles, permissions, and role hierarchies. RBAC assigns system access based on a user's role within an organization and restricts access to authorized users. The document outlines how RBAC can be implemented in a small company and used to define roles for network devices, applications, and systems to enforce access controls and facilitate auditing.
This document discusses role-based access control (RBAC) and provides examples of implementing RBAC in Perl applications. It begins with definitions of authentication and authorization. It then covers authentication processes, examples of authentication modules for Perl, and how to implement authentication sessions. The document discusses different types of authorization, including simple, lattice-based access control and RBAC. It provides an example of a simple authorization module for Catalyst and an example CPAN module for lattice-based access control. A significant portion of the document is dedicated to explaining RBAC in depth, including academic papers on RBAC, emerging standards, existing security implementations using RBAC, and Perl implementations of RBAC. It provides examples of RBAC design and implementation.
The document discusses web authentication and authorization. It introduces various authentication threats and technologies like usernames/passwords, one-time passwords, and Kerberos. It also discusses authentication attacks like brute force attacks and weak password recovery validation. The document then covers authentication techniques and infrastructures such as pluggable authentication modules and secure sockets layer. Finally, it discusses web authentication standards including single sign-on, OAuth, and OpenID.
Rumbaugh's Object Modeling Technique (OMT) is an object-oriented analysis and design methodology. It uses three main modeling approaches: object models, dynamic models, and functional models. The object model defines the structure of objects in the system through class diagrams. The dynamic model describes object behavior over time using state diagrams and event flow diagrams. The functional model represents system processes and data flow using data flow diagrams.
This document summarizes Microsoft's Windows 10 enterprise solution. It highlights key features such as intelligent security that provides a unified endpoint security platform with automatic threat remediation. It also discusses simplified updates through Windows as a service model with two feature updates per year. Additionally, it outlines enhanced productivity tools for collaboration and flexible management options including cloud, hybrid and on-premises deployment. Case studies are provided on how organizations like the US Department of Defense, Kimberly-Clark, Dell and Mars have benefited from Windows 10.
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM)
Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can utilize the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM have enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.
Attribute-based access control (ABAC) is the current state-of-practice model to express access rules in terms of attributes of subjects, resources, actions and the environment. In industry, ABAC is becoming the general methodology for managing access in IT applications. In the first part of this talk, we go into detail on how attributes can express different access control concepts. In the second part of the talk, we discuss how ABAC is used as a model for access control management to align access rules with business processes via a wide variety of domain-specific access control concepts.
The document discusses cloud computing security. It begins with an introduction to cloud computing that defines it and outlines its characteristics, service models, and deployment models. It then discusses common security concerns and attacks in cloud computing like DDoS attacks, side channel attacks, and attacks on management consoles. It provides best practices for different security domains like architecture, governance, compliance, and data security. It also discusses current industry initiatives in cloud security.
This document discusses using the OWASP Zed Attack Proxy (ZAP) tool to find vulnerabilities in web applications. ZAP is a free and open-source web application penetration testing tool that can be used to conduct both automated and manual testing of applications. The document provides an overview of ZAP's features, how to install and configure it, how to test applications for vulnerabilities using both automated and direct methods, and how to integrate ZAP with other tools.
Defines a framework for an authentication service using the X.500 directory. The directory serves as the repository of public-key certificates, and the framework is based on the use of public-key cryptography and digital signatures.
The document provides an overview of Amazon EC2, including:
- AWS concepts like regions, availability zones, and instance types
- Storage options like EBS, S3, and instance store
- Networking options like VPC, subnets, and load balancers
- Monitoring tools like CloudWatch and how to set up alarms
- Security measures like IAM roles and encryption
- Deployment options including AMIs, auto scaling, and CodeDeploy
This document outlines various artifact sets produced during the software engineering process, including requirement, design, implementation, deployment, test, and management artifacts. It discusses the artifacts in each set and how they evolve over the software lifecycle. The key artifact sets are the requirement set containing the engineering context, the design set representing different abstraction levels, the implementation set with source code, and the deployment set for delivering the software to users. Test artifacts must also be developed concurrently and documented similarly. Management artifacts include documents for planning, tracking status and releases, and defining the development environment.
The document discusses identity and access management (IAM). It outlines common IAM problems like weak passwords, password sharing, and lack of single sign-on. The presentation then discusses how IAM solutions can provide benefits like improved user experience through single sign-on, enhanced integration across systems, centralized administration to reduce costs, and increased security. Critical success factors for IAM projects include identifying business champions, thorough vendor analysis, defining requirements, understanding product features, and ensuring business support.
This document discusses software project management artifacts. Artifacts are organized into management and engineering sets. The management set includes artifacts like the work breakdown structure, business case, and software development plan. The engineering set includes requirement, design, implementation, and deployment artifact sets. Each set captures information through various notations and tools to manage the software development lifecycle.
This low level design document outlines the tax payer registration functionality with details of the navigation flow, UI implementation, client and server side validations, components design, data design with key tables and access levels, and testing approach. It provides developers with a reference to develop the system with minimal effort.
This document discusses deploying infrastructure as a service (IaaS) using Eucalyptus. Eucalyptus is an open-source software platform that provides IaaS and enables on-premise private clouds. It uses existing infrastructure to create a scalable, secure web services layer for compute, network and storage. The architecture of Eucalyptus includes a Cloud Controller, Cluster Controllers, Storage Controller, and Node Controllers that manage VM execution and network scheduling. Eucalyptus can dynamically scale resources based on application workloads. The document discusses using Ubuntu 12.04 on the Eucalyptus front-end and Xen as the underlying hypervisor on backend nodes.
The document discusses the Lightweight Directory Access Protocol (LDAP) which provides a method for accessing and updating directory services based on the X.500 model. It describes LDAP's lightweight alternative approach compared to X.500, how information is structured and named in an LDAP directory, the functional operations that can be performed, security considerations, and how the protocol is encoded for transmission.
Non-functional requirements describe how a system will operate rather than what it will do. They include qualities like usability, reliability, performance, and supportability. Usability measures how easy a system is to use, learn, and adapt to user needs. Reliability refers to the likelihood of failures and is measured by metrics like mean time between failures. Performance requirements specify the system's efficiency and response times. Supportability involves how easily a system can be maintained, internationalized, and adapted to changes.
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
Michael Wardrop, Netflix
Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs; pioneering micro-services followed, then status as a first-class platform running critical workloads.
As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.
Azure Role Based Access Control with a use case and an explanation of various concepts such as Global Administrators, Role Assignments, Account Administrators, Azure Roles, and Custom Roles for both Azure AD and Azure Subscriptions.
The document discusses different types of virtualization including hardware, network, storage, memory, software, data, and desktop virtualization. Hardware virtualization includes full, para, and partial virtualization. Network virtualization includes internal and external virtualization. Storage virtualization includes block and file virtualization. Memory virtualization enhances performance through shared, distributed, or networked memory that acts as an extension of main memory. Software virtualization allows guest operating systems to run virtually. Data virtualization manipulates data without technical details. Desktop virtualization provides remote access to work from any location for flexibility and data security.
Cloud computing provides convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort. It provides an abstraction between computing resources and their underlying technical architecture, enabling flexible network access.
Azure AD & Azure AD B2C provide identity and access management services. Azure AD is primarily for enterprise use, allowing single sign-on for Office 365, Azure, and other cloud services. It offers features like multi-factor authentication, application access control, and on-premises Active Directory synchronization. Azure AD B2C is designed more for consumer-facing apps and allows fully customizable login experiences and identity providers like social accounts and local usernames. Both services provide user management and authentication capabilities for applications.
Protect your business with a universal identity platform
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
Gartner named Microsoft a leader in Magic Quadrant 2020 for Access Management
Single sign-on simplifies access to your apps from anywhere
Conditional Access and multi-factor authentication help protect and govern access
A single identity platform lets you engage with internal and external users more securely
Developer tools make it easy to integrate identity into your apps and services
Connect your workforce
Whether people are on-site or remote, give them seamless access to all their apps so they can stay productive from anywhere. Automate workflows for user lifecycle and provisioning. Save time and resources with self-service management.
Choose from thousands of SaaS apps
Simplify single sign-on. Azure AD supports thousands of pre-integrated software as a service (SaaS) applications.
Protect and govern access
Safeguard user credentials by enforcing strong authentication and conditional access policies. Efficiently manage your identities by ensuring that the right people have the right access to the right resources.
Engage with your customers and partners
Secure and manage customers and partners beyond your organizational boundaries, with one identity solution. Customize user journeys and simplify authentication with social identity and more.
Integrate identity into your apps
Accelerate adoption of your application in the enterprise by supporting single sign-on and user provisioning. Reduce sign-in friction and automate the creation, removal, and maintenance of user accounts.
1. AWS (Amazon Web Services) is a cloud computing platform that provides scalable computing, storage, database, and application services.
2. AWS offers advantages like eliminating the need to purchase and maintain physical hardware, ability to scale instantly, and pay only for resources used.
3. Key AWS services include compute, storage, databases, networking, and security services like EC2, S3, RDS, VPC, and IAM.
4. AWS has a global infrastructure of data centers across 26 regions for fault tolerance and low latency access worldwide.
Squid Proxy Server on RHEL introduces Squid, a free and open-source proxy server software that provides caching, authentication, bandwidth management, and web filtering capabilities. It discusses configuring Squid on Red Hat Linux including installing packages, editing configuration files, starting services, and testing the proxy functionality. Browser and client settings are also covered to allow systems to route traffic through the Squid proxy server.
Implementing role based access control on Web Application (sample case)
Deny Prasetia
This document discusses implementing role-based access control (RBAC) on a web application. It begins by defining access control and RBAC. It then examines different approaches to access control, including level-based, user-based, role-based, and responsibility-based. For the project, it recommends a role-based or responsibility-based approach using tables to define users, roles, tasks, and permissions to allow restricting access based on a user's role(s). It also discusses designing this as a draft and considering requirements to control data updates based on user roles.
This document is intended to introduce readers to role based access control (RBAC), as applied to large numbers of users and multiple IT systems. It is organized into five distinct parts:
1. Development of RBAC concepts from a simple model to a complex but realistic privilege management infrastructure.
2. Business drivers to motivate organizations to use an RBAC system to manage security privileges.
3. Process for deploying RBAC into an organization.
4. Maintenance tasks for keeping a deployed RBAC system functioning smoothly.
5. Organizational impact of the deployment project and of the running RBAC system.
This document provides an overview of access control, including identification, authentication, and authorization. It discusses different types of access controls like administrative, technical, and physical controls. It also covers specific access control methods like passwords, biometrics, smart cards, and tokens. Identification establishes a subject's identity, while authentication proves the identity. Authorization then controls the subject's access to resources based on their proven identity. The document categorizes access controls as preventive, detective, corrective, recovery, compensating, and directive. It provides examples of different administrative, technical, and physical controls that fall into each category.
Mandatory access control for information security, by Ajit Dadresa
Mandatory Access Control (MAC) is an access control model that is used in highly classified environments. It relies on a system-wide security policy to control access rather than allowing individuals to control access. The policy dictates who can access what. MAC implements mandatory integrity control in Windows Vista based on the Biba model, which ensures integrity by controlling writes and deletions. It defines four integrity levels (low, medium, high, system) and usually inherits levels between processes, but customization is allowed.
This presentation covers the topic of access control in software. Access control is an essential part of every software application that manages data of any value. However, access control is also complex and hard to get right, both from a development and management point of view.
In this presentation, we first explore the concept and goals of access control in general. We then discuss the different models that exist in practice and in literature to reason about access control. We then investigate different approaches of how to enforce access control in an application. Overall, this sessions aims to provide deeper insights into access control in order to better reason about it and implement it correctly and efficiently.
EmpowerID provides role-based access control and identity management capabilities. It uses business roles, resource roles, and locations to automate provisioning and management of access based on roles and attributes. Workflows can be visually designed to automate approvals and common processes. The system integrates with various applications and directories to manage identities and entitlements across an organization's IT resources and systems.
This document discusses bug tracking and bug tracking tools. It begins with definitions of a bug and bug tracking. It then covers the anatomy and lifecycle of a bug, benefits of bug tracking tools, and common issues. Key aspects that bug tracking tools should address are outlined. Popular open source and commercial bug tracking systems are listed. Overall, the document promotes bug tracking as an important part of the software development process.
This document discusses the evolution of access control models from DAC to ABAC. It provides an overview of Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). ABAC is described as a new model that controls access based on multiple attributes of subjects, objects, and the environment, allowing for more flexible and fine-grained access decisions. The document predicts that by 2020, 70% of businesses will use ABAC due to its scalability and ability to incorporate real-time context into authorization decisions.
This document provides an overview of access control concepts and topics relevant to the CISSP certification. It defines access control as the mechanisms that grant or revoke the right to access data or perform actions on an information system. The document outlines key access control topics like identification, authentication, authorization, accountability, access control models, and monitoring. It also discusses access control principles such as least privilege and separation of duties.
1) The document discusses 10 steps to implement role-based access control at an organization. The first step is to create an identity warehouse to consolidate user access credentials across different systems.
2) The second step is to establish enterprise role management by designing or purchasing a role management product to define people's access needs across all applications.
3) Additional steps include defining application roles, conducting online role attestation reviews, adjusting the access request system to use the new role terminology, creating enterprise roles, ongoing role attestation, adjusting the request system for enterprise roles, segregation of duties analysis, and leveraging role management for external users.
Role-based Access Control June09 GeoSOA Workshop, by Carbon Project
This document discusses a project to develop a role-based access control framework for geospatial cloud services. The project aims to define best practices for role-based access control in geospatial service-oriented architectures. It involves participants like the US Army Corps of Engineers and CubeWerx developing reusable services, applications, and documentation of best practices. The project demonstrates capabilities for access control across different agencies and spatial data domains.
Stopping Breaches at the Perimeter: Strategies for Secure Access Control, by SecureAuth
Billions are being spent on network and endpoint security each year and yet companies continue to get breached and become big news headlines. So the question remains: How can organizations protect their network and applications while detecting unwanted users and potential attackers? Join 451 Research and SecureAuth as we explore the current state of information security and discuss some of the emerging access control technologies that can help address these challenges.
In this informative webinar you will learn:
•Why the future of access control will require higher security while improving user experience
•How adaptive access control techniques can protect against an attack using multi-layered risk analysis
•How using Behavioral Biometrics can identify anomalous user behavior - continuously
Healthcare Identity Management and Role-Based Access in a Federated NHIN - Th..., by Richard Moore
The Nationwide Health Information Network (NHIN) requires the secure connection of health organizations within and across state borders. The goal of Phase 4 of the e-Authentication Pilot Study is to investigate a specific solution to this issue. In 2006 HIMSS sponsored Phase 1 of the e-Authentication Pilot Study, which modeled the use of the General Services Administration (GSA) electronic authentication certificates using PKI and SAML in a healthcare information exchange (HIE) environment by 6 Regional Health Information Organizations (RHIOs) located in 5 different states. Phase 2 extended the work of Phase 1 to model federated single sign-on into a distributed multi-state HIE using PKI certificates for secure identity management, open source Internet2 middleware (Shibboleth and Shibboleth tools) for the authorization architecture and OASIS Security Assertion Markup Language (SAML) for single sign-on and access control. Phase 2 concluded in the development of a healthcare specific configuration of the Shibboleth network architecture and the development of healthcare related directory objects for role-based authorization. The Phase 2 technology was successfully demonstrated in the 2008 IHE Showcase. Phase 3 of the e-Authentication Pilot Study extended the network to include NHIN connectivity as a participant in the NHIN2 project. Advancements included: Record Location Services (RLS), proprietary Electronic Health Records (EHR), Personal Health Record Service (PHR), Public Health Immunization Record Service, VMWare virtual server technology. Phase 4 extends the use of NHIN Connector for Clinical and Administrative transactions, connection to OpenVISTA, work with the Voluntary Universal Healthcare Identifier (VUHID) and the growth of the network to 18 hospitals. Liberty Alliance/Kantara Workgroup for Health Identity and Assurance continues to participate to define Health Identity Management best practices and Role-based Authentication.
Presented at HIMSS2010 by Richard Moore and John Fraser
Access Control Privileges Management for Risk Areas, by Mahsa Teimourikia
This presentation presents adaptive access control for areas where risks require modifying authorizations dynamically at run time to enlarge and/or restrict privileges for risk rescue teams. Resources, which have a spatial description, as well as data elements of the areas to be protected, are considered. Based on a risk scenario, principles of access control based on the ABAC (Attribute Based Access Control) model for Subjects and Objects are given. Adaptivity of access control rules apply to subjects who intervene in the risk area and who require enlarged privileges to access to resources. The Access Control Domain concept models the policies of adaptive changes to Subject/Object attributes to face the crisis events. Events have a spatial description to enable managing the crisis according to where the event has occurred, since the same event can have different impacts on the environment depending on where it happens.
The Role of Content Management in Electronic Health Records (EMR), by John Wang
The document discusses the role of content management in electronic health records. It describes how electronic health record (EHR) systems primarily manage structured data using databases, while much healthcare data is unstructured. Enterprise content management systems (ECMS) are used to manage unstructured content like images, videos and documents. ECMS complement EHR systems and are important for regulatory compliance. The passage outlines federal regulations and financial incentives driving increased EHR and digital health record adoption over the next few years.
This document discusses role-based access control (RBAC). It defines the core components of RBAC, including users, roles, operations, objects, and permissions. It also describes hierarchical RBAC and how roles can inherit permissions and users from other roles. Finally, it covers separation of duties, both static and dynamic, which place constraints on role assignments to prevent conflicts of interest. RBAC aims to simplify security administration by defining permissions based on roles rather than individual users.
Scalable and Flexible Machine Learning With Scala @ LinkedIn, by Vitaly Gordon
The presentation given by Chris Severs and myself at the Bay Area Scala Enthusiasts meetup. http://www.meetup.com/Bay-Area-Scala-Enthusiasts/events/105409962/
This document provides an overview of a lecture on access control. It covers several topics:
- Access control authentication methods like passwords, tokens, and biometrics, as well as single sign-on and Kerberos.
- Access control models including DAC, MAC, and RMAC.
- Types of access control including technical, physical, and administrative controls.
- Authentication concepts like verifying identity, authorization, and limiting actions. Password risks and controls are also discussed.
The document discusses data modeling and entity relationship diagrams. It defines data modeling as the process of defining and analyzing data requirements to support business processes. It describes the different types of data models including conceptual, logical, and physical models. It also explains the key components of entity relationship diagrams including entities, attributes, relationships, cardinality, and notation. The document provides an example of using an ERD to model a scenario involving departments, supervisors, employees, and projects.
Permission sets allow administrators to grant users access to functionality in a more granular, flexible way compared to profiles. The presentation discussed how permission sets were used by USAA to simplify a complex permissions model with many profiles. Best practices for using permission sets like thinking of security in terms of functional roles and tasks rather than all-or-nothing profiles were also covered. The roadmap discussion highlighted upcoming features like organization-wide permission sets and increased metadata API support for permission sets.
The session will address the following points:
* Introduction to security in Oracle EPM Cloud Planning
* What are the artifacts/granular level that can have security in PBC?
* What are the best practices for addressing security?
* How can you mass update security using EPM Automate, REST API, Groovy, LCM, etc.?
The document outlines requirements for a resource management system. It includes sections on introduction and purpose, overall description of functions, specific requirements including use cases and activity diagrams, and software attributes. The system allows super users to allocate resources to projects and normal users to access resources after logging in. It describes functions for login, editing employee profiles, accessing and allocating resources, editing projects, and viewing records. Sequence and activity diagrams provide overviews of how the functions will work. Performance, database, design and software attributes are also specified.
A trick question in the cloud era, where we have both options available at our feet. What should we use? What are the tradeoffs? Why should I use one and not the other? If you join this session you might find answers to these questions.
This document provides an overview of security configuration in IBM UrbanCode Deploy, including setting up authentication and authorization realms, defining roles and permissions, configuring users and teams, and setting up notifications and approvals. The key steps are to create an authorization realm, then an authentication realm to associate users with groups. Roles are defined and assigned permissions, and users and groups are added. Teams can then be created and assigned users and groups.
This document provides a template and sample content for a Software Requirements Specification (SRS) document. The template includes sections for an introduction, overall description of the product and its features, detailed system requirements, external interface requirements, and other non-functional requirements. Appendices provide a glossary, optional analysis models, and an issues list. The sample content fills in some sections with placeholder or example text to illustrate how an SRS would be structured.
This document contains the resume of Yogesh Raghunath Surve. It summarizes his contact information, objective, qualifications, skills, experience and projects. He has over 5 years of experience as a software developer working with technologies like C#, SQL Server and Oracle. His experience includes projects in areas like agriculture information systems, online video platforms and HR/Payroll management systems.
Kiran Reddy has over 5 years of experience in identity and access management using Oracle products like Oracle Identity Manager, Oracle Access Manager, Oracle Internet Directory and Oracle Virtual Directory. He has expertise in integrating these products, developing connectors, configuring workflows, provisioning, reconciliation, single sign-on and access policies. He has worked on several projects for clients to implement identity management solutions.
DevOps has multiple hats nowadays. In today's session we will identify the main competencies that a DevOps engineer should have in 2020. For each competency, tools that can leverage our day-to-day activities will be presented from the Azure or Microsoft ecosystem.
My session today was about DevOps, focusing on the culture and how we should behave to support the DevOps culture in combination with the powerful tooling that Microsoft is offering us, Azure DevOps. Besides this, attendees were able to find information related to the 2020 trends from a DevOps perspective and what the Romanian market understands by DevOps.
Tools and competences on DevOps for 2020, by Radu Vunvulea
The key thing to note is that legacy systems are only legacy because they’ve been successful enough to last this long. Legacy systems can be made more flexible and maintainable by organizing them based on business needs and capabilities, making individual parts loosely coupled and independently deployable. This allows legacy systems to be adapted over time without needing to replace the entire system at once.
This document is a software requirements specification (SRS) for a movie recommender system. It provides an introduction to the purpose and scope of the project. The SRS describes the overall product perspective and functions, including providing movie recommendations to users based on their preferences and past ratings. It outlines the user classes, operating environment, design constraints, and documentation. The SRS also specifies the external interfaces, system features, and other non-functional requirements around performance, safety, security and quality.
The document summarizes a research paper that proposes a Java-based remote control system for laboratory monitoring. The system allows administrators to remotely control and monitor computers connected over a local area network. It uses Java Remote Method Invocation (RMI) to enable remote access and control of resources like locking/unlocking USB drives and files. The system aims to provide an efficient and automated alternative to existing remote desktop solutions by minimizing processing power usage on both client and server machines.
Highly confidential security system - sole survivors - SRS, by Arun prasath
In day-to-day life it is quite hard to remember all confidential data like mail IDs, passwords, bank account numbers, insurance policy numbers, PAN numbers, driving license numbers, education certificate numbers, high-value scanned copies, confidential photos, music and videos. Crypto Locker is a highly secure web application to store all confidential data under a single credential.
The document discusses and compares three popular application release automation (ARA) tools: CA Release Automation (Lisa), IBM UrbanCode Deploy, and XebiaLabs XL Deploy. It provides information on each tool's valuable features and potential criticisms. While all three tools could effectively manage a company's deployment process, the document notes that XebiaLabs may be most practical if a model-based deployment approach is preferred, while UrbanCode and Lisa would be best if a workflow-based approach is preferred. However, the author believes that how well each tool is implemented within a company will have a greater impact on efficiency than the tool alone.
An Online Insurance Broker Portal is important and hence an integral part of every insurance broker's business. Today every insurance broker plays a vital role in insurance, claim and management related actions. The project entitled "Online Insurance Broker Portal" is an effort towards designing an information system that would provide most of the requirements for managing insurance brokers efficiently.
The project has been designed using the SQL Server 2014 database management system. SQL Server 2014 is an RDBMS; we have used the concept of relations to store and manipulate the data of the information system. Physically these relations have been stored in the form of tables. Corresponding to each entity and each relationship we have a database table. These tables contain columns as the fields of the table. Further, each column has attributes such as data type, size and default value which define and validate the data.
In the design of "Online Insurance Broker Portal" we have exploited the rich facilities (tools) of C#.NET MVC. C#.NET MVC is Microsoft's strategic language for Rapid Application Development (RAD) and also has the feature of the Common Language Runtime (CLR). It is easy to use, efficient, flexible and powerful for developing database related programming as well as Net programming.
Monitoring and Managing Anomaly Detection on OpenShift.pdf, by Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup Slides, by Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence, by IndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
How to Get CNIC Information System with Paksim Ga.pptx, by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers, by akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Building Production Ready Search Pipelines with Spark and Milvus, by Zilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Digital Marketing Trends in 2024 | Guide for Staying Ahead, by Wask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
GraphRAG for Life Science to increase LLM accuracy, by Tomaz Bratanic
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
UiPath Test Automation using UiPath Test Suite series, part 6, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
The UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Taking AI to the Next Level in Manufacturing.pdf, by ssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Generating privacy-protected synthetic data using Secludy and Milvus, by Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
OpenID AuthZEN Interop Read Out - Authorization, by David Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer's life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack, by shyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Role based access control - RBAC
1. [Figure: RBAC model diagram. Element sets: USERS, ROLES, SESSIONS, OPS (operations), OBS (objects), PRMS (permissions). Relations: User Assignment (UA), Permission Assignment (PA), Role Hierarchy (RH), user_sessions, session_roles. Constraints: SSD (static separation of duty) and DSD (dynamic separation of duty).]
2. Access Control: a system to control, monitor and restrict the movement of people, assets or vehicles around a building or site.
Access Control types
• Discretionary Access Control
• Mandatory Access Control
• Role-Based Access Control
http://www.ifour-consultancy.com Offshore software development company India
3. Discretionary Access Control restricts access to objects based solely on the identity of the users who are trying to access them.
Application access list:
Name    Access
Tom     Yes
John    No
Cindy   Yes
[Figure: individuals mapped directly to resources: Server 1, Server 2, Server 3, Legacy Apps.]
4. MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance.
[Figure: individuals mapped to resources by clearance: Server 1 "Top Secret", Server 2 "Secret", Server 3 "Classified", SIPRNET, Legacy Apps.]
Better security than DAC.
5. Role-Based Access Control (RBAC): a user has access to an object based on the assigned role.
Roles are defined based on job functions.
Permissions are defined based on job authority and responsibilities within a job function.
Operations on an object are invoked according to the permissions held by the role.
The object is concerned with the user's role, not with the user.
"Ideally, the [RBAC] system is clearly defined and agile, making the addition of new applications, roles, and employees as efficient as possible"
6. [Figure: Individuals are assigned to Role 1, Role 2 and Role 3, and the roles (not the individuals) are mapped onto the resources Server 1, Server 2 and Server 3.]
Users change frequently; roles don't.
7. Three primary rules are defined for RBAC:
• Role assignment
• Role authorization
• Permission authorization
8. RBAC Model: a family of RBAC models (the RBAC96 family) with four members, in increasing order of implementation effort:
1. RBAC0: minimum functionality
2. RBAC1: RBAC0 plus role inheritance (role hierarchies)
3. RBAC2: RBAC0 plus constraints (restrictions on the RBAC configuration)
4. RBAC3: RBAC0 plus both of the above (RBAC1 and RBAC2 combined)
9. Core Components and Constraining Components
• Core RBAC
• Hierarchical RBAC: General, Limited
• Separation of Duty Relations: Static, Dynamic
10. Core RBAC defines:
• USERS
• ROLES
• OPERATIONS (ops)
• OBJECTS (obs)
• User Assignments (ua): assigned_users
• Permissions (prms): assigned permissions, object permissions, operation permissions
• Sessions: user sessions, available session permissions, session roles
11. Role Hierarchies (rh)
• General
• Limited
Separation of Duties
• Static
• Dynamic
12. Core RBAC
[Figure: USERS linked to ROLES by (UA) User Assignment; ROLES linked to PRMS (OPS on OBS) by (PA) Permission Assignment; SESSIONS linked to USERS by user_sessions and to ROLES by session_roles.]
• Many-to-many relationship among individual users and privileges
• A session is a mapping between a user and an activated subset of that user's assigned roles
• User/role relations can be defined independently of role/privilege relations
• Privileges are system/application dependent
• Accommodates traditional but robust group-based access control
13. USERS set and ROLES set: a user can be assigned to one or more roles (e.g. Developer and Help Desk Rep), and a role can be assigned to one or more users.
14. PRMS set and ROLES set: a permission can be assigned to one or more roles, and a role can be assigned one or more permissions. Example: the roles Admin.DB1 and User.DB1 hold different subsets of the operations Create, Delete, Drop, View, Update and Append.
15. user_sessions: the mapping of user u onto a set of sessions.
[Figure: USERS (roles guest, admin, user) USER1 and USER2; USER2 invokes the sessions User2.FIN1.report1.session, User2.DB1.table1.session (SQL) and User2.APP1.desktop.session.]
16. session_roles: the mapping of session s onto a set of roles.
[Figure: the SQL session DB1.table1.session activates roles drawn from Admin, User and Guest.]
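The Core RBAC relations of slides 12 to 16 and the three rules of slide 7, as an added worked example (this is not code from the original slides): permissions are granted only to roles, and a subject exercises them only through the roles activated in a session. The role names Admin.DB1 and User.DB1, the operations Create/Delete/Drop/View/Update/Append and the session name User2.DB1.table1.session come from the slides; the class and method names and the object name DB1.table1 are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """A permission is an (operation, object) pair, e.g. ("View", "DB1.table1")."""
    operation: str
    obj: str


class CoreRBAC:
    """Core RBAC: UA and PA relations plus sessions that activate a subset of the
    owning user's assigned roles. Access is decided only from a session's active
    roles, which is what makes the three rules hold by construction."""

    def __init__(self) -> None:
        self.users: set[str] = set()
        self.roles: set[str] = set()
        self.ua: dict[str, set[str]] = {}           # UA: user -> assigned roles
        self.pa: dict[str, set[Permission]] = {}    # PA: role -> assigned permissions
        self.sessions: dict[str, tuple[str, set[str]]] = {}  # id -> (user, active roles)

    def add_user(self, user: str) -> None:
        self.users.add(user)
        self.ua.setdefault(user, set())

    def add_role(self, role: str) -> None:
        self.roles.add(role)
        self.pa.setdefault(role, set())

    def assign_user(self, user: str, role: str) -> None:
        """Add (user, role) to UA; many-to-many, so call again for more roles."""
        if user not in self.users or role not in self.roles:
            raise KeyError("unknown user or role")
        self.ua[user].add(role)

    def grant_permission(self, role: str, operation: str, obj: str) -> None:
        """Add (permission, role) to PA. Permissions are never tied to a user."""
        if role not in self.roles:
            raise KeyError("unknown role")
        self.pa[role].add(Permission(operation, obj))

    def create_session(self, user: str, session_id: str) -> None:
        """user_sessions: a new session starts with no active roles."""
        if user not in self.users:
            raise KeyError("unknown user")
        self.sessions[session_id] = (user, set())

    def add_active_role(self, session_id: str, role: str) -> bool:
        """session_roles. Rule 2 (role authorization): a session may activate
        only roles assigned to its owner in UA."""
        user, active = self.sessions[session_id]
        if role not in self.ua[user]:
            return False
        active.add(role)
        return True

    def session_permissions(self, session_id: str) -> set[Permission]:
        """avail_session_perms: union of PA over the session's active roles."""
        _, active = self.sessions[session_id]
        perms: set[Permission] = set()
        for role in active:
            perms |= self.pa[role]
        return perms

    def check_access(self, session_id: str, operation: str, obj: str) -> bool:
        """Rules 1 and 3: a subject exercises a permission only via an active role
        (no active role, no access) and only if that role holds the permission."""
        return Permission(operation, obj) in self.session_permissions(session_id)


def core_demo() -> dict[str, bool]:
    """Constructed scenario: USER1 is Admin.DB1, USER2 is User.DB1, on DB1.table1."""
    rbac = CoreRBAC()
    for u in ("USER1", "USER2"):
        rbac.add_user(u)
    for r in ("Admin.DB1", "User.DB1", "Guest"):
        rbac.add_role(r)
    for op in ("Create", "Delete", "Drop", "View", "Update", "Append"):
        rbac.grant_permission("Admin.DB1", op, "DB1.table1")
    for op in ("View", "Append"):
        rbac.grant_permission("User.DB1", op, "DB1.table1")
    rbac.assign_user("USER1", "Admin.DB1")
    rbac.assign_user("USER2", "User.DB1")

    sid = "User2.DB1.table1.session"
    rbac.create_session("USER2", sid)
    results = {
        "no_role_view": rbac.check_access(sid, "View", "DB1.table1"),  # rule 1: nothing yet
        "activate_admin": rbac.add_active_role(sid, "Admin.DB1"),      # rule 2: not in UA
        "activate_user": rbac.add_active_role(sid, "User.DB1"),
    }
    results["view"] = rbac.check_access(sid, "View", "DB1.table1")    # rule 3: in PA of role
    results["drop"] = rbac.check_access(sid, "Drop", "DB1.table1")    # rule 3: not in PA
    return results


if __name__ == "__main__":
    print(core_demo())
```

The rules fall out of the data model rather than from extra checks: a session with no active role holds no permissions (role assignment), add_active_role refuses roles outside the owner's UA entry (role authorization), and check_access consults only the PA entries of active roles (permission authorization). Only the authorization relations are modelled here; a real deployment still needs server-side session state and unguessable session identifiers.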
17. Hierarchical RBAC
[Figure: the Core RBAC model of slide 12 with a Role Hierarchy (RH) relation added over ROLES.]
Role Hierarchies (rh)
• General
• Limited
18. [Figure: example role hierarchy over the roles Engineering Dept, Engineer 1, Engineer 2, Production Engineer 1, Quality Engineer 1, Production Engineer 2, Quality Engineer 2, Project Lead 1, Project Lead 2 and Director.]
19. Upper roles have all the access rights of the lower roles as well as other access rights not available to a lower role.
[Figure: the hierarchy of slide 18 again, with Director above Project Lead 1 and Project Lead 2, the project leads above the engineers, and Engineering Dept at the bottom.]
20. General role hierarchies
[Figure: nested role sets Guest Role Set, User Role Set, Power User Role Set, Admin Role Set; Guest holds -r-, User holds r-w-h.]
r1 inherits r2 (r1 ≥ r2) only if all permissions of r2 are also permissions of r1, and only if all users of r1 are also users of r2.
General hierarchies support multiple inheritance: a role may inherit from two or more roles.
21. Limited role hierarchy: a restriction on the immediate descendants of the general role hierarchy.
[Figure: Role2 inherits from Role1; Role3 does not inherit from Role1 or Role2.]
22. Constrained RBAC
[Figure: the hierarchical model of slide 17 with SSD constraints on User Assignment/ROLES and DSD constraints on SESSIONS.]
Constrained RBAC
• Static
• Dynamic
23. Separation of duty enforces the conflict-of-interest policies employed to prevent users from exceeding a reasonable level of authority for their position.
It ensures that failures of omission or commission within an organization can be caused only as a result of collusion among individuals.
Two types:
• Static Separation of Duties (SSD)
• Dynamic Separation of Duties (DSD)
24. SSD places restrictions on the set of roles and in particular on their ability to form UA relations.
No user is assigned to n or more roles from a role set in which n or more of the roles conflict with each other.
A user may be in one role but not in another: the roles are mutually exclusive.
This prevents a person from submitting and approving their own request.
25. SSD in the presence of a role hierarchy: a constraint on the authorized users of the roles that have an SSD relation.
It is based on the authorized users (those assigned to a role or to any role senior to it) rather than on the directly assigned users.
This ensures that inheritance does not undermine SSD policies: a user cannot reach two conflicting roles through a senior role that inherits both.
Placing constraints on the users that can be assigned to a set of roles reduces the number of potential permissions that can be made available to a user.
26. DSD likewise reduces the number of potential permissions that can be made available to a user, but it constrains the roles that can be activated rather than the roles that can be assigned.
The constraints apply within or across a user's sessions.
No user may activate n or more roles from the DSD role set in one session.
Timely revocation of trust ensures that permissions do not persist beyond the time that they are required for the performance of a duty: a role is deactivated when its task is done.
28. The small scale of GIAC Enterprises is both a plus and a minus for implementing RBAC.
In a smaller company users will most likely assume multiple roles within the organization, making it difficult to create static roles for each user or process.
At first glance the implementation of RBAC in a company with under 10 employees may seem simple. If roles are not properly identified and categorized, scalability becomes a problem. The sooner you implement the principles of least privilege and segregation of duties, the more reliable your process will become.
At a high level GIAC Enterprises can be broken into four divisions:
• Business (CEO, CFO, Sales Manager, Product Manager)
• Development (Developer)
• Administration (System Administrator)
• Audit (External Resource)
29. The DMZ houses the Email gateway, IPS, Web Server, and
MetaFrame Presentation Server
Windows systems (Email, MetaFrame) use Active Directory (AD)
for maintaining role-based access controls
Linux systems (Web, App, IPS) use Vintela Authentication Services
(VAS) which sits on the AD framework for administering role-based
access controls
Within AD, the following roles are defined specific to the DMZ:
• User - read-only access to web pages
• Administrator - read/write access to deploy changes made by
developer
• Auditor – read-only access to specified systems
30. Access to the majority of GIAC Enterprises' internal systems (Email, File, HR, Antivirus, DC, DNS) is governed by Windows Active Directory (AD).
Access to the Linux/Apache web server and the Solaris/WebLogic application server is controlled via Vintela Authentication Services (VAS) managed through AD.
Internally the following roles are defined:
• User - read-only access to web pages
• Administrator - read/write access to deploy changes to production after they've been made by a developer
• Developer - read/write access to development partitions of web/app/db servers
• Auditor - read-only access to specified systems
Employees access the sales and HR databases through a web-to-app interface, thereby abiding by a 3-tier architecture.
Systems are partitioned and segmented into development and production environments to facilitate configuration management practices.
31. Cisco's Network Admission Control (NAC) is used to control workstation and laptop access to the internal network.
IBNS and 802.1X are integrated into NAC (next slide).
802.1X provides controls for both wired and wireless devices.
NAC Profiler is used to automatically identify and assess non-PC devices such as Voice over IP phones and printers.
Appropriate device roles are created, for example business user, guest user, etc.
NAC is used to isolate vendor connections (e.g. visiting laptops) while still allowing Internet access.
The policy server ensures that authorized endpoint devices have been patched (operating systems, critical applications, anti-virus, anti-spyware, etc.).
32. Use Cisco’s AAA & TACACS+ via Cisco Secure Access Control Server
& Active Directory for centralized router and firewall Authentication,
Authorization, and Accounting.
Use Cisco's Identity-Based Networking Services (IBNS) identity
management solution
IBNS is based on 802.1x and offers authentication, access control, and
user policies to secure the network
802.1X allows enforcement of port based network access control when
devices attempt to access the network
IBNS leverages Cisco's switches, Wireless APs, Cisco Secure ACS and
Cisco Secure Services Client
Cisco’s Role-Based CLI Access is used to define auditor and helpdesk
views
These views are configured to restrict access to Cisco IOS commands
and configuration while allowing timely problem resolution and audit
access to the IOS
33. RBAC will ease auditing of network and systems
Enforces unique usernames; only one username per user
Define ‘read’ or ‘view’ only access to auditing roles
Auditors can then be granted access to audit roles
Appropriate event logs from servers, Active Directory, IPS, routers,
Vintela Authentication Services, NAC, key card system and other
network infrastructure devices are stored in a centralized log
server
Access to the centralized log server data is restricted: IT cannot
access, modify or delete logs without audit's permission
An event correlation and reporting server is used by both IT and
audit to correlate and review the data
34. References
1. NIST RBAC documents at http://csrc.nist.gov/rbac/
2. D. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, R. Chandramouli, "Proposed NIST Standard for Role-Based Access Control," ACM Transactions on Information and System Security, vol. 4, no. 3 (August 2001); the draft of the consensus standard for RBAC.
3. R. Sandhu, V. Bhamidipati, Q. Munawer, "The ARBAC97 model for role-based administration of roles," ACM Transactions on Information and System Security, vol. 2, no. 1 (1999).
Presented by (Symbiosis): Neha Kabra, Jayesh Singhal, Rohit Gedam, Sunil Saroj
Three primary rules are defined for RBAC:
Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.
The RBAC model as a whole is fundamentally defined in terms of individual users being assigned to roles and permissions being assigned to roles.
A role is a means for naming many-to-many relationships among individual users and permissions.
In addition it includes a set of sessions, where each session is a mapping between a user and an activated subset of the roles that are assigned to that user.
The type of operations and objects that RBAC controls are dependent on the type of the system in which they are implemented.
The set of objects covered by RBAC includes all the objects listed in the permissions that are assigned to roles.
Hierarchical RBAC adds requirements for supporting role hierarchies. A hierarchy is mathematically a partial order defining a seniority relation between roles, whereby senior roles acquire the permissions of their juniors and junior roles acquire the user membership of their seniors. The standard recognizes two types of role hierarchy:
General Hierarchical RBAC: supports an arbitrary partial order as the role hierarchy, including multiple inheritance of permissions and user membership among roles.
Limited Hierarchical RBAC: some systems impose restrictions on the role hierarchy. Most commonly, hierarchies are limited to simple structures such as trees and inverted trees.
General role hierarchies support the concept of multiple inheritance, which provides the ability to inherit permissions from two or more role sources and to inherit user membership from two or more role sources. Multiple inheritance provides two important hierarchy properties.
The first is the ability to compose a role from multiple subordinate roles (each with fewer permissions) when defining the roles and relations that are characteristic of the organization and business structures these roles are intended to represent.
Second, multiple inheritance provides uniform treatment of user/role assignment relations and role/role inheritance relations. Users can be included in the role hierarchy, using the same relation to denote the user's assignment to roles as well as permission inheritance from a role to its assigned users.
Roles in a limited role hierarchy are restricted to a single immediate descendant. Although limited role hierarchies do not support multiple inheritance, they nonetheless provide clear administrative advantages over Core RBAC.
We represent r1 as an immediate descendant of r2, written r1 ≫ r2, if r1 ≥ r2 but no role in the role hierarchy lies between r1 and r2. That is, there exists no role r3 in the role hierarchy such that r1 ≥ r3 ≥ r2, where r1 ≠ r3 and r2 ≠ r3.
Definition of limited role hierarchy:
∀ r, r1, r2 ∈ ROLES: r ≫ r1 ∧ r ≫ r2 ⇒ r1 = r2
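The general and limited hierarchies of slides 17 to 21 and of the notes above, as an added example (this is not code from the original slides). The inheritance edges are constructed from one reading of the slide 18 chart, with Engineering Dept at the bottom and Director at the top; the direct permission and user assignments, the user names and the function names are assumptions made for this example. The block computes authorized permissions (inherited downward from juniors), authorized users (inherited upward from seniors), the slide 20 inheritance conditions, and the limited-hierarchy predicate from the definition above.

```python
from collections import deque

# Immediate inheritance edges: senior -> its immediate juniors (senior >> junior).
# Constructed reading of the slide 18 chart; not stated on the slide itself.
GENERAL_RH: dict[str, set[str]] = {
    "Director": {"Project Lead 1", "Project Lead 2"},
    "Project Lead 1": {"Production Engineer 1", "Quality Engineer 1"},  # multiple inheritance
    "Project Lead 2": {"Production Engineer 2", "Quality Engineer 2"},
    "Production Engineer 1": {"Engineer 1"},
    "Quality Engineer 1": {"Engineer 1"},
    "Production Engineer 2": {"Engineer 2"},
    "Quality Engineer 2": {"Engineer 2"},
    "Engineer 1": {"Engineering Dept"},
    "Engineer 2": {"Engineering Dept"},
    "Engineering Dept": set(),
}

# A limited hierarchy (inverted tree): each role inherits directly from at most
# one junior, but several seniors may share the same junior. Constructed.
LIMITED_RH: dict[str, set[str]] = {
    "Project Lead 1": {"Production Engineer 1"},
    "Production Engineer 1": {"Engineer 1"},
    "Quality Engineer 1": {"Engineer 1"},
    "Engineer 1": set(),
}

# Direct PA and UA for the demo (constructed; permission strings are op:object).
PA: dict[str, set[str]] = {
    "Engineering Dept": {"read:wiki"},
    "Engineer 1": {"read:project1-src"},
    "Production Engineer 1": {"deploy:project1"},
    "Quality Engineer 1": {"approve:project1-tests"},
    "Project Lead 1": {"approve:project1-release"},
    "Director": {"read:budget"},
}
UA: dict[str, set[str]] = {
    "alice": {"Project Lead 1"},
    "bob": {"Quality Engineer 1"},
    "carol": {"Engineering Dept"},
}


def juniors(rh: dict[str, set[str]], role: str) -> set[str]:
    """All r2 with role >= r2: reflexive, transitive closure of >> downwards."""
    seen, queue = {role}, deque([role])
    while queue:
        for j in rh.get(queue.popleft(), ()):
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return seen


def seniors(rh: dict[str, set[str]], role: str) -> set[str]:
    """All r1 with r1 >= role: closure of >> upwards (reverse edges)."""
    seen, queue = {role}, deque([role])
    while queue:
        cur = queue.popleft()
        for s, js in rh.items():
            if cur in js and s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def dominates(rh: dict[str, set[str]], r1: str, r2: str) -> bool:
    """r1 >= r2 in the partial order."""
    return r2 in juniors(rh, r1)


def authorized_permissions(rh, pa, role: str) -> set[str]:
    """Permissions of the role plus everything inherited from its juniors."""
    return set().union(*(pa.get(r, set()) for r in juniors(rh, role)))


def authorized_users(rh, ua, role: str) -> set[str]:
    """Users assigned to the role or to any senior of it (slide 25 uses this)."""
    return {u for u, roles in ua.items() if roles & seniors(rh, role)}


def check_inheritance(rh, pa, ua, r1: str, r2: str) -> bool:
    """Slide 20 conditions for r1 >= r2: perms(r2) within perms(r1) and users(r1) within users(r2)."""
    return (authorized_permissions(rh, pa, r2) <= authorized_permissions(rh, pa, r1)
            and authorized_users(rh, ua, r1) <= authorized_users(rh, ua, r2))


def is_limited(rh: dict[str, set[str]]) -> bool:
    """r >> r1 and r >> r2 implies r1 == r2: at most one immediate junior per role."""
    return all(len(js) <= 1 for js in rh.values())


if __name__ == "__main__":
    print(sorted(authorized_permissions(GENERAL_RH, PA, "Project Lead 1")))
    print(sorted(authorized_users(GENERAL_RH, UA, "Engineer 1")))
    print(is_limited(GENERAL_RH), is_limited(LIMITED_RH))
```

authorized_users is the set the SSD-with-hierarchy constraint of slide 25 has to examine: bob is assigned only Quality Engineer 1, yet he is an authorized user of Engineer 1 and Engineering Dept through inheritance, so an SSD check that looked only at direct assignments would miss him. The general chart fails is_limited because Project Lead 1 inherits from two juniors; the inverted-tree variant passes.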
It adds separation of duty relations to the RBAC model.
As a security principle, SOD has long been recognized for its wide application in business, industry, and government.
Its purpose is to ensure that failures of omission or commission within an organization can be caused only as a result of collusion among individuals.
To minimize the likelihood of collusion, individuals of different skills or divergent interests are assigned to separate tasks required in the performance of a business function.
The motivation is to ensure that fraud and major errors cannot occur without deliberate collusion of multiple users.
This RBAC standard allows for both static and dynamic separation of duty
Separation of duty relations are used to enforce conflict-of-interest policies. A conflict of interest in a role-based system may arise when a user gains authorization for permissions associated with conflicting roles.
One means of preventing this form of conflict of interest is static separation of duty (SSD), that is, enforcing constraints on the assignment of users to roles.
An example of such a static constraint is the requirement that two roles be mutually exclusive; for example, if one role requests expenditures and another approves them, the organization may prohibit the same user from being assigned to both roles.
The SSD policy can be centrally specified and then uniformly imposed on specific roles. Because of the potential for inconsistencies between static separation of duty relations and the inheritance relations of a role hierarchy, SSD requirements are defined both in the presence and in the absence of role hierarchies.
Dynamic separation of duty (DSD) relations, like SSD relations, limit the permissions that are available to a user. However DSD relations differ from SSD relations by the context in which these limitations are imposed.
DSD requirements limit the availability of the permissions by placing constraints on the roles that can be activated within or across a user’s sessions.
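The SSD and DSD constraints of slides 23 to 26 and of the notes above, as an added example (this is not code from the original slides). SSD is checked when a user is assigned a role, DSD when a role is activated in a session, and deactivation is the "timely revocation" step that lets a user who legitimately holds two DSD-related roles switch between them. The role names (Requester/Approver, Cashier/Cashier Supervisor), the user names, the session name and the class and method names are assumptions made for this example. SSD in the presence of a hierarchy (slide 25) would need the authorized-user closure, which this block deliberately leaves out.

```python
class SodRBAC:
    """Constrained RBAC: SSD constraints on UA, DSD constraints on session roles.

    A constraint is (role_set, n) with 2 <= n <= |role_set|: no user may be
    assigned (SSD), or activate in one session (DSD), n or more roles from it."""

    def __init__(self) -> None:
        self.ua: dict[str, set[str]] = {}                    # user -> assigned roles
        self.sessions: dict[str, tuple[str, set[str]]] = {}  # id -> (user, active roles)
        self.ssd: list[tuple[frozenset[str], int]] = []
        self.dsd: list[tuple[frozenset[str], int]] = []

    @staticmethod
    def _constraint(roles: set[str], n: int) -> tuple[frozenset[str], int]:
        if n < 2 or n > len(roles):
            raise ValueError("need 2 <= n <= number of roles in the set")
        return frozenset(roles), n

    def add_ssd(self, roles: set[str], n: int = 2) -> None:
        self.ssd.append(self._constraint(roles, n))

    def add_dsd(self, roles: set[str], n: int = 2) -> None:
        self.dsd.append(self._constraint(roles, n))

    @staticmethod
    def _violates(constraints, roles: set[str]) -> bool:
        return any(len(roles & rs) >= n for rs, n in constraints)

    def assign_user(self, user: str, role: str) -> bool:
        """SSD: refuse the assignment if the user would hold n or more roles
        from any SSD set (the roles are mutually exclusive for n == 2)."""
        new = self.ua.get(user, set()) | {role}
        if self._violates(self.ssd, new):
            return False
        self.ua[user] = new
        return True

    def create_session(self, user: str, session_id: str) -> None:
        self.sessions[session_id] = (user, set())

    def activate(self, session_id: str, role: str) -> bool:
        """Role authorization (role must be in UA) followed by the DSD check on
        the roles that would be active together in this session."""
        user, active = self.sessions[session_id]
        if role not in self.ua.get(user, set()):
            return False
        if self._violates(self.dsd, active | {role}):
            return False
        active.add(role)
        return True

    def deactivate(self, session_id: str, role: str) -> None:
        """Timely revocation: drop the role once its duty is performed."""
        self.sessions[session_id][1].discard(role)


def sod_demo() -> list[bool]:
    """Constructed scenario: one SSD pair and one DSD pair."""
    rbac = SodRBAC()
    rbac.add_ssd({"Requester", "Approver"})           # never both, in any session
    rbac.add_dsd({"Cashier", "Cashier Supervisor"})   # may hold both, not at once
    out = [
        rbac.assign_user("dave", "Requester"),             # True
        rbac.assign_user("dave", "Approver"),              # False: SSD
        rbac.assign_user("erin", "Cashier"),               # True
        rbac.assign_user("erin", "Cashier Supervisor"),    # True: DSD bites later
    ]
    sid = "erin.till.session"
    rbac.create_session("erin", sid)
    out.append(rbac.activate(sid, "Cashier"))              # True
    out.append(rbac.activate(sid, "Cashier Supervisor"))   # False: DSD in one session
    rbac.deactivate(sid, "Cashier")                        # timely revocation
    out.append(rbac.activate(sid, "Cashier Supervisor"))   # True
    return out


if __name__ == "__main__":
    print(sod_demo())
```

The two constraint kinds share one evaluation, _violates; what differs is the set they are evaluated against (the user's assigned roles for SSD, the session's would-be active roles for DSD) and therefore the moment at which they bite. The erin example is the "across sessions" question of slide 26 in miniature: this block enforces DSD per session only, so an implementation that must forbid the two roles across concurrent sessions would evaluate the DSD sets against the union of all of the user's active sessions instead.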