Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler (Prolifics)
IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM)
Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can utilize the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM have enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.
This document is intended to introduce readers to role based access control (RBAC), as applied to large numbers of users and multiple IT systems. It is organized into five distinct parts:
1. Development of RBAC concepts from a simple model to a complex but realistic privilege management infrastructure.
2. Business drivers to motivate organizations to use an RBAC system to manage security privileges.
3. Process for deploying RBAC into an organization.
4. Maintenance tasks for keeping a deployed RBAC system functioning smoothly.
5. Organizational impact of the deployment project and of the running RBAC system.
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? (David Brossard)
In this presentation, I cover the history of access control, from simpler models e.g. access control lists (ACL) to Role Based Access Control (RBAC) and eventually Attribute Based Access Control (ABAC). I then discuss limitations of RBAC and how ABAC provides a better alternative using attributes and policies.
In this talk, Oded Hareven, Co-Founder & CEO of Akeyless.io, discusses the history of the movement toward best practices in password, token, key, and credential management, including HSMs, KMSs, PAMs, and PKI management. He explores how secrets management is now a MUST for DevOps and security teams of all enterprises and why the right tool needs to be cloud-agnostic, cloud-native, integrable with any DevOps pipelines, and infinitely scalable.
Multithreading is the ability of a program or an operating system process to manage its use by more than one user at a time and to even manage multiple requests by the same user without having to have multiple copies of the programming running in the computer.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunately even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.
Attribute-Based access control (ABAC) is the current state-of-practice model to express access rules in terms of attributes of subjects, resources, actions and the environment. In industry, ABAC is becoming the general methodology for managing access in IT applications. In the first part of this talk, we go into detail on how attributes can express different access control concepts. In the second part of the talk, we discuss how ABAC is used as a model for access control management to align access rules with business processes via a wide variety of domain-specific access control concepts.
Complex architectures for authentication and authorization on AWS (Boyan Dimitrov)
In this talk we discuss key architecture patterns for designing authentication and authorization solutions in complex microservices environments. We focus on the key advantages and capabilities of AWS Cognito User Pools and Federated Identities and explore how this service can address the challenges of implementing client to service, service to service and service to infrastructure auth.
In addition, we discuss patterns and best practices around building a highly available and resilient decentralised authorization solution for microservices environments based on OIDC. We present a simple RBAC implementation together with fine-grained permissions and end to end automation.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Access Control Models: Controlling Resource Authorization (Mark Niebergall)
There are various access control models, each with a specific intent and purpose. Determining the ideal model for an application can help ensure proper authorization to application resources. Each of the primary models will be covered, including the MAC, DAC, RBAC, and ABAC Access Control models. Examples, challenges, and benefits of each will be discussed to provide a further insight into which solution may best serve an application. Application sensitivity, regulations, and privacy may drive which model is selected.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
This presentation covers the topic of access control in software. Access control is an essential part of every software application that manages data of any value. However, access control is also complex and hard to get right, both from a development and management point of view.
In this presentation, we first explore the concept and goals of access control in general. We then discuss the different models that exist in practice and in literature to reason about access control. We then investigate different approaches of how to enforce access control in an application. Overall, this sessions aims to provide deeper insights into access control in order to better reason about it and implement it correctly and efficiently.
With the advent of Hadoop, there comes the need for professionals skilled in Hadoop Administration making it imperative to be skilled as a Hadoop Admin for better career, salary and job opportunities.
Authorization is the process of giving someone permission to do or have something.
Table of Contents
Introduction Authorization
Common Attacker Testing Authentication
Strategies For Strong Authentication
Access Control
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure (MongoDB)
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action to reduce your anxiety!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My slides and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Role based access control
1. Role Based Access Control
Peter Edwards
peter@dragonstaff.co.uk
Birmingham.pm
Perl Technical Talk
22nd October 2008
Peter and Léon Brocard at Google Dev Day
1
Role Based Access Control 12/22/12
2. Contents
1. Requirement and Solution
2. Authentication and Authorisation Definitions
3. Authentication Process
4. Authentication Example
5. Authentication Session
6. More Authentication Session Examples
7. Authorisation Types
8. Article On Simple Authorisation
9. Simple Authorisation in Catalyst
10. CPAN Lattice-Based Access Control Example
14. Role Based Access Control
14.1. Academic Papers
14.2. Emerging Standards and Implementations
14.3. Existing Security Implementations
14.4. Perl Implementations
14.5. RBAC Design
14.6. RBAC Example
15. Further Information
3. Requirement
Controlling user access to applications and
the data within them
Solution
Identify each user
Grant them permissions to work with
applications and data
Test for that when they use the application
4. Authentication and Authorisation
Definitions
Authentication is the validation of a userid
that is used by a user or batch process
Authorisation is checking that a userid is
allowed to perform certain operations on
an object
can <user> "fred" do <operation> "delete" on
<object> "/home/fred/somefile.txt" of <object_type>
"file"
5. Authentication Process
user/batch process requests access for <userid>
using <credential> from a server
server validates credential (e.g. password or key
challenge certificate) against userid and returns
an <authentication_token> (e.g. a cookie or hash
token) which is linked server side to the userid,
typically in a session store
user/batch process supplies the authentication
token along with subsequent requests to the
server
on receiving a request the server
– validates the authentication token
– checks the linked userid has authorisation to
perform the given request
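The four steps on the slide as a small server-side session, written here as an added Perl example (not code from the talk). The user table, the function names (login, userid_for_token, logout) and the use of plain salted SHA-256 are assumptions made for the example; the point is the token that is meaningless to the client and resolves to a userid only in the server's session store.

```perl
#!/usr/bin/env perl
# Added example: the four steps on the slide as a tiny server-side
# authentication session. Function names (login, userid_for_token, ...) and
# the user table are hypothetical, not code from the talk.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed user table: userid => [ salt, SHA-256 of salt + password ].
# A production store would use a slow password hash (bcrypt, scrypt, Argon2);
# plain SHA-256 is used here only because Digest::SHA ships with core Perl.
my %users = (
    fred => [ 'a1b2c3', sha256_hex( 'a1b2c3' . 'correct horse' ) ],
);

my $SESSION_TTL = 600;    # seconds a token stays valid
my %sessions;             # token => { userid => ..., expires => epoch }

# 32 random bytes from the kernel CSPRNG; rand() is not suitable for tokens.
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read( $fh, my $bytes, 32 ) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Compare two equal-length strings without leaking where they first differ.
sub constant_time_eq {
    my ( $x, $y ) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Steps 1 and 2: the client presents <userid> and <credential>; the server
# validates them and returns an <authentication_token> that is linked to the
# userid only on the server side, in the session store.
sub login {
    my ( $userid, $password ) = @_;
    my $rec = $users{$userid} or return undef;
    my ( $salt, $stored ) = @$rec;
    return undef unless constant_time_eq( sha256_hex( $salt . $password ), $stored );
    my $token = random_token();
    $sessions{$token} = { userid => $userid, expires => time + $SESSION_TTL };
    return $token;
}

# Steps 3 and 4: the client sends the token with each request; the server
# validates it (exists, not expired) and resolves the userid that the
# authorisation check will use.
sub userid_for_token {
    my ($token) = @_;
    my $s = $sessions{$token} or return undef;
    if ( $s->{expires} < time ) {
        delete $sessions{$token};    # expired: forget it
        return undef;
    }
    return $s->{userid};
}

sub logout { delete $sessions{ $_[0] } }

# Usage
my $tok = login( 'fred', 'correct horse' ) or die "login failed\n";
print "valid token resolves to: ", userid_for_token($tok), "\n";
print "wrong password gives:    ", defined login( 'fred', 'wrong' ) ? 'a token' : 'no token', "\n";
print "unknown token resolves:  ", userid_for_token( '0' x 64 ) // 'nothing', "\n";
logout($tok);
print "after logout resolves:   ", userid_for_token($tok) // 'nothing', "\n";
```

The token carries no information about the user, so a client cannot forge one without guessing 256 random bits; expiry and logout both work by deleting the server-side entry, which is why the store has to be on the server rather than in the cookie.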
7. Authentication Session
Once authenticated, you'll need a session to persist that, otherwise
you'd need to ask for the userid/password every time
Using Authen::Simple with Apache gives us an implicit session
# a mod_perl Authen handler
PerlModule Authen::Simple::Apache
PerlModule Authen::Simple::Passwd
PerlSetVar AuthenSimplePasswd_path "/etc/passwd"
<Location /protected>
PerlAuthenHandler Authen::Simple::Passwd
AuthType Basic
AuthName "Protected Area"
Require valid-user
</Location>
8. More Auth Session Examples
These modules on CPAN give examples of
how to authenticate and have that persisted
in an authentication session
CGI::Application::Plugin::Authentication
CGI::Application::Plugin::Session
Catalyst::Manual::Tutorial::Authentication
Catalyst::Plugin::Authentication
Catalyst::Plugin::Authorization::Roles
9. Authorisation Types / 1
simple
authenticated user has full access to system
auth'd user has roles which each grant full access to a sub-system, either as
a process ('can register new users') or data ('can amend customer records')
– the role acts effectively as a grouping mechanism
Lattice-Based Access Control (LBAC)
– users (subjects) mapped to objects (resources, computers, applications)
Role-Based Access Control (RBAC)
– users have hierarchical roles which have permissions that grant operations
e.g. user "fred" has role "sysadmin" which has permission "security_edit" which
grants operations "read" and "write" on security objects
instead user "fred" might have role "root" which inherits from role "sysadmin"
those permissions
RBAC with Access Control List extension
– users have roles which have permissions with a precedence that grant operations
on matched objects
e.g. user "jo" has role "editor" which has permission "food_recipes" which grants
operations "read", "write", "delete" to objects "of type 'document' with file path
matching '/home/recipes/*'"
enterprise framework, e.g. PERMIS storing permissions via OpenLDAP and
authenticating against Windows ADS BBC SSO or Shibboleth
complex
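The RBAC and "RBAC with ACL extension" cases from this slide (fred, sysadmin, root, security_edit; jo, editor, food_recipes on '/home/recipes/*') as an added Perl example, not code from the talk or from any CPAN module. It goes a little beyond the slide: the helper names (effective_roles, glob_to_re, can_do), the numeric precedence order and the allow/deny effect are assumptions, and the no_delete_archive deny permission is constructed to show precedence at work.

```perl
#!/usr/bin/env perl
# Added example: hierarchical RBAC with an ACL-style object-pattern extension.
# Hypothetical helper names; not code from the talk or any CPAN module.
use strict;
use warnings;

# Role hierarchy: role => list of roles it inherits permissions from.
my %inherits = (
    root     => ['sysadmin'],    # from the slide: root inherits sysadmin
    sysadmin => [],
    editor   => [],
);

# Permissions: which operations on which object type, restricted to objects
# whose path matches a glob. 'effect' and numeric 'precedence' (lower number
# is checked first) are assumptions added to model the "precedence" on the
# slide; the deny entry is constructed for illustration.
my %permissions = (
    security_edit     => { ops => [qw(read write)],        type => 'security',
                           match => '*',                    precedence => 10, effect => 'allow' },
    food_recipes      => { ops => [qw(read write delete)], type => 'document',
                           match => '/home/recipes/*',      precedence => 10, effect => 'allow' },
    no_delete_archive => { ops => [qw(delete)],            type => 'document',
                           match => '/home/recipes/archive/*', precedence => 1, effect => 'deny' },
);

my %role_perms = (
    sysadmin => [qw(security_edit)],
    editor   => [qw(food_recipes no_delete_archive)],
);

my %user_roles = (
    fred => [qw(root)],
    jo   => [qw(editor)],
);

# Expand roles to themselves plus everything they inherit, transitively;
# %seen also protects against an accidental cycle in the hierarchy.
sub effective_roles {
    my @todo = @_;
    my %seen;
    while ( defined( my $r = shift @todo ) ) {
        next if $seen{$r}++;
        push @todo, @{ $inherits{$r} || [] };
    }
    return sort keys %seen;
}

# Translate a shell-style glob ('*' and '?' only) into an anchored regex.
sub glob_to_re {
    my $g = quotemeta shift;
    $g =~ s/\\\*/.*/g;
    $g =~ s/\\\?/./g;
    return qr/^$g$/;
}

# can_do(user, operation, object, object_type): collect the permissions of all
# effective roles, test them in precedence order, and let the first one that
# matches decide. No matching permission means the operation is denied.
sub can_do {
    my ( $user, $op, $object, $type ) = @_;
    my @cands;
    for my $role ( effective_roles( @{ $user_roles{$user} || [] } ) ) {
        push @cands, $permissions{$_} for @{ $role_perms{$role} || [] };
    }
    for my $p ( sort { $a->{precedence} <=> $b->{precedence} } @cands ) {
        next unless $p->{type} eq $type;
        next unless grep { $_ eq $op } @{ $p->{ops} };
        next unless $object =~ glob_to_re( $p->{match} );
        return $p->{effect} eq 'allow' ? 1 : 0;
    }
    return 0;
}

# Usage: the checks from the slide plus the deny override.
my @checks = (
    [ 'fred write security policy',  'fred', 'write',  '/etc/security/policy',          'security' ],
    [ 'fred delete security policy', 'fred', 'delete', '/etc/security/policy',          'security' ],
    [ 'jo delete recipe',            'jo',   'delete', '/home/recipes/soup.txt',        'document' ],
    [ 'jo delete archived recipe',   'jo',   'delete', '/home/recipes/archive/old.txt', 'document' ],
    [ 'jo read archived recipe',     'jo',   'read',   '/home/recipes/archive/old.txt', 'document' ],
);
for my $c (@checks) {
    my ( $label, @args ) = @$c;
    printf "%-28s %s\n", $label, can_do(@args) ? 'allowed' : 'denied';
}
```

fred gets security_edit through root's inheritance from sysadmin but has no permission granting "delete", so that check fails closed; for jo the lower-numbered deny entry is tested before food_recipes, so deleting under the archive path is refused while reading it is still allowed.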
10. Authorisation Types / 2
The user-role assignment may be inherent in the
authorisation system, or might be read externally,
say from an ADS server via LDAP
The object matching might involve callouts to
more sophisticated checking code plugins that
query other systems
Authorisation is usually applied at application
level to check actions
It can also be applied at database level to filter all
access to data the user is allowed to see, either by
a database view or by using a relational database
object wrapper layer to provide an additional
safety net, e.g.
DBIx::Class::Schema::RestrictWithObject
11. Article On Simple Authorisation
"Elements of Access Control" at perl.com by
Vladi Belperchinov-Shabanski, Feb 13 2008
http://www.perl.com/pub/a/2008/02/13/elements-of-acce
Some nice examples of reading users and groups
from file or database
Policy configuration syntax
Policy parser
User group storage and mapping
User group loading
Policy match function
Data fences
I won't go through it now but worth reading on-line
12. Simple Authorisation in Catalyst
user <-many--many-> role
role has meaning in your application code
Catalyst::Plugin::Authorization::Roles
use Catalyst qw/
Authentication
Authentication::Store::ThatSupportsRoles
Authorization::Roles
/;
sub delete : Local {
my ( $self, $c ) = @_;
$c->assert_user_roles( qw/admin/ );
# only admins can delete
$c->model("Foo")->delete_it();
}
13. CPAN Lattice-Based Access
Control Example
WE::Util::Permissions
Uses a single file of permission rules queried via
a Perl interface
User or group matches rules which link
operations to matched objects
In the terminology of the author, operations are
"processes", objects are "pages"
Part of a wider web file editing framework
I wrote a very similar authorisation handler in C
for the Open University many years ago although
Perl's obviously much better at tokenising text
files and handling data!
14. WE::Utils::Permissions File Format
Based on these tokens
– user list of users
– group list of groups
– process operation like "delete"
– page file path or regexp or glob
15. WE::U::P File Examples / 1
Use globbing for matching and allow the "admin" group
to have rights for all processes. There is no page
restriction, so the rights are valid for all objects
! match: glob
group admin
process *
The chiefeditors have rights for the processes "release",
"publish" and "edit". Here too, there are no page
restrictions
group chiefeditor
process release publish edit
16. WE::U::P File Examples / 2
The members of the group "news" are allowed to do the
following operations in all objects below "/News/": "edit",
"change-folder", "new-doc", "rm-doc", "release" and
"publish". A regular expression match is used here (there
is no "! match" directive).
! match: regexp
group news
page /News/.*
process edit change-folder new-doc rm-doc release publish
At end of file this rule denies anything not already
permitted, similarly to Apache "DENY from all" directive
or /etc/hosts.deny "ALL: ALL"
! match: glob
group *
process !*
17. WE::U::P Querying
use WE::Util::Permissions;
my $perm = WE::Util::Permissions->new(-file => $permissionsfile);
$perm->is_allowed(-user => "some_user", -process => "access");
$perm->is_allowed(-group => [qw( editor admin )],
                  -process => "delete", -page => 'a/b/foo.html');
# get subset of users from list provided who are
# allowed process (operation) 'publish' on page
# (object) '/home/index.txt'
$perm->get_all_users([qw( janet john )], 'publish', '/home/index.txt');
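A parser and evaluator for the rule-file format shown on the two "File Examples" slides, queried the way the slide above queries WE::Util::Permissions. This is an added Perl example, not the module's own code: the function names (parse_rules, is_allowed), the first-matching-rule semantics and the treatment of a '!' prefix as negation are assumptions modelled on the slide text, and the rule file is constructed from the slide examples.

```perl
#!/usr/bin/env perl
# Added example: a small parser and evaluator for the rule-file format shown
# on the slides. Not the code of WE::Util::Permissions; function names and the
# first-matching-rule semantics are assumptions.
use strict;
use warnings;

# Constructed rule file, assembled from the slide examples.
my $RULES = <<'END';
! match: glob
group admin
process *

group chiefeditor
process release publish edit

! match: regexp
group news
page /News/.*
process edit change-folder new-doc rm-doc release publish

! match: glob
group *
process !*
END

# Parse into an ordered list of rules. A blank line or a "! match:" directive
# ends the current rule; the directive sets the match mode for the rules that
# follow. Unlike the caveat quoted on the next slide, an unknown token dies
# here instead of being silently ignored.
sub parse_rules {
    my ($text) = @_;
    my ( @rules, $cur );
    my $mode = 'glob';
    for my $line ( split /\n/, $text ) {
        $line =~ s/^\s+|\s+$//g;
        if ( $line =~ /^!\s*match:\s*(glob|regexp)$/ ) {
            push @rules, $cur if $cur;
            undef $cur;
            $mode = $1;
            next;
        }
        if ( $line eq '' ) {
            push @rules, $cur if $cur;
            undef $cur;
            next;
        }
        my ( $tok, @vals ) = split ' ', $line;
        die "unknown token '$tok'\n" unless $tok =~ /^(?:user|group|process|page)$/;
        $cur ||= { match => $mode };
        push @{ $cur->{$tok} }, @vals;
    }
    push @rules, $cur if $cur;
    return \@rules;
}

# Does one rule token match one value, under the rule's match mode?
sub token_matches {
    my ( $mode, $token, $value ) = @_;
    return $value =~ /^$token$/ ? 1 : 0 if $mode eq 'regexp';
    my $re = quotemeta $token;    # glob: only '*' and '?' are special
    $re =~ s/\\\*/.*/g;
    $re =~ s/\\\?/./g;
    return $value =~ /^$re$/ ? 1 : 0;
}

sub any_match {
    my ( $mode, $tokens, $values ) = @_;
    for my $t (@$tokens) {
        for my $v (@$values) { return 1 if token_matches( $mode, $t, $v ) }
    }
    return 0;
}

# is_allowed($rules, user => 'x', group => [...], process => 'op', page => '/p')
# The first rule whose subject, page (if the rule has one) and process all
# match decides; a process token prefixed with '!' denies. With no matching
# rule the answer is "denied".
sub is_allowed {
    my ( $rules, %q ) = @_;
    my @users  = defined $q{user} ? ( $q{user} ) : ();
    my @groups = ref $q{group} ? @{ $q{group} } : defined $q{group} ? ( $q{group} ) : ();
    for my $r (@$rules) {
        my $m = $r->{match};
        next unless any_match( $m, $r->{user}  || [], \@users )
                 || any_match( $m, $r->{group} || [], \@groups );
        if ( $r->{page} ) {
            next unless defined $q{page} && any_match( $m, $r->{page}, [ $q{page} ] );
        }
        for my $raw ( @{ $r->{process} || [] } ) {
            ( my $tok = $raw ) =~ s/^!//;
            my $deny = $raw =~ /^!/ ? 1 : 0;
            return $deny ? 0 : 1 if token_matches( $m, $tok, $q{process} );
        }
    }
    return 0;
}

my $rules = parse_rules($RULES);
for my $q (
    [ 'admin may delete anything',       group => ['admin'],       process => 'delete' ],
    [ 'chiefeditor may publish',         group => ['chiefeditor'], process => 'publish' ],
    [ 'chiefeditor may not delete',      group => ['chiefeditor'], process => 'delete' ],
    [ 'news may edit under /News/',      group => ['news'],        process => 'edit', page => '/News/today.html' ],
    [ 'news may not edit under /Sport/', group => ['news'],        process => 'edit', page => '/Sport/today.html' ],
) {
    my ( $label, %args ) = @$q;
    printf "%-34s %s\n", $label, is_allowed( $rules, %args ) ? 'allowed' : 'denied';
}
```

Because only rule order provides precedence, the final "group * / process !*" rule must stay last: the chiefeditor "delete" query falls through its own rule (no process token matches) and is caught by that catch-all deny, which is exactly the "denies anything not already permitted" behaviour the slide describes.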
18. WE::U::P Caveats
You have to provide user and group handling
("The semantics of users, groups, processes and
pages are usually defined in another layer")
No admin interface to create rules
"There is currently no way to specify a token
with spaces or slashes."
"Diagnostics is poor. Unrecognized tokens won't
cause errors or warnings."
No precedence other than rule order (e.g. how do
I deny a tree except for a sub-tree which is
allowed).
No plugin methods matching/precedence
caclulation.
But you could use the ideas and code as a basis
for your own authorisation library.Have a look at
the code on CPAN.
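A small evaluator for a rule file in the style of slides 15 and 16, added here as an illustration of the last caveat (this is not the WE::Util::Permissions code; the rules are constructed, and how rules are delimited, the default regexp mode and the "!" deny prefix are assumptions of this example). With rule order as the only precedence, the more specific rule (here the denied "/News/Archive/" sub-tree) has to come before the broader allow, and the catch-all deny last.

```perl
use strict;
use warnings;
my $rules_text = <<'END';
! match: glob
group news
page /News/Archive/*
process !*
group news
page /News/*
process edit new-doc rm-doc release publish
group *
process !*
END
# Assumed semantics: a rule ends when a token type repeats or a "! match:" directive
# (which sets the page-matching mode for the rules after it) appears; order is kept.
sub parse_rules {
    my ($text) = @_; my (@rules, %cur); my $mode = 'regexp';
    my $flush = sub { push @rules, { %cur, mode => $mode } if %cur; %cur = () };
    for my $line (split /\n/, $text) {
        if ($line =~ /^!\s*match:\s*(\w+)/) { $flush->(); $mode = $1; next }
        my ($key, @vals) = split ' ', $line or next;   # skip blank lines
        $flush->() if $cur{$key};                      # repeated token type starts a new rule
        $cur{$key} = \@vals;
    }
    $flush->();
    return \@rules;
}
sub glob_to_re { my $g = quotemeta shift; $g =~ s/\\\*/.*/g; $g =~ s/\\\?/./g; return qr/^$g$/ }
# First matching rule decides: 1 = allow, 0 = deny ("!" prefix on a process token), undef = no rule.
sub is_allowed {
    my ($rules, %q) = (shift, group => '', page => '', @_);
    for my $r (@$rules) {
        next if $r->{group} && !grep { $_ eq '*' || $_ eq $q{group} } @{ $r->{group} };
        if (my $pat = $r->{page} && $r->{page}[0]) {
            next unless $q{page} =~ ($r->{mode} eq 'glob' ? glob_to_re($pat) : qr/^(?:$pat)$/);
        }
        for my $p (@{ $r->{process} || [] }) {
            (my $name = $p) =~ s/^!//;
            return $p =~ /^!/ ? 0 : 1 if $name eq '*' || $name eq $q{process};
        }
    }
    return;
}
my $rules = parse_rules($rules_text);
for (['news', 'publish', '/News/today.txt'], ['news', 'publish', '/News/Archive/old.txt'],
     ['news', 'delete', '/News/today.txt'], ['news', 'publish', '/Sport/x.txt']) {
    my $res = is_allowed($rules, group => $_->[0], process => $_->[1], page => $_->[2]);
    printf "%-6s %-8s %-24s %s\n", @$_, $res ? 'allow' : 'deny';   # allow, deny, deny, deny
}
```

Swapping the first two rules makes the archive deny unreachable for "publish", which is exactly the ordering problem the caveat describes.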
19. Role Based Access Control
This is an evolving area and it is surprising how recently the standards for it have been written (2001 on).
– NIST "Role Based Access Control (RBAC) and Role Ba
– "The NIST Model for Role-Based Access Control: Toward a Unified Standard"
– "Proposed NIST Standard for Role-Based Access Control", ACM Transactions on Information and System Security, D.F. Ferraiolo et al.
– "Beyond Roles: A Practical Approach to Enterprise Use
20. Emerging Standards and Implementations
An evolving area. Surprising how recently the standards for it have been written (2001 on).
XACML
– http://en.wikipedia.org/wiki/XACML
– "OASIS eXtensible Access Control Markup Language (XACML) TC"
– "Core and hierarchical role based access control (RBAC
Sun's XACML open source implementation in Java
– http://sunxacml.sourceforge.net
Axis2 web service for Apache Maven
– http://xacmllight.sourceforge.net/
C/Java providing SOAP stack
Still a moving target!
21. Existing Security Implementations / 1
Windows ADS
– Using an LDAP connector to authenticate users and determine group memberships and permissions, such as Perl-LDAP http://ldap.perl.org/
– Requires application-side logic to interpret permissions
OpenLDAP
– "LDAP for Security, Part I" http://www.linuxjournal.com/article/6789
– Paranoid Penguin "Authenticate with LDAP, Part III" http://www.linuxjournal.com/article/6936
22. Existing Security Implementations / 2
PERMIS Privilege Management Infrastructure
– Enterprise-wide, huge, complex
– http://sec.cs.kent.ac.uk/permis/
– http://www.openpermis.org/download.htm
– PERMIS PMI Architecture "Implementing Role Based Access Controls Using X.509 Attribute Certificates"
– "RBAC Policies in XML for X.509 Based Privilege Management"
23. Existing Security Implementations / 3
Shibboleth
– A standards-based, open source software package for web single sign-on across or within organizational boundaries that can work with PERMIS
– http://shibboleth.internet2.edu/
Distributed Access Control System (DACS)
– http://dacs.dss.ca/faq.html
– Written in C, well-designed, modular
– Provides authentication and authorisation
– Doesn't work on Apache 1, which the BBC uses in production :-(
24. Existing Security Implementations / 4
"A Role-Based Access Control (RBAC) system for PHP" by Tony Marston
– http://www.tonymarston.net/php-mysql/role-based-access-control.html
– Small, well-designed, good for standalone applications
"Fine-Grained Role Based Access Control (RBAC) system" for PHP
– Reasonable database design and PHP code
POSIX ACL – ACLs from Python
– http://pylibacl.sourceforge.net/
Linux kernel extension "grsecurity"
– http://www.grsecurity.net/index.php
– Unix-based kernel-level RBAC, really aimed at Unix files and users
25. Perl Implementations of RBAC
I know of no solutions in Perl, although there are libraries for Python, Ruby and Java. In principle you could wrap one of them.
We needed one at the BBC so I wrote one called IFL::Authz and hope to release it to CPAN.
Based on Ferraiolo et al., "Proposed NIST Standard for Role-Based Access Control".
This paper has a functional specification of an API written in the Z formal language which I adapted to Perl. Z is a nice match for the mathematical set theory underlying RBAC, though there are some errors in the paper.
26. RBAC Model
From Ferraiolo
http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf
27. RBAC Model Detail
When defining an RBAC model, the following conventions are useful:
– S = Subject = A person or automated agent
– R = Role = Job function or title which defines an authority level
– P = Permissions = An approval of a mode of access to a resource
– SE = Session = A mapping involving S, R and/or P
– SA = Subject Assignment
– PA = Permission Assignment
– RH = Partially ordered role Hierarchy. RH can also be written: ≥
A subject can have multiple roles. A role can have multiple subjects. A role can have many permissions. A permission can be assigned to many roles.
A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles, thus it can be used to achieve appropriate segregation of duties. For example, the same person should not be allowed to both create a login account for someone and also be allowed to authorize the procedure.
A subject may have multiple simultaneous sessions with different permissions.
28. RBAC Example
Subject = user "joe"
Role = "editor"
Operation = "publish"
However, at the BBC we're using it to handle sophisticated authorisation for a CMS system which requires ACLs, so we need object matching too.
From the Wikipedia article on RBAC:
– "With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control (LBAC). Thus RBAC can be considered a superset of LBAC."
I.e. RBAC + ACLs = LBAC
To do this I extended the concept of permission to include within it a reference to an object, or matches against objects using regexps, globs or plugin methods:
Object = "/home/recipes/*"
29. Code Examples - Create Authz / 1
use IFL::Authz;
use IFL::Authz::Config::PerlFile;

# load config
my $authzconfig = IFL::Authz::Config::PerlFile->new({ configfilepath => "authz.xpl" });
# authz.xpl contains
#   store => {
#       class         => 'IFL::Authz::Serialiser::PerlFile',
#       storefilepath => 'authz_schema.xpl',
#   },
#   objectmatch => { class => 'TestAdminAuthz' },
# relies on plugin TestAdminAuthz.pm which gives
# match_object() that understands rings of power
30. Code Examples - Create Authz / 2
# create authz object
my $authz = IFL::Authz->new({ config => $authzconfig });

$authz->begin_transaction;
$authz->add_object_type({ name => 'ring', ops => ['wear', 'destroy'], precedence => 1 });
$authz->add_user({ user     => 'unittest',
                   metadata => { name => 'Ms. Unity Test', country => 'UK' } });
$authz->add_role({ role => 'tester', description => 'Tester Role' });
$authz->grant_permission({ role        => 'tester',
                           description => 'access rings',
                           operations  => [qw( access read )],
                           allow_deny  => 'allow',
                           object      => { type => 'ring', precedence => 'DEFAULT', id => {} } });
31. Code Examples - Create Authz / 3
$authz->add_role({ role => 'ring_bearer', description => 'Ring Bearer Role' });
$authz->grant_permission({ role        => 'ring_bearer',
                           description => 'wear rings',
                           operations  => [qw( wear )],
                           allow_deny  => 'allow',
                           object      => { type => 'ring', precedence => 'DEFAULT', id => {} } });
# ring_bearer (descendant) inherits the permissions of tester (ascendant)
$authz->add_inheritance({ role_asc => 'tester', role_desc => 'ring_bearer' });
$authz->assign_user({ user => 'unittest', role => 'ring_bearer' });
$authz->end_transaction;
$authz->save;
32. Code Examples - Query Authz / 1
my $session = $authz->create_session({ user => 'unittest', active_roles => [qw( ring_bearer )] });

# user unittest ops access on object_type ring from indirect role tester
# inherited by assigned role ring_bearer
die unless $authz->check_access({ session => $session, operation => 'access',
                                  object => { type => 'ring' } });

# user unittest ops wear on object_type ring from assigned role ring_bearer
die unless $authz->check_access({ session => $session, operation => 'wear',
                                  object => { type => 'ring' } });
33. Code Examples - Query Authz / 2
# not able to destroy 'a pretty ring'
die if $authz->check_access({ session => $session, operation => 'destroy',
                              object => { type => 'ring', id => { name => 'a pretty ring' } } });

# but we can destroy 'the one ring'
die unless $authz->check_access({ session => $session, operation => 'destroy',
                                  object => { type => 'ring', id => { name => 'the one ring' } } });
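The model of slide 27 and the behaviour the IFL::Authz calls on slides 29 to 33 exercise, written out as a stand-alone Perl example added here (it is not IFL::Authz, which is unreleased; the users, roles, permissions and the separation-of-duty pair are constructed): subject and permission assignment, a role hierarchy, sessions with active roles, object matching by glob as on slide 28, and a static separation-of-duty constraint that refuses the create/authorize combination slide 27 describes.

```perl
use strict;
use warnings;
# Constructed RBAC state in the notation of slide 27: UA (subject assignment),
# PA (permission assignment: operation + object glob), RH (senior role => junior roles)
# and SSD (static separation of duty: role pairs one subject may not hold together).
my %UA = ( alice => ['editor'], bob => ['account_creator'] );
my %PA = ( reader             => [ ['read',      '/home/recipes/*'] ],
           editor             => [ ['publish',   '/home/recipes/*'] ],
           account_creator    => [ ['create',    'account'] ],
           account_authoriser => [ ['authorize', 'account'] ] );
my %RH  = ( editor => ['reader'] );                        # editor >= reader
my @SSD = ( ['account_creator', 'account_authoriser'] );
# The given roles plus every junior role reachable through RH.
sub authorized_roles {
    my (@queue, %seen) = @_;
    while (defined(my $r = shift @queue)) { push @queue, @{ $RH{$r} || [] } unless $seen{$r}++ }
    return keys %seen;
}
# Subject assignment is refused when the user would end up holding both roles of an SSD pair.
sub assign_user {
    my ($user, $role) = @_;
    my %has = map { $_ => 1 } authorized_roles(@{ $UA{$user} || [] }, $role);
    for (@SSD) { die "SSD violation: $user would hold @$_\n" if $has{ $_->[0] } && $has{ $_->[1] } }
    push @{ $UA{$user} }, $role;
    return 1;
}
# A session activates a subset of the user's assigned roles.
sub create_session {
    my ($user, @active) = @_;
    my %assigned = map { $_ => 1 } @{ $UA{$user} || [] };
    $assigned{$_} or die "$user is not assigned role $_\n" for @active;
    return { user => $user, active => \@active };
}
sub glob_to_re { my $g = quotemeta shift; $g =~ s/\\\*/.*/g; return qr/^$g$/ }
# Access is granted when some active role, or a junior it inherits from, holds a
# permission for the operation whose object pattern matches the object.
sub check_access {
    my ($session, $op, $object) = @_;
    for my $role (authorized_roles(@{ $session->{active} })) {
        for my $perm (@{ $PA{$role} || [] }) {
            return 1 if $perm->[0] eq $op && $object =~ glob_to_re($perm->[1]);
        }
    }
    return 0;
}
my $s = create_session('alice', 'editor');
print "alice read via inherited reader: ", check_access($s, 'read', '/home/recipes/pie.txt'), "\n";  # 1
print "alice publish outside recipes:   ", check_access($s, 'publish', '/home/news/x.txt'), "\n";    # 0
eval { assign_user('bob', 'account_authoriser') }; print $@;   # SSD violation: bob would hold ...
```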
34. Summary and Links
Summary
– There's a lot to it, evolving standards
– Choice of library depends on language, platform, whether it's enterprise, any special requirements
– Authentication and Authorisation
– At the simplest, use roles
– Then look at a lattice
– More complex may require RBAC
Links
– Slides at http://miltonkeynes.pm.org
– Sandhu, R., Ferraiolo, D.F. and Kuhn, D.R. (July 2000). "The NIST Model for Role Based Access Control: Toward a Unified Standard" (PDF). 5th ACM Workshop on Role-Based Access Control: 47-63.
Thank you. Any Questions?