28/10/2008
Role Based Access Control
9
Authorisation Types / 1
• simple
• authenticated user has full access to the system
• authenticated user has roles, each of which grants full access to a sub-system, either a process ('can register new users') or data ('can amend customer records')
  – the role acts effectively as a grouping mechanism
• Lattice-Based Access Control (LBAC)
  – subjects (users) and objects (resources, computers, applications) are assigned security labels ordered in a lattice; access is decided by comparing the subject's label with the object's, not by per-user lists
• Role-Based Access Control (RBAC)
  – users have hierarchical roles; roles have permissions; permissions grant operations
  e.g. user "fred" has role "sysadmin", which has permission "security_edit", which grants operations "read" and "write" on security objects
  alternatively user "fred" might have role "root", which inherits those permissions from role "sysadmin"
• RBAC with Access Control List extension
  – users have roles which have permissions, each with a precedence, that grant operations on matched objects
  e.g. user "jo" has role "editor", which has permission "food_recipes", which grants operations "read", "write" and "delete" on objects "of type 'document' with file path matching '/home/recipes/*'"
• enterprise framework, e.g. PERMIS storing permissions in OpenLDAP and authenticating against Windows ADS, BBC SSO or Shibboleth
• complex
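The RBAC and RBAC-with-ACL bullets above describe a chain user -> role (with inheritance) -> permission -> operations on matched objects. The following is an added example, not code from the slides or from PERMIS, that implements that chain and wires up the slide's two users ("fred" via "root" inheriting "sysadmin"; "jo" as "editor" on documents under /home/recipes/*). The allow/deny flag, the "highest precedence wins, deny wins a tie" rule, the default-deny behaviour and the extra "recipes_private_lock" rule are assumptions added here to show what the precedence on the ACL extension is for; the slide itself only names grants.

```python
"""Minimal RBAC engine with role inheritance and an ACL-style object-matching
extension.  Added example; not code from the original slides."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Obj:
    """A protected object: a type ('document', 'security', ...) and a path."""
    type: str
    path: str


@dataclass(frozen=True)
class Permission:
    """Grants (or, with allow=False, denies) operations on objects whose type and
    path match.  precedence resolves overlapping matches.  allow/deny and the
    tie-break rule are assumptions made for this example."""
    name: str
    operations: FrozenSet[str]
    obj_type: Optional[str] = None   # None = any object type
    path_glob: str = "*"             # fnmatch pattern; note '*' also crosses '/'
    precedence: int = 0
    allow: bool = True

    def matches(self, op: str, obj: Obj) -> bool:
        return (op in self.operations
                and (self.obj_type is None or self.obj_type == obj.type)
                and fnmatchcase(obj.path, self.path_glob))


class RBAC:
    def __init__(self) -> None:
        self.parents: Dict[str, Set[str]] = {}          # role -> roles it inherits from
        self.role_perms: Dict[str, List[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def add_role(self, role: str, inherits: Iterable[str] = ()) -> None:
        self.parents[role] = set(inherits)
        self.role_perms.setdefault(role, [])

    def grant(self, role: str, perm: Permission) -> None:
        self.role_perms[role].append(perm)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user: str) -> Set[str]:
        """Transitive closure of the user's roles over the inheritance graph."""
        seen: Set[str] = set()
        todo = list(self.user_roles.get(user, ()))
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents.get(r, ()))
        return seen

    def check(self, user: str, op: str, obj: Obj) -> bool:
        """Default deny: no matching permission -> False.  Among matching
        permissions the highest precedence decides; on a tie, any deny wins."""
        hits = [p for r in self.effective_roles(user)
                for p in self.role_perms.get(r, ()) if p.matches(op, obj)]
        if not hits:
            return False
        top = max(p.precedence for p in hits)
        return all(p.allow for p in hits if p.precedence == top)


def build_demo() -> RBAC:
    """The slide's two users, plus one constructed deny rule for the subtree
    /home/recipes/private/* to exercise precedence."""
    ac = RBAC()
    # RBAC with hierarchy: root inherits sysadmin's security_edit permission
    ac.add_role("sysadmin")
    ac.add_role("root", inherits={"sysadmin"})
    ac.grant("sysadmin", Permission("security_edit", frozenset({"read", "write"}),
                                    obj_type="security"))
    ac.assign("fred", "root")
    # ACL extension: editor may read/write/delete documents under /home/recipes/
    ac.add_role("editor")
    ac.grant("editor", Permission("food_recipes", frozenset({"read", "write", "delete"}),
                                  obj_type="document", path_glob="/home/recipes/*"))
    # constructed for this example: higher-precedence deny on a private subtree
    ac.grant("editor", Permission("recipes_private_lock", frozenset({"write", "delete"}),
                                  obj_type="document", path_glob="/home/recipes/private/*",
                                  precedence=10, allow=False))
    ac.assign("jo", "editor")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.check("fred", "write", Obj("security", "/etc/policy")))              # True via root -> sysadmin
    print(ac.check("jo", "delete", Obj("document", "/home/recipes/soup.txt")))    # True
    print(ac.check("jo", "delete", Obj("document", "/home/recipes/private/x")))   # False, deny outranks grant
```

Two points worth noticing when running it: a user with no matching permission at all is refused (default deny rather than default allow), and the path match is a plain glob, so "/home/recipes/*" also covers nested directories; a real engine would need to decide whether that is the intended semantics.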