Process based access control

Process-Based Access Control. Steve Taylor and Mike Surridge IT Innovation Centre 11/04/05. Security Objectives. Regulate service behaviour resist unacceptable usage e.g. permitting users access to resources only if they have agreed to pay first!


Presentation Transcript



Process-Based Access Control

Steve Taylor and Mike Surridge

IT Innovation Centre

11/04/05



Security Objectives

  • Regulate service behaviour

    • resist unacceptable usage

    • e.g. permitting users access to resources only if they have agreed to pay first!

  • Ensure only the right users can use services

    • resist unauthorised access

  • Ensure services can provide resources

    • resist denial of service



Process-Based Access Control (PBAC)

  • Enforces business processes

  • Authorisation system

    • authentication of user ID performed externally

  • Protects Web Services

  • Access is determined by an authorisation triple:

    • user ID (subject)

    • process context (resource)

    • Web Service operation (action)



PBAC Origins: Comb-e-Chem



Business Process Enforcement

  • Stateful sequences

    • “you must pay before you can use my resource”

  • Contextualised process identifiers

    • “which crystal sample are we talking about?”

  • Authorisation depends on:

    • process state

    • user requesting access

    • requested operation

  • Business logic encoded in Web Service operations

    • all operations consult authorisation store

    • operations may update authorisation store

      • state transitions, new access rights


Example: GRIA Core Services

[Diagram: Client Organisations A and B and Service Provider Organisations X and Y. Boxes labelled Account, Resources, Job Service and Data Service; links labelled trust, open, tender, download, upload, run and transfer.]



Contexts

  • A context references a particular resource at a service provider, e.g.:

    • account number, order number, crystal sample ID, etc.

  • Quoted in communications

    • “your ref”

  • Contexts are hierarchical

    • “parent – child” relationships

    • e.g. an “order” context may be a sub-context of an account context and thus will bill the account
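The "Business Process Enforcement" and "Contexts" slides together, as an added Python sketch that is not code from the presentation or from GRIA: every operation consults a store of (user ID, context, operation) triples and may then update it, and an order sub-context bills its parent account. All class, method and operation names (`AuthorisationStore`, `OrderService`, `open_order`, `pay`, `use_resource`) are hypothetical.

```python
# Added illustration: every class, method and operation name is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Context:
    """A process context, e.g. an account or an order under that account."""
    ref: str
    parent: "Context | None" = None
    charges: list = field(default_factory=list)

    def root(self):
        ctx = self
        while ctx.parent is not None:   # follow parent links up to the account
            ctx = ctx.parent
        return ctx

class AuthorisationStore:
    """Set of authorisation triples: (user ID, context ref, operation)."""
    def __init__(self):
        self.triples = set()
    def grant(self, user, ctx, op):
        self.triples.add((user, ctx.ref, op))
    def revoke(self, user, ctx, op):
        self.triples.discard((user, ctx.ref, op))
    def check(self, user, ctx, op):
        if (user, ctx.ref, op) not in self.triples:
            raise PermissionError(f"{user} may not {op} in context {ctx.ref}")

class OrderService:
    """Each operation consults the store first, then may update it."""
    def __init__(self, store):
        self.store = store
    def open_order(self, user, account, ref):
        self.store.check(user, account, "open_order")
        order = Context(ref, parent=account)
        self.store.grant(user, order, "pay")      # new context: paying is the only right
        return order
    def pay(self, user, order, amount):
        self.store.check(user, order, "pay")
        order.root().charges.append((order.ref, amount))  # sub-context bills the account
        self.store.revoke(user, order, "pay")     # state transition: unpaid -> paid
        self.store.grant(user, order, "use_resource")
    def use_resource(self, user, order):
        self.store.check(user, order, "use_resource")
        return f"resource used under {order.ref}"
```

Calling `use_resource` on a freshly opened order raises `PermissionError`; only `pay` adds the triple that permits it, which is the "you must pay before you can use my resource" sequence.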


Contexts

[Diagram: example context hierarchy with nodes Account 3, Resource Allocation 6, Job 24, Data 22, Data 19, Resource Allocation 7, Job 13 and Data 11.]


Basic Architecture

[Diagram: components labelled Authentication and Authorisation.]



Example Operation



Example Delegation Operation



PBAC Features Summary

  • Highly flexible means of process enforcement

    • based on dynamic authorisation

  • Contextualised

    • hierarchical context relationships

  • Fine grained control of access

  • Supports server-side delegation



PBAC Version 2

  • Developed in Semantic Firewall project

  • Explicit dynamic policy representation

    • simpler API

    • helps protect against service errors

  • More flexible context model

    • not limited to hierarchical “factory” patterns

  • Standardised implementation

    • XACML for policy representation and authorisation API

    • X.509 / SAML for subject tokens



GRIA/GEMSS Business Model



Interaction Protocols

  • Process role

    • specifies a resource user type

    • e.g. “Service Provider” or “Account Manager”

    • real users may be assigned process roles

  • Interaction Protocols

    • link between resource & process role

    • describe resource states, permitted actions and associated state transitions for a process role
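An interaction protocol written out as data, as an added Python sketch that is not taken from the presentation or from GRIA: for each process role, a table maps (resource state, action) to the next state, and a user may act only through a role assigned to them. The role names come from the slide; the states, actions, transitions, user IDs and the `Resource` class are constructed for illustration.

```python
# Added illustration: the states, actions and transitions are constructed for
# this example; only the two role names come from the slide.
PROTOCOLS = {
    "Account Manager": {            # (state, action) -> next state
        ("requested", "cancel"): "closed",
        ("open", "view_statement"): "open",
        ("open", "close"): "closed",
    },
    "Service Provider": {
        ("requested", "approve"): "open",
        ("requested", "reject"): "closed",
        ("open", "suspend"): "suspended",
        ("suspended", "resume"): "open",
    },
}

class Resource:
    """A resource whose access is governed by one protocol per process role."""
    def __init__(self, ref, protocols, state):
        self.ref, self.protocols, self.state = ref, protocols, state
        self.roles = {}                       # user ID -> set of process roles

    def assign(self, user, role):
        if role not in self.protocols:
            raise ValueError(f"no interaction protocol for role {role!r}")
        self.roles.setdefault(user, set()).add(role)

    def permitted(self, user):
        """Actions open to the user in the current state, via any assigned role."""
        return sorted({action for role in self.roles.get(user, ())
                       for (state, action) in self.protocols[role]
                       if state == self.state})

    def invoke(self, user, action):
        """Apply the action if a role of the user permits it in this state."""
        for role in sorted(self.roles.get(user, ())):
            nxt = self.protocols[role].get((self.state, action))
            if nxt is not None:
                self.state = nxt
                return nxt
        raise PermissionError(f"{user} may not {action} {self.ref} while {self.state}")

def demo():
    acct = Resource("account-3", PROTOCOLS, "requested")   # constructed sample
    acct.assign("alice", "Account Manager")
    acct.assign("xavier", "Service Provider")
    return acct
```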



Account Service Deployment IP



Account Management IP



Account Biller IP


Generalised Process Context

[Diagram: generalised context graph with nodes Account 4, Billing Ref 4.43, Resource Allocation 6, Job 24, Data 22, Data 19, Data 11, Account 3, Billing Ref 3.12, Resource Allocation 7, Software Licence 31 and Job 13.]



Conclusion

  • PBAC addresses:

    • authorisation via business process enforcement

  • PBAC 1 is complete:

    • evaluated in GRIA

    • has proved flexible & powerful

  • PBAC 2 now being designed by SFW project

  • PBAC 2 will provide:

    • explicit process-based policies

    • more flexible context model

    • standards-based implementation

