The SHANDS UF PORTAL - PowerPoint PPT Presentation

Presentation Transcript
The SHANDS UF PORTAL

A Practical Approach for Web Portal Security Using Roles, Rules,Directories, and all that Stuff


The Roles Database

What is a roles database?

A roles database is a mechanism used to assign a user access to data or applications.

Access control information for an enterprise should be hosted centrally, and made available to remote applications as needed. (1)

The Roles data model must be based on a robust design to enable extension and customization. (2)

Roles should be thought of as a core service that other applications will use, much like LDAP or DNS. (2)

The UF data model.

[Diagram: the UF data model. Six tables: Users, User Group Role, Group, Role, Group Role Perm, and Permission. A user is linked to a group and a role through the User Group Role table; a permission is linked to a group and a role through the Group Role Perm table.]

A typical implementation: assign a set of permissions to a group and role, and then associate many users with the group and role…

…in other words, who can do what to which data.

Permission-to-group-role relationships tend to be very stable, while user-to-group-role relationships change often.

Permissions, groups, and roles should be centrally administered, because they define organizational security policy.

Associating users with groups and roles should be decentralized: local administrators are familiar with employees and their functions.


The Roles Database

What is a role?

It depends who you talk to. Different dialects express similar concepts.

In our model, a role defines a functional entity, e.g., “a sales manager”.

What is a group?

A group is a logical way of combining and managing roles across a distributed enterprise.

In our model, a group defines an organizational entity, e.g., “east region”.


The Roles Database

Combining groups and roles

A group and a role are combined to provide very granular security across a distributed enterprise. Here are a couple of scenarios.

[Diagram: Group West with Role Manager; Group East with Role Manager.]

A national company might have a regional manager for each of its two divisions…

…each associated with a group defined to have permission to access only its own data…

…while the national sales manager, being associated with both groups, has permission to access both.

The data model supports inheritance…

[Diagram: Group EastWest with Role Manager, above Group West with Role Manager and Group East with Role Manager.]
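The data model and the West/East scenarios above, as an added example that is not part of the original presentation: the six tables as SQLite, loaded with constructed sample data, and one recursive query that answers "who can do what to which data" while following group inheritance. Table and column names, the parent_group_id column used for inheritance, the sample users, and the direction of inheritance (a role held in EastWest also counts in West and East) are assumptions made for this example.

```python
import sqlite3

# Added example, not the Shands/UF portal's own code: the slides' roles data
# model as SQLite tables. Table/column names and sample data are assumptions.
SCHEMA = """
CREATE TABLE portal_user  (user_id TEXT PRIMARY KEY);
CREATE TABLE portal_group (group_id TEXT PRIMARY KEY,
                           parent_group_id TEXT REFERENCES portal_group(group_id));
CREATE TABLE portal_role  (role_id TEXT PRIMARY KEY);
CREATE TABLE permission   (perm_id TEXT PRIMARY KEY);
-- "who": a user holds a role within a group (changes often; local admins)
CREATE TABLE user_group_role (
    user_id  TEXT REFERENCES portal_user(user_id),
    group_id TEXT REFERENCES portal_group(group_id),
    role_id  TEXT REFERENCES portal_role(role_id),
    PRIMARY KEY (user_id, group_id, role_id));
-- "what": a permission granted to a (group, role) pair (stable; central policy)
CREATE TABLE group_role_perm (
    group_id TEXT REFERENCES portal_group(group_id),
    role_id  TEXT REFERENCES portal_role(role_id),
    perm_id  TEXT REFERENCES permission(perm_id),
    PRIMARY KEY (group_id, role_id, perm_id));
"""

# Effective permissions of one user. Inheritance direction is an assumption:
# a role held in a group is also held in that group's descendant groups, so a
# Manager of EastWest is a Manager of West and of East.
EFFECTIVE_PERMS_SQL = """
WITH RECURSIVE held(group_id, role_id) AS (
    SELECT group_id, role_id FROM user_group_role WHERE user_id = ?
    UNION
    SELECT g.group_id, h.role_id
      FROM held h JOIN portal_group g ON g.parent_group_id = h.group_id
)
SELECT DISTINCT grp.perm_id
  FROM held h
  JOIN group_role_perm grp ON grp.group_id = h.group_id AND grp.role_id = h.role_id
 ORDER BY grp.perm_id
"""


def build_db():
    """In-memory database loaded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO portal_user VALUES (?)",
                   [("alice",), ("bob",), ("carol",), ("dave",)])
    db.executemany("INSERT INTO portal_group VALUES (?, ?)",
                   [("EastWest", None), ("West", "EastWest"), ("East", "EastWest")])
    db.execute("INSERT INTO portal_role VALUES ('Manager')")
    db.executemany("INSERT INTO permission VALUES (?)",
                   [("read_west_sales",), ("read_east_sales",), ("read_national_report",)])
    # Central policy: which (group, role) may do what.
    db.executemany("INSERT INTO group_role_perm VALUES (?, ?, ?)", [
        ("West",     "Manager", "read_west_sales"),
        ("East",     "Manager", "read_east_sales"),
        ("EastWest", "Manager", "read_national_report"),
    ])
    # Local administration: which users hold which role in which group.
    db.executemany("INSERT INTO user_group_role VALUES (?, ?, ?)", [
        ("alice", "West",     "Manager"),   # West regional manager
        ("bob",   "East",     "Manager"),   # East regional manager
        ("carol", "West",     "Manager"),   # national sales manager: in both groups
        ("carol", "East",     "Manager"),
        ("dave",  "EastWest", "Manager"),   # manager of the parent group
    ])
    db.commit()
    return db


def effective_permissions(db, user_id):
    """Sorted list of permissions the user holds through any group role."""
    return [row[0] for row in db.execute(EFFECTIVE_PERMS_SQL, (user_id,))]


def can(db, user_id, perm_id):
    """Who can do what: True if perm_id is among the user's effective permissions."""
    return perm_id in effective_permissions(db, user_id)


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_permissions(db, user))
```

Running it shows the two regional managers each seeing only their own division's data, the national manager (two User Group Role rows) seeing both, and the EastWest manager picking up both divisions plus the permission granted only at the parent group. The split between group_role_perm (central, stable) and user_group_role (local, volatile) is the point of the two tables: policy changes are rare and reviewed, membership changes are frequent and delegated.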


The Roles Database

What are rules?

Rules define corporate security policy and should be stored once and shared with other applications. Basically, rules modify permissions.

The Group Role Permissions table stores access control rules.

[Diagram: the Group Role Perm table sits between Group, Role, and Permission.]

Storing rules at the group-role-permission level means that security can be different across groups with the same role…

…Shands at UF doctors will have different permissions and/or different rules than doctors at other Shands hospitals.

Storing rules at the group-role-permission level also means that security will be consistent within the group role…

…the rules and permissions will be the same for all Shands at UF doctors.


The Roles Database

How are rules implemented?

Access control rules are stored in XACML format, an emerging OASIS standard.

It takes data and process together to define and implement a rule, so XACML rules are interpreted by subroutines (objects).

For example: a permission may be associated with multiple groups and roles…

    For each user-group-role held by the user:
        For each group-role-permission that grants the requested permission:
            Call the security object that interprets its rule
            If it answers OK, grant access and stop
    End Loop
    Otherwise deny access

Rules and user/group/role associations are never changed or deleted; they can only expire. Use an effective timestamp and an expire timestamp on each.


The Roles Database

What is a context?

A user is associated with one (or more) User Group Role.

[Diagram: Users, User Group Role, Group, Role.]

A practicing physician might also be an administrator…

…so she is associated with two User Group Roles.

Her portal functions are driven by her user group roles.

If she leaves her administrative position, her administrative security would expire.

Her Administrator context would be unavailable to her; her Care Provider menus, preferences, and permissions would not be affected.
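The rule loop, the effective/expire timestamps, and the physician-who-is-also-an-administrator scenario above, as an added example that is not the portal's own code: user-group-role and group-role-permission rows that are only ever expired, never edited or deleted; rule names that map to security objects; a context list derived from the rows in effect; and an authorization check that loops through the user's group roles and says yes only if a rule object says OK. The rule names (always, attending_only), the "attending" request attribute, the user names, and the second hospital name "Hospital B" are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not the portal's own code. Rule names, the "attending"
# request attribute and the user/hospital names are assumptions.


@dataclass(frozen=True)
class UserGroupRole:
    user: str
    group: str
    role: str
    effective: datetime
    expire: Optional[datetime] = None       # None: has not expired


@dataclass(frozen=True)
class GroupRolePerm:
    group: str
    role: str
    perm: str
    rule: str                               # name of the security object
    effective: datetime
    expire: Optional[datetime] = None


def in_effect(row, at: datetime) -> bool:
    """Rows are never edited or deleted; a row counts only inside its window."""
    return row.effective <= at and (row.expire is None or at < row.expire)


# Security objects: each interprets one rule against the access request.
Request = Dict[str, object]
RULES: Dict[str, Callable[[Request], bool]] = {
    "always": lambda req: True,
    # a care provider may act only on patients for whom they are the attending
    "attending_only": lambda req: req.get("attending") == req["user"],
}


def contexts(user: str, at: datetime, ugrs: List[UserGroupRole]) -> List[Tuple[str, str]]:
    """The (group, role) contexts the user can switch to at time `at`."""
    return sorted((r.group, r.role) for r in ugrs if r.user == user and in_effect(r, at))


def authorize(user: str, perm: str, at: datetime, ugrs: List[UserGroupRole],
              grps: List[GroupRolePerm], request: Optional[Request] = None) -> bool:
    """Loop through the user's group roles; yes if any rule object says OK."""
    req: Request = dict(request or {}, user=user, perm=perm, at=at)
    for ugr in ugrs:
        if ugr.user != user or not in_effect(ugr, at):
            continue
        for grp in grps:
            if (grp.group, grp.role, grp.perm) != (ugr.group, ugr.role, perm):
                continue
            if in_effect(grp, at) and RULES[grp.rule](req):
                return True
    return False                            # fail closed


def expire_association(ugrs: List[UserGroupRole], user: str, group: str,
                       role: str, at: datetime) -> List[UserGroupRole]:
    """Expire (never delete) one user-group-role; returns the updated list."""
    return [replace(r, expire=at)
            if (r.user, r.group, r.role) == (user, group, role) and r.expire is None
            else r
            for r in ugrs]


# Constructed sample data.
UGRS = [
    UserGroupRole("jones", "Shands at UF", "Care Provider", datetime(2001, 1, 1)),
    UserGroupRole("jones", "Shands at UF", "Administrator", datetime(2002, 1, 1)),
    UserGroupRole("smith", "Hospital B", "Care Provider", datetime(2001, 1, 1)),
]
GRPS = [
    # same role, different rule in different groups
    GroupRolePerm("Shands at UF", "Care Provider", "view_chart", "attending_only", datetime(2000, 1, 1)),
    GroupRolePerm("Hospital B", "Care Provider", "view_chart", "always", datetime(2000, 1, 1)),
    GroupRolePerm("Shands at UF", "Administrator", "view_budget", "always", datetime(2000, 1, 1)),
]


def demo() -> Dict[str, object]:
    """Dr. Jones leaves the administrator position at the start of 2003."""
    after = expire_association(UGRS, "jones", "Shands at UF", "Administrator", datetime(2003, 1, 1))
    t2002, t2003 = datetime(2002, 6, 1), datetime(2003, 6, 1)
    return {
        "contexts_2002": contexts("jones", t2002, after),
        "contexts_2003": contexts("jones", t2003, after),
        "budget_2002": authorize("jones", "view_budget", t2002, after, GRPS),
        "budget_2003": authorize("jones", "view_budget", t2003, after, GRPS),
        "own_chart_2003": authorize("jones", "view_chart", t2003, after, GRPS, {"attending": "jones"}),
        "other_chart_2003": authorize("jones", "view_chart", t2003, after, GRPS, {"attending": "smith"}),
        "smith_any_chart": authorize("smith", "view_chart", t2003, after, GRPS, {"attending": "jones"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In 2002 Dr. Jones has two contexts and can view the budget; after her Administrator row expires the context disappears and the budget check fails, while her Care Provider permissions are untouched. The two view_chart rows show the same role carrying a different rule in each group. Because rows are expired rather than deleted, an audit question such as "who could view the budget on a given date" is answered by the same in_effect test with a past timestamp.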


The Roles Database

What about profiles?

Profiles allow a user to customize an application to suit their own personal preferences.

Profiles are stored at the User Group Role level…

…as XML, to be easily shared with other applications.

Where are profiles kept?

Since profiles are kept at the user group role level, preferences in one role may be different from preferences in another role.


The directory

The Directory data model.

[Diagram: the Directory data model. Entity (key: uuid) at the center, with the Name, Address, Phone, Identifier, eMail, Access, Relationship, and Extension tables attached to it.]

This is the metadirectory, or canonical source. Ultimately it must be the repository of all entities and feed other applications and LDAP.

A Directory Entity has two subtypes: person and organization…

New subtypes can be created as required.

The Relationship table is one of the more interesting tables. It associates two directory entities…

…person works-for organization is a simple example. Policy must dictate valid relationships.

The Extension table holds a CLOB with additional information in XML or another format, for example:

    <PROFILE>
      <MEDIC>
        <CONTEXT>Administrator</CONTEXT>
      </MEDIC>
    </PROFILE>

The Access table tracks computer accounts.

The rest are fairly standard: address, name, e-mail, etc. All have a one-to-many relationship to Entity and support multiple types.

The directory is populated by batch at this time and is fed from other sources, but we must turn that around quickly.
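The Directory data model above (Entity with subtypes, the Relationship table, the policy that dictates valid relationships, the Access table, and the Extension CLOB), as an added example that is not the portal's own code: the tables as SQLite, with the relationship policy kept in its own table and enforced by a BEFORE INSERT trigger so that an application cannot record a relationship the policy does not allow. Column names, the policy rows, the sample entities, and the "Hospital"-style names are assumptions; the only relationship type taken from the slides is person works-for organization.

```python
import sqlite3

# Added example, not the portal's own code: the Directory data model as
# SQLite tables with the relationship policy enforced by a trigger.
# Column names, policy rows and sample entities are assumptions.
SCHEMA = """
CREATE TABLE entity_type (type_name TEXT PRIMARY KEY);   -- person, organization, ...
CREATE TABLE entity (uuid TEXT PRIMARY KEY,
                     type_name TEXT NOT NULL REFERENCES entity_type(type_name));
CREATE TABLE person       (uuid TEXT PRIMARY KEY REFERENCES entity(uuid),
                           surname TEXT, given_name TEXT);
CREATE TABLE organization (uuid TEXT PRIMARY KEY REFERENCES entity(uuid), org_name TEXT);
-- one-to-many attribute tables, each carrying a type column
CREATE TABLE email     (uuid TEXT REFERENCES entity(uuid), email_type TEXT, address TEXT);
CREATE TABLE access    (uuid TEXT REFERENCES entity(uuid), system_name TEXT, account TEXT);
CREATE TABLE extension (uuid TEXT REFERENCES entity(uuid), fmt TEXT, body TEXT);  -- CLOB
-- policy: which relationship types are valid between which entity subtypes
CREATE TABLE relationship_policy (rel_type TEXT, from_type TEXT, to_type TEXT,
                                  PRIMARY KEY (rel_type, from_type, to_type));
CREATE TABLE relationship (from_uuid TEXT NOT NULL REFERENCES entity(uuid),
                           to_uuid   TEXT NOT NULL REFERENCES entity(uuid),
                           rel_type  TEXT NOT NULL,
                           PRIMARY KEY (from_uuid, to_uuid, rel_type));
-- reject any relationship the policy does not allow
CREATE TRIGGER relationship_policy_check BEFORE INSERT ON relationship
BEGIN
    SELECT RAISE(ABORT, 'relationship violates directory policy')
     WHERE NOT EXISTS (
        SELECT 1
          FROM relationship_policy p
          JOIN entity f ON f.uuid = NEW.from_uuid
          JOIN entity t ON t.uuid = NEW.to_uuid
         WHERE p.rel_type = NEW.rel_type
           AND p.from_type = f.type_name
           AND p.to_type = t.type_name);
END;
"""


def build_directory():
    """In-memory directory loaded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO entity_type VALUES (?)", [("person",), ("organization",)])
    # Policy: a person works-for an organization; nothing else is valid yet.
    db.execute("INSERT INTO relationship_policy VALUES ('works-for', 'person', 'organization')")
    # Constructed sample entities.
    db.execute("INSERT INTO entity VALUES ('u-1', 'person')")
    db.execute("INSERT INTO person VALUES ('u-1', 'Jones', 'Pat')")
    db.execute("INSERT INTO entity VALUES ('u-2', 'organization')")
    db.execute("INSERT INTO organization VALUES ('u-2', 'Shands at UF')")
    db.execute("INSERT INTO email VALUES ('u-1', 'work', 'pjones@example.org')")
    db.execute("INSERT INTO access VALUES ('u-1', 'portal', 'pjones')")
    db.execute("INSERT INTO extension VALUES ('u-1', 'xml', "
               "'<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT></MEDIC></PROFILE>')")
    db.commit()
    return db


def relate(db, from_uuid, to_uuid, rel_type):
    """Insert a relationship; True if the policy allowed it, False if rejected."""
    try:
        with db:
            db.execute("INSERT INTO relationship VALUES (?, ?, ?)",
                       (from_uuid, to_uuid, rel_type))
        return True
    except sqlite3.DatabaseError:          # RAISE(ABORT) and FK failures land here
        return False


def employers_of(db, person_uuid):
    """Organizations the person works-for, via the Relationship table."""
    return [row[0] for row in db.execute(
        "SELECT o.org_name FROM relationship r JOIN organization o ON o.uuid = r.to_uuid "
        "WHERE r.from_uuid = ? AND r.rel_type = 'works-for' ORDER BY o.org_name",
        (person_uuid,))]


def accounts_of(db, uuid):
    """Computer accounts tracked for an entity in the Access table."""
    return [tuple(row) for row in db.execute(
        "SELECT system_name, account FROM access WHERE uuid = ? ORDER BY system_name", (uuid,))]


if __name__ == "__main__":
    db = build_directory()
    print("person works-for organization:", relate(db, "u-1", "u-2", "works-for"))
    print("organization works-for person:", relate(db, "u-2", "u-1", "works-for"))
    print(employers_of(db, "u-1"), accounts_of(db, "u-1"))
```

Adding a new subtype is a row in entity_type plus a subtype table; allowing a new relationship is a row in relationship_policy. Because the trigger consults that table on every insert, the policy lives in one place and applies to every feed into the directory, batch or otherwise, rather than in each application that writes to it.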


A Portal Application

A group role application.

The calendar is a group-role-aware portal application.

Different calendars will show up in different contexts, based upon a user's profile data.

There are many more group-role-aware applications in our portal, including customizable patient lists for doctors.
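The profile slides (profiles stored as XML at the User Group Role level), the Extension example, and the context-driven calendar above, as an added example that is not the portal's own code: profiles keyed by the (user, group, role) triple, parsed from XML, and a lookup that shows only the calendars belonging to the contexts the user currently holds. The <CALENDARS> and <THEME> elements, the sample users, and the calendar names are assumptions; only <PROFILE>, <MEDIC> and <CONTEXT> appear on the Extension slide.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Added example, not the portal's own code. <CALENDARS>/<THEME> and the sample
# users are assumptions; <PROFILE>/<MEDIC>/<CONTEXT> follow the Extension slide.

# Constructed sample profiles, one per (user, group, role), stored as XML text.
PROFILES: Dict[Tuple[str, str, str], str] = {
    ("jones", "Shands at UF", "Care Provider"): """
        <PROFILE>
          <MEDIC><CONTEXT>Care Provider</CONTEXT></MEDIC>
          <CALENDARS><CALENDAR>clinic</CALENDAR><CALENDAR>on-call</CALENDAR></CALENDARS>
          <THEME>compact</THEME>
        </PROFILE>""",
    ("jones", "Shands at UF", "Administrator"): """
        <PROFILE>
          <MEDIC><CONTEXT>Administrator </CONTEXT></MEDIC>
          <CALENDARS><CALENDAR>budget meetings</CALENDAR></CALENDARS>
          <THEME>wide</THEME>
        </PROFILE>""",
}


def load_profile(user: str, group: str, role: str) -> Optional[dict]:
    """Parse the profile of one user-group-role; None if no such context exists."""
    xml_text = PROFILES.get((user, group, role))
    if xml_text is None:
        return None
    root = ET.fromstring(xml_text)
    return {
        "context": (root.findtext("MEDIC/CONTEXT") or "").strip(),
        "calendars": [c.text.strip() for c in root.iterfind("CALENDARS/CALENDAR") if c.text],
        "theme": root.findtext("THEME"),
    }


def calendars_for(user: str, active: List[Tuple[str, str]]) -> List[str]:
    """Calendars the portal shows: those of the (group, role) contexts passed in.

    `active` is the list of the user's unexpired user-group-roles; a context
    that has expired is simply not passed, so its profile is never consulted.
    """
    shown: List[str] = []
    for group, role in active:
        profile = load_profile(user, group, role)
        if profile:
            shown.extend(profile["calendars"])
    return shown


if __name__ == "__main__":
    print(calendars_for("jones", [("Shands at UF", "Care Provider")]))
    print(calendars_for("jones", [("Shands at UF", "Care Provider"), ("Shands at UF", "Administrator")]))
```

The lookup key is the full triple, not the user: the same physician sees the clinic and on-call calendars as a Care Provider and the budget calendar only while she also holds the Administrator context. Profiles are user-supplied data, so treat the XML with the same care as any other untrusted input before parsing it.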


The Shands UF portal

Review

The roles: access control rules

The directory: relationships between entities

Questions?

Thank you!

Sources

  • (1) “The Roles Database at the Massachusetts Institute of Technology”, presentation by Jim Repa at the EDUCAUSE Conference, October 29, 1999. http://www.educause.edu/ir/library/html/edu9942/edu9942.html
  • (2) “Roles”, PowerPoint presentation by Ward Wilson, University of Florida DBA, 2002.
  • (3) OASIS eXtensible Access Control Markup Language (XACML). http://www.oasis-open.org/committees/docs

Acknowledgments

  • Thanks to Michael Lucas for preparing the first draft and providing the design and layout for this presentation.