Controlling Collaborative Systems
Srinivas Krishnan
Dept of Computer Science, UNC-Chapel Hill

Access Control
[Figure labels: Access Control, Collaborative Systems, Shared Resource]

Requirements for Access Control Systems
• The access control operations must be idempotent
• Scalability:
  • Need to support N-users, as well as distributed resources
• Preferred Goals
  • Transparency
  • Ease of Administration

Requirements for Access Control Systems
• Access Control Systems are built in layers
[Figure labels: Audit, Permissions, Notifications]

Access Matrix
• Access specified on a per object basis
• Each user is given certain permissions
• To scale this further Access Control Lists are used
• Systems that use AMs: Grove, RTCAL (central admin provides the permissions to all objects)

ACL and CCL
• Access Control Matrices are linked together to form ACLs for each object
• Capability Lists are the opposite of ACLs, where users maintain which objects they have access to.
[Figure labels: ACL, CCL]

Pros and Cons of ACLs
• Easy to implement and maintain
• Dynamic changing of rights is hard
• Needs knowledge of each user's needs beforehand.
• Not always possible in a collaborative environment
• Also each user/object needs to be explicitly given permissions

Role Based Access Control (Sandhu et al)
• Permissions are assigned to roles
• User authenticates in a 2 step process
[Figure labels: Request, Permissions, Roles, Users, Role, Resources]

RBAC (cont)
• Notion of a session
  • Bound to a single user accessing the resource and the roles he needs
• Needs a policy in place generic enough to accommodate all accesses
• Did not allow for migration of roles within a single session

Spatial Access Control
• Divides collaborative environment into spaces
[Figure labels: Collaborative Environment, Collaborative Environment Space (three times)]

Spatial Access Control
• Uses an access graph to allow for traversal between the various spaces
• Further, we can place constraints on movement from space to space
[Figure labels: Space A, Space B, Space C, User1, User2]

[Figure labels: Professor, Student; Test Setting, Taking the Test, Correction, Results]

Implementation Issues
• The order of updates and notifications matters
• Cannot depend on a global clock to be synchronized
[Figure labels: Give Access to Bob (Op1), Remove Access to Bob (Op2), Permissions]

Solution for Order of Updates
• Most fine-grained locking operations require “Total-Ordering”
[Figure labels: Check Update, Remote Counter > Local, Remote Counter < Local, Adopt Remote Counter, Perform Operation, X]

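The grant/revoke race on Bob (Op1, Op2) can be made order-independent without a synchronized clock. The sketch below is an added example, not code from the slides: it assumes a Lamport-style counter with a site-id tie-break, which may differ from the counter scheme in the slide's figure, and the names `Stamp` and `Replica` are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Stamp:
    counter: int  # logical counter, not wall-clock time
    site: str     # tie-breaker so any two stamps are totally ordered


@dataclass
class Replica:
    site: str
    clock: int = 0
    perms: dict = field(default_factory=dict)  # (user, resource) -> (Stamp, granted)

    def local_op(self, user, resource, granted):
        """Issue a grant (True) or revoke (False) at this site."""
        self.clock += 1
        op = (Stamp(self.clock, self.site), user, resource, granted)
        self.apply(op)
        return op

    def apply(self, op):
        """Apply a local or remote update; stale and duplicate updates are no-ops."""
        stamp, user, resource, granted = op
        self.clock = max(self.clock, stamp.counter)  # adopt the larger counter
        current = self.perms.get((user, resource))
        if current is None or stamp > current[0]:
            self.perms[(user, resource)] = (stamp, granted)

    def allowed(self, user, resource):
        entry = self.perms.get((user, resource))
        return entry is not None and entry[1]


def demo():
    admin, b, c = Replica("admin"), Replica("B"), Replica("C")
    op1 = admin.local_op("bob", "doc", True)    # Op1: give access to Bob
    op2 = admin.local_op("bob", "doc", False)   # Op2: remove access to Bob
    for op in (op1, op2):        # B sees the updates in issue order
        b.apply(op)
    for op in (op2, op1, op1):   # C sees them reordered, with a duplicate
        c.apply(op)
    return b.allowed("bob", "doc"), c.allowed("bob", "doc")


if __name__ == "__main__":
    print(demo())
```

Both replicas end with Bob denied: a delayed or replayed grant carries an older stamp than the revoke, so it cannot restore access that was already removed.
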
Fine-Grained Access Control
• Traditional Modes do not scale too well for N-users needing dynamic rights
• Fast provision of permissions
• Optimistic Locks and Access Control can provide native performance

Optimistic Control
• “Make the user ask forgiveness not permission”
• A similar system exists in UNIX with sudo.
• However, changes are permanent
[Figure labels: Fire in Building, John, Move Resource, Everyday access, Resource, Access Denied]

Optimistic Access Control
• Needs different points of entry
[Figure labels: Audit, Elevated Entry, Normal Entry, Access Control, Resource]

Optimistic Control
[Figure labels: Transaction, New State, Compensating Transaction, Guaranteed Protection, No Protection]

Auditing Optimism
• Integrity Rules must be verified at all times
[Figure labels: Resource, Transaction, Compensation, Verify, Verification Classes, Users]

Simple Optimistic Access Control
[Figure labels: Verify, Auth Modules, Write to File, Transaction Checker, Logger, File, Log]

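The pieces named on the optimistic access control slides (normal and elevated entry, audit log, integrity rules, compensating transaction) fit together as in the following sketch. It is an added example, not code from the presentation: `OptimisticStore`, its method names and the sample data are hypothetical, and the John scenario is constructed from the slide's fire example.

```python
class OptimisticStore:
    """Resource with a normal entry and an elevated, audited entry."""
    def __init__(self, acl, integrity_rule):
        self.acl = acl                        # {user: {"write", ...}}
        self.integrity_rule = integrity_rule  # callable(state) -> bool
        self.data = {}
        self.audit = []                       # append-only log of elevated writes

    def write(self, user, key, value):
        """Normal entry: denied unless the ACL already allows it."""
        if "write" not in self.acl.get(user, set()):
            raise PermissionError(f"{user} may not write {key}")
        self.data[key] = value

    def write_elevated(self, user, key, value, reason):
        """Elevated entry on an existing resource: allowed now, logged, reversible."""
        if not self.integrity_rule({**self.data, key: value}):
            raise ValueError("integrity rule violated, transaction refused")
        self.audit.append({"user": user, "key": key, "old": self.data[key],
                           "new": value, "reason": reason, "status": "pending"})
        self.data[key] = value
        return len(self.audit) - 1            # audit id handed to the reviewer

    def review(self, audit_id, approved):
        """Auditor decision: keep the change or run the compensating transaction."""
        e = self.audit[audit_id]
        if e["status"] != "pending":
            return e["status"]                # already decided, nothing to redo
        if approved:
            e["status"] = "approved"
        elif self.data[e["key"]] != e["new"]:
            e["status"] = "conflict"          # overwritten since; roll back by hand
        else:
            self.data[e["key"]] = e["old"]    # compensating transaction
            e["status"] = "compensated"
        return e["status"]


def demo():
    rule = lambda state: all(v in {"room-1", "outside"} for v in state.values())
    store = OptimisticStore({"admin": {"write"}}, rule)
    store.write("admin", "server", "room-1")
    try:
        store.write("john", "server", "outside")   # everyday access: denied
    except PermissionError:
        pass
    tid = store.write_elevated("john", "server", "outside", "fire in building")
    moved_to = store.data["server"]
    return moved_to, store.review(tid, approved=False), store.data["server"]
```

The `conflict` status covers the case where a later write has replaced the elevated one; blindly restoring the old value there would discard a legitimate change, so the entry is left for manual handling.
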
Case-Study: P2P Collaborative Systems
• MOTION: Provides Access Control in a P2P environment
• No Centralized Access Control
• Scalability:
  • N-Users
  • N-Auth Modules
  • Dynamic Entry & Exit of Users
• Role Based Access Control
  • L1 peer & L2 peer
  • L1 peers protect resources

Summary
• Access Control is essential for maintaining a secure Collaborative Environment
• Access Control can introduce lag and degrade a user’s experience
• Optimistic Access Control algorithms can be used to allow users to experience native performance

References:
• Tolone, W., Ahn, G., Pai, T., and Hong, S. 2005. Access control in collaborative systems. ACM Comput. Surv. 37, 1 (Mar. 2005), 29-41.
• Povey, D. 2000. Optimistic security: a new access control paradigm. In Proceedings of the 1999 Workshop on New Security Paradigms (Caledon Hills, Ontario, Canada, September 22 - 24, 1999). NSPW '99. ACM Press, New York, NY, 40-45.
• Chengzheng Sun, "Optional and Responsive Fine-Grain Locking in Internet-Based Collaborative Systems," IEEE Transactions on Parallel and Distributed Systems, vol. 13, no. 9, pp. 994-1008, September 2002.
• Fenkam, P.; Dustdar, S.; Kirda, E.; Reif, G.; Gall, H., "Towards an access control system for mobile peer-to-peer collaborative environments," Enabling Technologies: Infrastructure for Collaborative Enterprises, 2002. WET ICE 2002. Proceedings. Eleventh IEEE International Workshops on, pp. 95-100, 2002.
• Strom, R.; Banavar, G.; Miller, K.; Prakash, A.; Ward, M., "Concurrency control and view notification algorithms for collaborative replicated objects," Computers, IEEE Transactions on, vol. 47, no. 4, pp. 458-471, Apr 1998.