
A Pragmatic Approach to RBAC


Presentation Transcript


  1. A Pragmatic Approach to RBAC
  Oxford Computer Group: Hugh Simpson-Wells, Dave Nesbitt

  2. What Are Roles?
  • “Organizational” roles – what we do at work
  • “IT” roles – what we are permitted to do on a particular system or application
  • Collections of privileges
  • Users (or groups of users) are assigned to roles and inherit these privileges
  [Diagram: John Smith (person) is assigned the administrator (role), which carries several permissions]

  3. Role-based Access Control
  • Standard access control is per user
  • RBAC means managing access based on a user’s role
  • In AD, group membership is analogous to role membership

  4. Access Control with Group Membership
  [Diagram: access decision flow – “Group access rights?” → Yes → Token]
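The contrast drawn in slides 3 and 4, as an added example that is not part of the presentation: the same resource protected by a per-user ACL and by a role (AD group) ACL, with the logon token carrying a copy of the user's group list. The users, groups, resource name and rights are constructed for the example. The last function shows the caveat a practitioner needs to know about the token box: because group membership is copied into the token at logon, revoking a group in the directory does not change the answer for a token that was already issued, only for the next logon.

```python
from dataclasses import dataclass

# Constructed sample data, assumed for this example (not from the slides).
# A resource with a per-user ACL ...
PER_USER_ACL = {
    "share:sales-reports": {"jsmith": {"read"}, "jblack": {"read", "write"}},
}
# ... and the same resource secured by role (AD group) instead.
ROLE_ACL = {
    "share:sales-reports": {"Sales Assistants": {"read"}, "Sales Managers": {"read", "write"}},
}
# Directory state: each user's group memberships (group membership ~ role membership).
DIRECTORY_GROUPS = {
    "jsmith": {"Sales Assistants"},
    "jblack": {"Sales Assistants", "Sales Managers"},
}


@dataclass(frozen=True)
class Token:
    """Logon token: the group list is copied in at logon and is not updated afterwards."""
    user: str
    groups: frozenset


def logon(user):
    return Token(user, frozenset(DIRECTORY_GROUPS.get(user, ())))


def check_per_user(resource, user, right):
    """Per-user model: the resource ACL must name this user explicitly."""
    return right in PER_USER_ACL.get(resource, {}).get(user, set())


def check_rbac(resource, token, right):
    """Role model: any group in the token whose ACL entry grants the right is enough."""
    entries = ROLE_ACL.get(resource, {})
    return any(right in entries.get(group, set()) for group in token.groups)


def revoke_and_compare(user="jblack", group="Sales Managers", resource="share:sales-reports"):
    """Remove the user from a group in the directory and compare a token issued before
    the change with a fresh logon. Returns (with old token, after re-logon)."""
    old_token = logon(user)
    DIRECTORY_GROUPS[user] = DIRECTORY_GROUPS[user] - {group}
    try:
        with_old_token = check_rbac(resource, old_token, "write")
        after_relogon = check_rbac(resource, logon(user), "write")
    finally:
        DIRECTORY_GROUPS[user] = DIRECTORY_GROUPS[user] | {group}  # restore the sample state
    return with_old_token, after_relogon


if __name__ == "__main__":
    print(check_per_user("share:sales-reports", "jsmith", "write"))   # False
    print(check_rbac("share:sales-reports", logon("jsmith"), "read"))  # True
    print(revoke_and_compare())                                        # (True, False)
```

The per-user check has to be repeated on every resource whenever a person joins or leaves; the role check only needs the directory group changed, which is the whole point of slide 3. The `(True, False)` result is the operational consequence: a revocation is complete only once the affected sessions have been re-established.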

  5. Application Roles
  • Group memberships in AD are application roles if used to manage permissions
  • People will probably have more than one application role
  • They may have no direct relation to a person’s job title
  [Diagram: John Smith, “Sales Assistant”, holds AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2; each application role grants a set of permissions]

  6. Oxford Pragmatic Role Solution
  [Diagram: Enterprise Role → Application Roles → Permissions. Jack Black and John Smith (“Sales Assistant”) hold an enterprise role expressed as cn=sales assistants / ou=sales; it maps to the application roles AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2, each of which grants permissions]

  7. Role-Based Provisioning with MIIS
  • When provisioning using MIIS, our goal is to automatically put users into the right Application Roles
    • Could be a native role (SAP etc)
    • Could be an AD group
    • Could just be some attributes
    • Fine-grained authorization
  • But how?
    • Manually – using an interface
    • Automatically – being driven by data from another source such as HR
    • Pragmatically – a combination of both

  8. Role-Based Provisioning
  [Diagram: HR → Import Employee → MIIS → Export Users → Consumer Systems (AD: cn=group1, cn=group2, Group1). An admin creates the new user in ADAM (Role1, Role2). Question posed: which application roles does this user need?]

  9. Manual Role Assignment
  [Diagram: same flow as slide 8. An Administrator adds the user to an Enterprise role in ADAM (Role1, Role2); the user object is imported to MIIS; MIIS reads the user’s role info and makes provisioning decisions, exporting users to the Consumer Systems (AD: cn=group1, cn=group2, Group1)]

  10. Automatic Role Assignment
  [Diagram: same flow as slide 8. The user object is exported to ADAM and put into an OU that has Enterprise role(s) associated with it, or put into ADAM groups with an Enterprise role associated (Role1, Role2); MIIS reads the user’s role info and makes provisioning decisions, exporting users to the Consumer Systems (AD: cn=group1, cn=group2, Group1)]
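The provisioning decision that slides 7 to 10 describe, as an added example that is not the presenters' MIIS configuration: an enterprise role is derived manually (an administrator-set attribute, here called `enterpriseRoles`, a hypothetical name), from the OU the user object sits in, or from ADAM group membership; the enterprise role maps to application roles (AD groups, SAP roles); and the difference between the application roles the user should hold and those they currently hold on the consumer systems becomes the add/remove list per system. The OU-to-role and group-to-role tables, the role names, the DNs and the two users are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data, assumed for this example (not the presenters' configuration).
# Automatic assignment: enterprise roles implied by the OU a user object sits in ...
OU_ROLES = {"ou=sales": {"Sales Assistant"}}
# ... or by membership of an ADAM group.
GROUP_ROLES = {"cn=sales assistants": {"Sales Assistant"}, "cn=sales managers": {"Sales Manager"}}
# Enterprise role -> application roles (system, role) on the consumer systems.
ENTERPRISE_TO_APP = {
    "Sales Assistant": {("AD", "cn=group1"), ("AD", "cn=group2"), ("SAP", "SAP Role 1")},
    "Sales Manager": {("AD", "cn=group2"), ("SAP", "SAP Role 2")},
}
# Every application role the role model knows how to grant or revoke.
MANAGED_APP_ROLES = set().union(*ENTERPRISE_TO_APP.values())


def first_rdn(dn, attr):
    """Return the first RDN of a DN with the given attribute type, lower-cased (e.g. 'ou=sales')."""
    for rdn in dn.split(","):
        rdn = rdn.strip().lower()
        if rdn.startswith(attr + "="):
            return rdn
    return None


def enterprise_roles(user):
    """Union of manual (administrator-set 'enterpriseRoles', a hypothetical attribute name),
    OU-derived and ADAM-group-derived enterprise roles."""
    roles = set(user.get("enterpriseRoles", ()))
    roles |= OU_ROLES.get(first_rdn(user["dn"], "ou"), set())
    for group_dn in user.get("memberOf", ()):
        roles |= GROUP_ROLES.get(first_rdn(group_dn, "cn"), set())
    return roles


def desired_app_roles(user):
    wanted = set()
    for role in enterprise_roles(user):
        wanted |= ENTERPRISE_TO_APP.get(role, set())
    return wanted


def provisioning_decisions(user, current):
    """current: set of (system, role) the user already holds on the consumer systems.
    Returns ({system: {'add': [...], 'remove': [...]}}, unmanaged). Removals are limited
    to roles the model manages; 'unmanaged' lists held roles the model does not explain,
    which is the input for manual review or role mining rather than silent revocation."""
    wanted = desired_app_roles(user)
    decisions = defaultdict(lambda: {"add": [], "remove": []})
    for system, role in sorted(wanted - current):
        decisions[system]["add"].append(role)
    for system, role in sorted((current - wanted) & MANAGED_APP_ROLES):
        decisions[system]["remove"].append(role)
    unmanaged = sorted(current - MANAGED_APP_ROLES)
    return dict(decisions), unmanaged


# Constructed users: John gets his enterprise role automatically (ou=sales plus an ADAM
# group); Jane's was assigned manually by an administrator.
JOHN = {"dn": "cn=John Smith,ou=sales,dc=example,dc=com",
        "memberOf": ["cn=Sales Assistants,ou=roles,dc=example,dc=com"]}
JOHN_CURRENT = {("AD", "cn=group1"), ("SAP", "SAP Role 2"), ("SAP", "SAP Role 9")}
JANE = {"dn": "cn=Jane Doe,ou=finance,dc=example,dc=com", "enterpriseRoles": ["Sales Manager"]}

if __name__ == "__main__":
    print(enterprise_roles(JOHN))                        # {'Sales Assistant'}
    print(provisioning_decisions(JOHN, JOHN_CURRENT))
    print(provisioning_decisions(JANE, set()))
```

Splitting the output into "remove" and "unmanaged" is the pragmatic part: the sync engine only revokes access the role model granted in the first place, so access that was hand-granted outside the model is surfaced for a person to decide on instead of being removed by an automated run that nobody reviewed.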

  11. Application Role Discovery with MIIS
  [Diagram: Import Group Objects and Import Role Objects from the Consumer Systems into MIIS; create analogs of these roles as appRole objects in ADAM using OUM; import the appRoles to MIIS and join them to the groups/roles; flow changes in role/group memberships out as attribute flow]

  12. Role Mining with MIIS
  • Import users from HR and target systems, including their current roles
  • Join them up
  • Export them to a SQL 2005 instance
  • Analyse the data to see the most common relationships between HR jobTitle and permissions/roles
  • Where there is a significant correlation, make that a de-facto role for that job title
  • Where there isn’t, do it manually
  • Come back in 6 months and check again
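The mining steps of slide 12 carried through on a small constructed data set, as an added example that is not the presenters' code: HR records are joined to AD group and SAP role extracts on employeeID, then for each jobTitle the share of its holders that have each (system, role) is computed; roles at or above a support threshold (0.8 here, an assumed cut-off) become the de-facto role for that title, the rest are listed with their support for manual handling, and a final pass reports access that the de-facto role does not explain, which is the list to look at when the exercise is repeated. The employee IDs, titles, groups and roles are all constructed.

```python
from collections import Counter, defaultdict

# Constructed sample extracts, assumed for this example (not the presenters' data).
HR = [  # (employeeID, jobTitle) from the HR feed
    ("1001", "Sales Assistant"), ("1002", "Sales Assistant"), ("1003", "Sales Assistant"),
    ("1004", "Sales Assistant"), ("1005", "Sales Assistant"),
    ("2001", "Accountant"), ("2002", "Accountant"), ("2003", "Accountant"),
]
AD_GROUPS = [  # (employeeID, group) from the AD target system
    ("1001", "cn=group1"), ("1002", "cn=group1"), ("1003", "cn=group1"),
    ("1004", "cn=group1"), ("1005", "cn=group1"),
    ("1001", "cn=group2"), ("1002", "cn=group2"), ("1003", "cn=group2"), ("1004", "cn=group2"),
    ("2001", "cn=finance"), ("2002", "cn=finance"), ("2003", "cn=finance"),
    ("1005", "cn=finance"),  # a sales assistant in a finance group: not explained by the job
]
SAP_ROLES = [  # (employeeID, role) from the SAP target system
    ("1001", "SAP Role 1"), ("1002", "SAP Role 1"), ("1003", "SAP Role 1"),
    ("1004", "SAP Role 1"), ("1005", "SAP Role 1"),
    ("2001", "SAP Role 3"), ("2003", "SAP Role 3"),
]


def join_users(hr, systems):
    """Join HR records to target-system roles on employeeID (the MIIS join step).
    systems: list of (systemName, rows). Returns [(employeeID, jobTitle, {(system, role), ...})]."""
    held = defaultdict(set)
    for name, rows in systems:
        for emp, role in rows:
            held[emp].add((name, role))
    return [(emp, title, held.get(emp, set())) for emp, title in hr]


def mine_roles(joined, threshold=0.8):
    """For each jobTitle, the share of its holders that have each (system, role).
    Roles at or above the threshold become the de-facto role for the title; the rest
    are returned with their support so they can be handled manually."""
    by_title = defaultdict(list)
    for _emp, title, roles in joined:
        by_title[title].append(roles)
    proposed, weak = {}, {}
    for title, role_sets in by_title.items():
        headcount = len(role_sets)
        support = Counter(r for roles in role_sets for r in roles)
        proposed[title] = {r for r, c in support.items() if c / headcount >= threshold}
        weak[title] = {r: round(c / headcount, 2)
                       for r, c in support.items() if c / headcount < threshold}
    return proposed, weak


def outliers(joined, proposed):
    """Access a user holds that the de-facto role for their job title does not explain:
    the review list for the next round of mining."""
    return {emp: roles - proposed[title]
            for emp, title, roles in joined if roles - proposed[title]}


if __name__ == "__main__":
    joined = join_users(HR, [("AD", AD_GROUPS), ("SAP", SAP_ROLES)])
    proposed, weak = mine_roles(joined)
    for title in proposed:
        print(title, sorted(proposed[title]), weak[title])
    print(outliers(joined, proposed))
```

On the SQL 2005 side the same analysis is a GROUP BY jobTitle, system, role over the joined table, with COUNT(*) divided by the headcount for that title; the threshold is a judgement call, and a low-support role for a small title (two of three accountants here) is exactly the case the slide leaves to manual assignment rather than to the rule.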

  13. Role Mining with MIIS
  [Diagram: HR and the Consumer Systems feed MIIS; MIIS joins the users and projects them into ADAM]

  14. Role Mining with MIIS

  15. Role Mining with MIIS

  16. Oxford Computer Group
  www.oxfordcomputergroup.com
  tel +44 (0)8456 584425
  fax +44 (0)8456 584426
  dave.nesbitt@oxfordcomputergroup.com
  neil.coughlan@oxfordcomputergroup.com
