A Practical Approach for Web Portal Security Using Roles

Post on 05-Jul-2015


A Practical Approach for Web Portal Security Using Roles, Rules, Directories, and all that Stuff

Transcript of A Practical Approach for Web Portal Security Using Roles

The SHANDS UF PORTAL

A Practical Approach for Web Portal Security Using Roles, Rules, Directories, and all that Stuff

The Roles Database

What is a roles database?

A roles database is a mechanism used to assign a user access to data or applications.

Access control information for an enterprise should be hosted centrally, and made available to remote applications as needed. (1)

The Roles data model must be based on a robust design to enable extension and customization. (2)

Roles should be thought of as a core service that other applications will use, much like LDAP or DNS. (2)

[Figure: the UF data model. Tables shown: Users, User Group Role, Group, Role, Permission, Group Role, Group Role Permission.]

A typical implementation: assign a set of permissions to a group and role and then associate many users with the group and role…

…in other words, who can do what to which data.

Permission group role relationships tend to be very stable while user group role relationships change often.

Permissions, groups, and roles should be centrally administered because they define organizational security policy.

Associating users with groups and roles should be de-centralized. Local administrators are familiar with employees and their functions.

What is a role?

It depends who you talk to. Different dialects express similar concepts.

In our model, a role defines a functional entity, e.g., “a sales manager”.

What is a group?

A group is a logical way of combining and managing roles across a distributed enterprise.

In our model, a group defines an organizational entity, e.g., “east region”.

Combining groups and roles

A group and a role are combined to provide very granular security across a distributed enterprise. Here are a couple of scenarios.

A national company might have a regional manager for each of its two divisions (Group West, Role Manager and Group East, Role Manager)…

…each associated with a group defined to have a permission to access only their own data…

…while the national sales manager, being associated with both groups, has permission to access both.

The data model supports inheritance… [Figure: Group East West, Role Manager combining Group West, Role Manager and Group East, Role Manager.]

What are rules?

Rules define corporate security policy and should be stored once and shared with other applications. Basically, rules modify permissions.

The Group Role Permissions table stores access control rules. [Figure: Group, Role, Permission, Group Role and Group Role Permission tables, with Group Role Permission highlighted.]

Storing rules at the group role permission level means that security can be different across groups with the same role...

...Shands at UF doctors will have different permissions and/or different rules than doctors at other Shands hospitals.

Storing rules at the group role permission level also means that security will be consistent within the group role...

…the rules and permissions will be the same for all Shands at UF doctors.

How are rules implemented?

Access control rules are stored in XACML format, an emerging W3C standard.

It takes data and process together to define and implement a rule, so XACML rules are interpreted by subroutines (objects).

For example: A permission may be associated with multiple groups and roles...

Loop through user/group/role
    Call security object
    If OK say yes
End Loop

Rules and User/Group/Role associations never change; they can only expire. Use an effective timestamp and an expire timestamp.

What is a context?

[Figure: Users linked to Group Role through User Group Role.]
A user is associated with one (or more) User Group Role.


A practicing physician might also be an administrator...


…so she is associated with two User Group Roles.

Her portal functions are driven by her user group roles.

Tabs for each context

Menus are driven by Roles

If she leaves her administrative position, her administrative security would expire.

Her Administrator context would be unavailable to her; her Care Provider menus, preferences, and permissions would not be affected.
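The group/role scenarios above (regional managers, the national manager holding both group roles, the loop over user/group/role that calls a security object, effective/expire timestamps, and a physician whose administrator context has expired) can be exercised together in one small program. The following is an added example written for this transcript; it is not code from the Shands UF portal. It keeps the roles data model in an in-memory SQLite database, models "security objects" as Python callables keyed by a rule name, and treats ISO-8601 timestamp strings as the effective/expire columns. Table, column, user and permission names are all assumed for illustration.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

NEVER = "9999-12-31T23:59:59"  # constructed sentinel for an open-ended expire timestamp

# Assumed schema modelled on the slides' Group Role / Group Role Permission /
# User Group Role tables. Rows are never updated, only expired.
SCHEMA = """
CREATE TABLE group_role (
    group_name TEXT NOT NULL, role_name TEXT NOT NULL,
    PRIMARY KEY (group_name, role_name));
CREATE TABLE group_role_permission (
    group_name TEXT NOT NULL, role_name TEXT NOT NULL, permission TEXT NOT NULL,
    rule TEXT,                      -- name of the security object; NULL = unconditional
    effective TEXT NOT NULL, expire TEXT NOT NULL,
    FOREIGN KEY (group_name, role_name) REFERENCES group_role (group_name, role_name));
CREATE TABLE user_group_role (
    user_id TEXT NOT NULL, group_name TEXT NOT NULL, role_name TEXT NOT NULL,
    effective TEXT NOT NULL, expire TEXT NOT NULL,
    FOREIGN KEY (group_name, role_name) REFERENCES group_role (group_name, role_name));
"""

# Security objects: the "process" half of a rule. Each receives the group the
# permission was granted through and the request being checked.
Rule = Callable[[str, Dict[str, str]], bool]
SECURITY_OBJECTS: Dict[str, Rule] = {
    # data may be read only if it belongs to the region the group represents
    "own_region_only": lambda group, req: req.get("region") == group,
}


def build_db() -> sqlite3.Connection:
    """Create an in-memory roles database populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO group_role VALUES (?, ?)", [
        ("West", "Manager"), ("East", "Manager"),
        ("ShandsUF", "CareProvider"), ("ShandsUF", "Administrator"),
    ])
    conn.executemany("INSERT INTO group_role_permission VALUES (?, ?, ?, ?, ?, ?)", [
        ("West", "Manager", "view_sales", "own_region_only", "2000-01-01T00:00:00", NEVER),
        ("East", "Manager", "view_sales", "own_region_only", "2000-01-01T00:00:00", NEVER),
        ("ShandsUF", "CareProvider", "view_chart", None, "2000-01-01T00:00:00", NEVER),
        ("ShandsUF", "Administrator", "edit_schedule", None, "2000-01-01T00:00:00", NEVER),
    ])
    conn.executemany("INSERT INTO user_group_role VALUES (?, ?, ?, ?, ?)", [
        ("west_mgr", "West", "Manager", "2010-01-01T00:00:00", NEVER),
        ("east_mgr", "East", "Manager", "2010-01-01T00:00:00", NEVER),
        # the national manager "inherits" both regions by holding both group roles
        ("national_mgr", "West", "Manager", "2010-01-01T00:00:00", NEVER),
        ("national_mgr", "East", "Manager", "2010-01-01T00:00:00", NEVER),
        # a physician who was also an administrator until 2015-06-30 (expired, not deleted)
        ("dr_smith", "ShandsUF", "CareProvider", "2010-01-01T00:00:00", NEVER),
        ("dr_smith", "ShandsUF", "Administrator", "2012-01-01T00:00:00", "2015-06-30T17:00:00"),
    ])
    return conn


def active_contexts(conn: sqlite3.Connection, user_id: str, now: str) -> List[Tuple[str, str]]:
    """Group roles the user holds at `now`; these drive the portal's context tabs and menus."""
    rows = conn.execute(
        "SELECT group_name, role_name FROM user_group_role "
        "WHERE user_id = ? AND effective <= ? AND ? < expire "
        "ORDER BY group_name, role_name", (user_id, now, now))
    return [tuple(r) for r in rows]


def is_authorized(conn: sqlite3.Connection, user_id: str, permission: str,
                  request: Dict[str, str], now: str) -> bool:
    """The slide's loop: for each user/group/role, call the security object; say yes on the first OK."""
    for group, role in active_contexts(conn, user_id, now):
        rows = conn.execute(
            "SELECT rule FROM group_role_permission "
            "WHERE group_name = ? AND role_name = ? AND permission = ? "
            "AND effective <= ? AND ? < expire", (group, role, permission, now, now))
        for (rule_name,) in rows:
            if rule_name is None or SECURITY_OBJECTS[rule_name](group, request):
                return True
    return False  # deny by default


if __name__ == "__main__":
    db = build_db()
    now = "2015-07-05T12:00:00"
    print(is_authorized(db, "west_mgr", "view_sales", {"region": "East"}, now))      # False
    print(is_authorized(db, "national_mgr", "view_sales", {"region": "East"}, now))  # True
    print(active_contexts(db, "dr_smith", now))  # [('ShandsUF', 'CareProvider')]
```

Two design points carry over from the slides: the permission rows are attached to the group/role pair, so the West and East managers share a rule but not data, and the physician's Administrator row is expired by timestamp rather than deleted, so an audit of who held which context on a given date can still be answered from the same table.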

What about profiles?

Profiles allow a user to customize an application to suit their own personal preferences.


Profiles are stored at the User Group Role level...


…as XML to be easily shared with other applications.

Where are profiles kept?

Since profiles are kept at the user group role level, preferences in one role may be different from preferences in another role.

The directory

The Directory data model

[Figure: Entity (key: uuid) at the centre, linked to Relationship, Phone, eMail, Identifier, Address, Name, Access and Extension.]

This is the meta Directory or the canonical source. Ultimately it must be the repository of all entities and feed other applications and LDAP.

A Directory Entity has two subtypes: person and organization...

New subtypes can be created as required.

The Relationship table is one of the more interesting tables. It associates two directory entities…

...person works-for organization is a simple example. Policy must dictate valid relationships.

The Extension table is a CLOB that holds additional information in XML or another format...

<PROFILE>
    <MEDIC>
        <CONTEXT>Administrator</CONTEXT>
    </MEDIC>
</PROFILE>

The Access table tracks computer accounts.

The rest are fairly standard: address, name, email, etc. All have a one-to-many relationship to Entity and support multiple types.

The directory is populated by batch at this time and is fed from other sources, but we must turn that around quickly.

A Portal Application

A group role application.

The calendar is a group role aware portal application.

Different calendars will show up in different contexts based upon a user’s profile data.
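The profile slides say that preferences are stored per user group role as XML (the PROFILE/MEDIC/CONTEXT fragment shown under the Extension table), and that the calendar application picks its calendars from the profile of the current context. The following added example, not part of the original presentation, shows one way to read such a profile store: a dict keyed by (user, group, role) stands in for the Extension CLOB, and the CALENDAR and THEME elements are assumed extensions of the slide's XML sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed profile store keyed by user group role. In the slides' design this
# XML lives in a CLOB column; a dict stands in for that table here.
PROFILE_STORE: Dict[Tuple[str, str, str], str] = {
    ("dr_smith", "ShandsUF", "CareProvider"): (
        "<PROFILE><MEDIC><CONTEXT>Care Provider</CONTEXT>"
        "<CALENDAR>clinic</CALENDAR><CALENDAR>on-call</CALENDAR>"
        "<THEME>compact</THEME></MEDIC></PROFILE>"
    ),
    ("dr_smith", "ShandsUF", "Administrator"): (
        "<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT>"
        "<CALENDAR>committee</CALENDAR></MEDIC></PROFILE>"
    ),
}

DEFAULT_PROFILE = {"context": None, "calendars": [], "theme": "default"}


def load_profile(user_id: str, group: str, role: str) -> Dict[str, object]:
    """Return the preferences stored for one user group role, or defaults if none exist."""
    xml_text = PROFILE_STORE.get((user_id, group, role))
    if xml_text is None:
        return dict(DEFAULT_PROFILE)
    # Profiles written by the portal itself are parsed with the stdlib parser;
    # profiles imported from an untrusted source would warrant defusedxml instead.
    root = ET.fromstring(xml_text)
    medic = root.find("MEDIC")
    if medic is None:
        return dict(DEFAULT_PROFILE)
    theme = medic.findtext("THEME")
    return {
        "context": medic.findtext("CONTEXT"),
        "calendars": [c.text for c in medic.findall("CALENDAR") if c.text],
        "theme": theme if theme else "default",
    }


def calendars_for_context(user_id: str, group: str, role: str) -> List[str]:
    """The calendar application asks only for the calendars of the user's current context."""
    return load_profile(user_id, group, role)["calendars"]


if __name__ == "__main__":
    print(calendars_for_context("dr_smith", "ShandsUF", "CareProvider"))   # ['clinic', 'on-call']
    print(calendars_for_context("dr_smith", "ShandsUF", "Administrator"))  # ['committee']
```

Because the key includes the group and role, the same physician sees different calendars in the Care Provider and Administrator tabs, and a missing profile row falls back to defaults rather than leaking another context's preferences.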

There are many more group role aware applications in our portal including customizable patient lists for doctors.

The Shands UF portal

Review

The roles: access control rules
The directory: relationships between entities

Questions?

Thank you!

Sources

1. “The Roles Database at the Massachusetts Institute of Technology”, presentation by Jim Repa at EDUCAUSE Conference, October 29, 1999 http://www.educause.edu/ir/library/html/edu9942/edu9942.html

2. “Roles”, PowerPoint presentation by Ward Wilson, University of Florida DBA, 2002.

3. OASIS XML-based Access Control Markup Language (XACML) http://www.oasis-open.org/committees/docs

Acknowledgments

1. Thanks to Michael Lucas for preparing the first draft and providing the design and layout for this presentation