Windows Role-Based Access Control: Longhorn Update
Dave McPherson, Program Manager, Windows Core Security
Agenda
- Role-Based Access Control
- Microsoft RBAC model
- RBAC Futures
- Authorization Manager (AzMan)
- AzMan Longhorn Update
- Demo
- Development Model
- Discussion
Role-Based Access Control
- Limits of object-centric authorization: hard to manage and query; problems in distributed environments
- RBAC moves the focus of management from resources to roles: permissions are managed and queried at the role
- Roles are groups of people that need specific permissions to do specific jobs; they often align with organizational job descriptions and application use cases
Roles vs. Groups
- A group is a collection of related people; applies to security, email groups, friends lists, …
- Roles grant specific permissions: groups with more features (permissions, scope, separation of power, …)
- Role: user assignment of access rights to the specific resources needed to do a job
- Operation: low-level permission in an application
- Task (Permission): group of operations that make sense to administrators
- Scope: collection of resources with a common policy
- Authorization Policy Store: place to store authorization policy
Role-Based Access Control
Diagram labels: Role, Permissions, Users, Resources, Deployment, Design.
RBAC Management
- Policy Store: storage in AD, XML, SQL
- Role: permissions needed to do a job
- Task: work units that make sense to administrators
- Operation: application action that the developer writes dedicated code for
Diagram labels: roles Auditor, Approver, Submitter; tasks Change Approver, Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report, Check Status; operations Database Operation, Web Operation, Directory Operation, Payment System Operation; Policy Store (XML, SQL*).
Policy Store: Role Definitions & Assignments, Scopes (Expense Application)
- Role definitions: Submitter, Auditor, Approver
- Scope: App (Web Expense), role assignments: Submitter: Everyone
- Scope: Dept 01, role assignments: Approver: QueryGroup_D1Mgrs; Auditor: Jane, Lizzy
- Scope: Dept 02, role assignments: Approver: ADGroup_D2Mgrs; Auditor: Jane, Charlie
Organizational RBAC Today
- Use AD groups to populate application-level roles
Diagram: an Employee role (AD group) is propagated through MIIS rules and management agents to the Web Expense application, Supply application and 3rd-party application (via AzMan), to an ACL'ed application and to an RM application.
RBAC Beyond Longhorn
- Access control authoring / provisioning services plus connectors
- Integrates DRM; provides for queries and compliance audits
Diagram: the services feed the Web Expense application, Supply application, 3rd-party application and ACL'ed application.
Authorization Manager (an application RBAC implementation)
- Product: administration interfaces, runtime enforcement, multi-application UI
- Platforms: Windows 2000, Windows XP, Windows Server 2003; managed code via an interop assembly (included on WS03, available for XP and 2K)
Authorization Manager: AzMan v1 Goals and Features
Goals
- Simple authorization that integrates platform features
- RBAC model targeting applications
- Solution for line-of-business web applications
Features
- Simple RBAC model for applications
- Support for managed* or native applications
- BizRules (authorization rules): script to dynamically modify an access decision
- Application Groups: application specific, late-bound, flexible
- Authorization Policy Store: place to store authorization policy (XML/AD/ADAM)
AzMan MMC Common UI
- Multiple applications
- Application Groups at store level (global to the apps in the store)
- Assign store-level groups to application roles
New for Longhorn
- SQL storage support: provide a SQL storage mechanism; a popular request from departmental apps
- Common RBAC queries: improves RBAC management and performance
- Expanded LDAP query support: queries on any DN (not just users)
- Expanded BizRule support: group membership based on rules (ADFS claims, user attributes, etc.)
New for Longhorn (continued)
- UI object picker customization: add support for apps to provide an ADAM object picker
- Enhanced / debugging logging: more debugging API; improve v1 logging support (log more events, easier to use)
Longhorn Improvements
- Simplify the developer experience: role-definition object; simplify BizRule usage
- Performance improvements: optimized interfaces for managed applications; store creation; application initialization
Pending Longhorn Plans
- AD application partition support: support deployment into NDNCs; improved replication control; reduces deployment requirements
- Improved delegation: delegate role assignment capabilities
Role-based Authorization: Demo (Web Expense application)
Diagram: a web browser client submits an expense; the Web Expense server verifies access against authorization policy held in a separate Authorization Policy Store; the action is performed in the server context on behalf of the client, with audits generated at the front and back end; a manager approves the expense.
Development Model: AzMan Application Model (Trusted Subsystem)
Diagram: client request -> application (AzMan) -> response. The server verifies access against authorization policy in a separate Authorization Policy Store; the action is performed in the server context on behalf of the client; audits are generated at the front and back end.
Development Model: Application Development
- Implement operations: methods or functions
- Design tasks: high-level application activities, administrator-friendly
- BizRule scripts: keep 'em simple; callback interface. Example (VBScript; the result defaults to FALSE and is set to TRUE only when the Amnt parameter is below 100):

    AzBizRuleContext.BusinessRuleResult = FALSE
    Amnt = AzBizRuleContext.GetParameter("Amnt")
    If Amnt < 100 Then AzBizRuleContext.BusinessRuleResult = TRUE

- Declare the policy definition via script: operations, tasks (with BizRules), roles. Example (VBScript):

    Set App = AzManStore.CreateApplication("Expense")
    App.Submit                                  ' AzMan objects are persisted with Submit
    Set Op = App.CreateOperation("retrieveForm")
    Op.Submit
    Set Op = App.CreateOperation("queueRequest")
    Op.Submit
    Set Task = App.CreateTask("Submit Expense")
    Task.AddOperation CStr("retrieveForm")      ' group the two operations into one task
    Task.AddOperation CStr("queueRequest")
    Task.Submit
Development Model: Install
Development Model: Runtime (VBScript)

    '------- at application boot --
    Set AzStore = CreateObject("AzRoles.AzAuthorizationStore")   ' store object; not shown on the slide
    AzStore.Initialize 0, "msldap://CN=MyStore,DC=…"              ' policy store URL truncated on the slide
    Set App = AzStore.OpenApplication("Expense")
    '------- at client connect --
    Set Context = App.InitializeClientContextFrom…                ' method name truncated on the slide (the API offers InitializeClientContextFromToken and InitializeClientContextFromName)
    '------- on request --
    Results = Context.AccessCheck("audit", Scope, Operations, Names, Values)   ' one result per operation; 0 means access granted
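As an added illustration that is not part of the slides or AzMan's own code, the following Python models the objects the deck defines (operation, task, role, scope, policy store) and the development-model steps above: implement operations, design tasks, attach a BizRule callback, declare the policy, then run an access check per request that writes an audit record. The class and function names, the EVERYONE group and the sample Dept 01 / Dept 02 policy are constructed for the example; the Amnt < 100 rule mirrors the slide's BizRule.

```python
# Added example (not AzMan's code): an in-memory model of the RBAC objects on
# these slides: operations, tasks, roles, scopes, role assignments, BizRule
# callbacks, and an AccessCheck that writes an audit record per decision.
# All names and the sample Expense policy are constructed to mirror the slides.
from dataclasses import dataclass
from typing import Callable, Optional

EVERYONE = "Everyone"   # constructed well-known group every context belongs to
APP_SCOPE = "App"       # application-level scope; its assignments apply in every scope


@dataclass
class Task:
    name: str
    operations: set
    bizrule: Optional[Callable[[dict], bool]] = None   # callback(params) -> bool


class Application:
    """Owns operations, tasks, roles and scoped role assignments (the policy store content)."""

    def __init__(self, name: str):
        self.name = name
        self.operations: set = set()
        self.tasks: dict = {}          # task name -> Task
        self.roles: dict = {}          # role name -> list of Task
        self.assignments: dict = {}    # scope -> role name -> set of principals
        self.audit_log: list = []

    def create_operation(self, op: str) -> None:
        self.operations.add(op)

    def create_task(self, name: str, ops, bizrule=None) -> Task:
        unknown = set(ops) - self.operations    # a task may only group defined operations
        if unknown:
            raise ValueError(f"undefined operations: {sorted(unknown)}")
        self.tasks[name] = Task(name, set(ops), bizrule)
        return self.tasks[name]

    def create_role(self, name: str, task_names) -> None:
        self.roles[name] = [self.tasks[t] for t in task_names]

    def assign_role(self, scope: str, role: str, principal: str) -> None:
        if role not in self.roles:
            raise KeyError(f"undefined role: {role}")
        self.assignments.setdefault(scope, {}).setdefault(role, set()).add(principal)


class ClientContext:
    """A user plus the groups resolved for them (what the server builds at client connect)."""

    def __init__(self, app: Application, user: str, groups=()):
        self.app = app
        self.principals = {user, EVERYONE, *groups}

    def roles_in_scope(self, scope: str) -> list:
        names = []
        for s in (APP_SCOPE, scope):   # app-level assignments plus the scope's own
            for role, members in self.app.assignments.get(s, {}).items():
                if members & self.principals and role not in names:
                    names.append(role)
        return names

    def access_check(self, audit_label: str, scope: str, operations, params=None) -> dict:
        """One grant/deny per requested operation; every decision is audited."""
        params = params or {}
        result = {}
        for op in operations:
            granted = any(
                op in task.operations and (task.bizrule is None or task.bizrule(params))
                for role in self.roles_in_scope(scope)
                for task in self.app.roles[role]
            )
            result[op] = granted
            verdict = "granted" if granted else "denied"
            self.app.audit_log.append(f"{audit_label}: {op} in scope {scope} -> {verdict}")
        return result


def amnt_under_100(params: dict) -> bool:
    """The slide's BizRule: TRUE only when Amnt is present and below 100 (fails closed)."""
    return "Amnt" in params and params["Amnt"] < 100


def build_expense_policy() -> Application:
    """Constructed policy matching the slides' Dept 01 / Dept 02 example."""
    app = Application("Expense")
    for op in ("retrieveForm", "queueRequest", "approveReport", "readReport"):
        app.create_operation(op)
    app.create_task("Submit Expense", {"retrieveForm", "queueRequest"}, bizrule=amnt_under_100)
    app.create_task("Approve/Reject Report", {"approveReport"})
    app.create_task("Check Status", {"readReport"})
    app.create_role("Submitter", ["Submit Expense"])
    app.create_role("Approver", ["Approve/Reject Report", "Check Status"])
    app.create_role("Auditor", ["Check Status"])
    app.assign_role(APP_SCOPE, "Submitter", EVERYONE)
    app.assign_role("Dept 01", "Approver", "QueryGroup_D1Mgrs")
    app.assign_role("Dept 02", "Approver", "ADGroup_D2Mgrs")
    for auditor in ("Jane", "Lizzy"):
        app.assign_role("Dept 01", "Auditor", auditor)
    for auditor in ("Jane", "Charlie"):
        app.assign_role("Dept 02", "Auditor", auditor)
    return app
```

With `app = build_expense_policy()`, `ClientContext(app, "Bob", groups={"QueryGroup_D1Mgrs"}).access_check("audit", "Dept 01", ["approveReport"])` returns `{"approveReport": True}`, while the same call in scope "Dept 02" is denied because the Approver assignment belongs to one scope; a submitter passing `{"Amnt": 250}` is denied by the BizRule, and a request with no Amnt parameter fails closed instead of defaulting to TRUE. Every decision, granted or denied, lands in `app.audit_log`, which is the front-end audit the trusted-subsystem slide calls for.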
Authorization Manager: Key Benefits
Administrator benefit
- Common application RBAC model: simpler authorization policy; better query support
- Role-based user provisioning: organizational roles > app roles; delegation (AD store)
- Common administration is easy: hides the complexity of operations; defining roles and tasks is rare; maintaining roles and groups is simple
Developer benefits
- Simple and natural role-based development; integrates managed or native apps
- Advanced RBAC features: BizRules, Application Groups
- Platform integration: support for AD attributes and groups; NT access token
- Platform services do the hard work: policy storage, common UI, built-in caching, late-binding support, Windows auditing integration
Leverage the system: don't write your own access control
- Cost: each authorization model is expensive to design, develop, test, maintain and support
- Training: each authorization model must be learned by administrators and PSS
- Security: features like auditing, delegation of administration and accurate group expansion are important to access control
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.