A Pragmatic Approach to RBAC
Oxford Computer Group
Hugh Simpson-Wells, Dave Nesbitt
What Are Roles?
- “Organizational” roles – what we do at work
- “IT” roles – what we are permitted to do on a particular system or application
- Collections of privileges
- Users (or groups of users) are assigned to roles and inherit these privileges
[Diagram: John Smith (person) is assigned to the administrator (role), which carries a set of permissions]
Role-based Access Control
- Standard access control is per user
- RBAC means managing access based on a user’s role
- In AD, group membership is analogous to role membership
Access Control with Group Membership
[Diagram: the user’s token is checked for the group’s access rights (“Group access rights?”); if the group is present in the token the answer is “Yes” and access is granted]
Application Roles
- Group memberships in AD are application roles if used to manage permissions
- People will probably have more than one application role
- They may have no direct relation to a person’s job title
[Diagram: John Smith (“Sales Assistant”) holds the Application Roles AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2, each carrying its own permissions; the Enterprise Role “Sales Assistant” sits above these Application Roles]
Oxford Pragmatic Role Solution
[Diagram: the Enterprise Role “Sales Assistant” maps onto AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2 and their permissions; John Smith and Jack Black receive the Enterprise Role through membership of cn=sales assistants under ou=sales]
Role-Based Provisioning with MIIS
When provisioning using MIIS, our goal is to automatically put users into the right Application Roles:
- Could be a native role (SAP etc.)
- Could be an AD group
- Could just be some attributes
- Fine-grained authorization
But how?
- Manually – using an interface
- Automatically – driven by data from another source such as HR
- Pragmatically – a combination of both
Role-Based Provisioning
[Diagram: HR exports users and MIIS imports the employee records (or an admin creates a new user); MIIS has to answer “Which application roles does this user need?” (Role1, Role2) and then provisions the user into AD groups (Group1) and ADAM groups (cn=group1, cn=group2) and the consumer systems]
Manual Role Assignment
[Diagram: HR exports users and MIIS imports the employee records; an administrator adds the user to an Enterprise role; the user object is imported to MIIS; MIIS reads the user’s role info and makes provisioning decisions, placing the user into Role1 and Role2 and the corresponding groups (Group1, cn=group1, cn=group2) in AD, ADAM and the consumer systems]
Automatic Role Assignment
[Diagram: HR exports users and MIIS imports the employee records; the user object is exported to ADAM and put into an OU that has one or more Enterprise roles associated with it, or put into ADAM groups with an Enterprise role associated; MIIS reads the user’s role info and makes provisioning decisions, placing the user into Role1 and Role2 and the corresponding groups (Group1, cn=group1, cn=group2) in AD and the consumer systems]
Application Role Discovery with MIIS
[Diagram: HR, AD, ADAM, MIIS and the consumer systems, with the following flow]
- Import role objects from the consumer systems and group objects from AD
- Create analogs of these roles as appRole objects in ADAM using OUM
- Import appRoles to MIIS and join them to the groups/roles
- Flow changes in role/group memberships out as attribute flow
Role Mining with MIIS
- Import users from HR and target systems, including their current roles
- Join them up
- Export them to a SQL 2005 instance
- Analyse the data to see the most common relationships between HR jobTitle and permissions/roles
- Where there is a significant correlation, make that a de facto role for that job title
- Where there isn’t, do it manually
- Come back in 6 months and check again
Role Mining with MIIS
[Diagram: users from HR, AD, ADAM and the consumer systems are joined in MIIS and projected as a single user per person]
Role Mining with MIIS

userID | HRJobTitle | ADGroups | System1Roles | System2Roles
12345678 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12356789 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12345690 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app2 | salesasst
13456789 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app3 | salesasst
12121212 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12314141 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
15113212 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12532323 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
21235545 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app2 | salesasst
21312312 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app3 | salesasst
12343242 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
18283838 | Sales Manager | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
18282828 | Sales Manager | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
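The analysis step of the role-mining slide, worked over the table above as an added example (not the deck's or MIIS's code): entitlements held by a large enough share of a job title's users become its de facto role, and whatever a user holds beyond that role is listed for manual review, which is how over-entitled accounts such as the Sales Assistant in the managers group surface. The 0.8 threshold and the source-prefixed entitlement names are assumptions.

```python
"""Role mining over the userID / HRJobTitle / ADGroups / System1Roles / System2Roles
export shown on the slides (added example, not Oxford Computer Group's or MIIS's code).
Rows held by >= THRESHOLD of a job title's users form its de facto role."""
from collections import Counter, defaultdict

THRESHOLD = 0.8  # assumed cut-off for a "significant correlation"
SALES = "cn=sales,ou=groups,dc=corp,dc=com"
MGRS = "cn=managers,ou=groups,dc=corp,dc=com"
# Constructed from the table on the slides: (userID, HRJobTitle, ADGroups, System1Roles, System2Roles)
ROWS = [
    ("12345678", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12356789", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12345690", "Sales Assistant", [SALES], ["app1", "app2"], ["salesasst"]),
    ("13456789", "Sales Assistant", [SALES], ["app1", "app3"], ["salesasst"]),
    ("12121212", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12314141", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("15113212", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12532323", "Sales Assistant", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
    ("21235545", "Sales Assistant", [SALES], ["app1", "app2"], ["salesasst"]),
    ("21312312", "Sales Assistant", [SALES], ["app1", "app3"], ["salesasst"]),
    ("12343242", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("18283838", "Sales Manager", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
    ("18282828", "Sales Manager", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
]

def entitlements(row):
    """Flatten one row into a set of entitlements, prefixed by the system they come from."""
    _, _, groups, sys1, sys2 = row
    return ({"ad:" + g for g in groups} | {"sys1:" + r for r in sys1}
            | {"sys2:" + r for r in sys2})

def mine_roles(rows, threshold=THRESHOLD):
    """Map each HR job title to the entitlements held by at least `threshold` of its users."""
    by_title = defaultdict(list)
    for row in rows:
        by_title[row[1]].append(entitlements(row))
    roles = {}
    for title, sets in by_title.items():
        counts = Counter(e for s in sets for e in s)
        roles[title] = frozenset(e for e, n in counts.items() if n / len(sets) >= threshold)
    return roles

def exceptions(rows, roles):
    """Per user, the entitlements that fall outside the de facto role for their job title."""
    extra = {row[0]: entitlements(row) - roles[row[1]] for row in rows}
    return {uid: e for uid, e in extra.items() if e}

if __name__ == "__main__":
    found = mine_roles(ROWS)
    print({t: sorted(e) for t, e in found.items()}, exceptions(ROWS, found))
```

On the slide data the Sales Assistant role comes out as cn=sales, app1 and salesasst, while app2 and app3 (held by 3 of 11 assistants) fall below the threshold and are reported per user for manual decision.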
Oxford Computer Group
www.oxfordcomputergroup.com
tel +44 (0)8456 584425, fax +44 (0)8456 584426