A Pragmatic Approach to RBAC
Oxford Computer Group: Hugh Simpson-Wells, Dave Nesbitt
PowerPoint presentation transcript, posted 05-Jan-2016

Page 1: A Pragmatic Approach to RBAC

A Pragmatic Approach to RBAC

Oxford Computer Group
Hugh Simpson-Wells
Dave Nesbitt

Page 2: A Pragmatic Approach to RBAC

What Are Roles?

“Organizational” roles – what we do at work

“IT” roles – what we are permitted to do on a particular system or application

Collections of privileges

Users (or groups of users) are assigned to roles and inherit these privileges

[Diagram: John Smith (person) is assigned the administrator (role), which carries three Permissions.]

Page 3: A Pragmatic Approach to RBAC

Role-based Access Control

Standard access control is per user

RBAC means managing access based on a user’s role

In AD, group membership is analogous to role membership

Page 4: A Pragmatic Approach to RBAC

Access Control with Group Membership

[Diagram: the user presents a Token; the check “Group access rights?” is answered Yes from the group memberships in that token.]

Page 5: A Pragmatic Approach to RBAC

Application Roles

Group memberships in AD are application roles if used to manage permissions

People will probably have more than one application role

They may have no direct relation to a person’s job title

[Diagram: John Smith (“Sales Assistant”) holds AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2; each of these application roles carries its own set of Permissions.]

Page 6: A Pragmatic Approach to RBAC

Oxford Pragmatic Role Solution

[Diagram, Enterprise Role to Application Roles: the Enterprise Role “Sales Assistant” maps onto the Application Roles AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2, each carrying its Permissions. John Smith and Jack Black receive the enterprise role through membership of cn=sales assistants under ou=sales.]

Page 7: A Pragmatic Approach to RBAC

Role-Based Provisioning with MIIS

When provisioning using MIIS, our goal is to automatically put users into the right Application Roles:

Could be a native role (SAP etc)

Could be an AD group

Could just be some attributes

Fine-grained authorization

But how?

Manually – using an interface

Automatically – being driven by data from another source such as HR

Pragmatically – a combination of both

Page 8: A Pragmatic Approach to RBAC

Role-Based Provisioning

[Diagram: HR exports users and MIIS imports each Employee; an admin creates the new user. The open question “Which application roles does this user need?” is answered from ADAM (Role1, Role2), and MIIS provisions the corresponding Group memberships (Group1; cn=group1, cn=group2) into AD and the Consumer Systems.]

Page 9: A Pragmatic Approach to RBAC

Manual Role Assignment

Administrator adds user to an Enterprise role

User object is imported to MIIS

MIIS reads the user’s role info and makes provisioning decisions

[Diagram: HR exports users and MIIS imports each Employee; the User Admin places the user in an Enterprise role held in ADAM; MIIS then provisions the resulting Group memberships (Role1, Role2 → Group1; cn=group1, cn=group2) into AD and the Consumer Systems.]

Page 10: A Pragmatic Approach to RBAC

Automatic Role Assignment

User object exported to ADAM and put into an OU that has Enterprise role(s) associated with it, or put into ADAM groups with an Enterprise role associated

MIIS reads the user’s role info and makes provisioning decisions

[Diagram: HR exports users and MIIS imports each Employee; no administrator step this time. The user’s OU placement or ADAM group membership implies the Enterprise roles, and MIIS provisions the resulting Group memberships (Role1, Role2 → Group1; cn=group1, cn=group2) into AD and the Consumer Systems.]
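The manual flow (Page 9) and the automatic flow (Page 10) end in the same decision: resolve a user’s Enterprise roles (from OU placement, ADAM group membership or an administrator’s assignment) into Application roles, then reconcile against what the user already holds. The following is an added example of that decision, not code from the deck or from MIIS; every OU, group and role name is constructed, and MIIS’s own rules-extension interface is not modelled.

```python
# Added example (not from the deck, not MIIS code): resolve a user's Enterprise
# roles into Application roles and decide what to provision. Every OU, group
# and role name here is constructed for illustration.
from typing import Dict, FrozenSet, List, Set, Tuple

# Enterprise role -> the application roles it grants (AD groups, SAP roles).
ENTERPRISE_ROLES: Dict[str, FrozenSet[str]] = {
    "Sales Assistant": frozenset({"AD:cn=group1", "SAP:salesasst"}),
    "Sales Manager": frozenset({"AD:cn=group1", "AD:cn=group2", "SAP:salesmgr"}),
}
# Automatic assignment (Page 10): an ADAM OU or ADAM group carries Enterprise roles.
OU_ROLES: Dict[str, Set[str]] = {"ou=sales": {"Sales Assistant"}}
ADAM_GROUP_ROLES: Dict[str, Set[str]] = {"cn=sales managers": {"Sales Manager"}}

def enterprise_roles(ou: str, adam_groups: Set[str], manual: Set[str]) -> Set[str]:
    """Union of roles implied by OU placement, ADAM group membership and the
    administrator's manual assignment (Page 9): the pragmatic mix of both."""
    roles = set(OU_ROLES.get(ou, set())) | set(manual)
    for g in adam_groups:
        roles |= ADAM_GROUP_ROLES.get(g, set())
    return roles

def application_roles(roles: Set[str]) -> Set[str]:
    """Flatten Enterprise roles to the Application roles they grant.
    An unknown enterprise role grants nothing rather than raising."""
    granted: Set[str] = set()
    for r in roles:
        granted |= ENTERPRISE_ROLES.get(r, frozenset())
    return granted

def provisioning_decision(desired: Set[str], current: Set[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_remove): memberships MIIS must grant or revoke so the user
    holds exactly what their Enterprise roles imply. The revoke half is what a
    hand-run process forgets, and it is what stops role accumulation."""
    return sorted(desired - current), sorted(current - desired)

if __name__ == "__main__":
    roles = enterprise_roles("ou=sales", {"cn=sales managers"}, set())
    desired = application_roles(roles)
    current = {"AD:cn=group1", "SAP:salesasst", "AD:cn=finance"}  # constructed
    print(provisioning_decision(desired, current))
```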

Page 11: A Pragmatic Approach to RBAC

Application Role Discovery with MIIS

Import Role Objects from the Consumer Systems and Import Group Objects from AD

Create analogs of these roles as appRole objects in ADAM using OUM

Import appRoles to MIIS & join to groups/roles

Flow changes in role/group memberships out as attribute flow

[Diagram: HR, AD and the Consumer Systems feed MIIS; the discovered roles and groups are mirrored as appRole objects in ADAM.]

Page 12: A Pragmatic Approach to RBAC

Role Mining with MIIS

Import users from HR and target systems, including their current roles

Join them up

Export them to a SQL 2005 instance

Analyse the data to see the most common relationships between HR jobTitle and permissions/roles

Where there is a significant correlation, make that a de facto role for that job title

Where there isn’t, do it manually

Come back in 6 months and check again

Page 13: A Pragmatic Approach to RBAC

Role Mining with MIIS

[Diagram: users from HR, AD and the Consumer Systems are imported into MIIS, joined up (Join Users) and projected into a single view (Project users), with ADAM alongside.]

Page 14: A Pragmatic Approach to RBAC

Role Mining with MIIS

userID | HRJobTitle | ADGroups | System1Roles | System2Roles
12345678 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12356789 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12345690 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app2 | salesasst
13456789 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app3 | salesasst
12121212 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12314141 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
15113212 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
12532323 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
21235545 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app2 | salesasst
21312312 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1, app3 | salesasst
12343242 | Sales Assistant | cn=sales,ou=groups,dc=corp,dc=com | app1 | salesasst
18283838 | Sales Manager | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
18282828 | Sales Manager | cn=sales,ou=groups,dc=corp,dc=com; cn=managers,ou=groups,dc=corp,dc=com | app1, app2, app3 | salesasst, salesmgr
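The analysis step of Page 12 (find the common jobTitle-to-entitlement relationships, keep the strong ones as de facto roles, leave the rest manual) can be run directly over the Page 14 rows. The following is an added example, not code from the deck; the rows are copied from the table, while the 90% threshold and the AD:/S1:/S2: prefixes are constructed choices.

```python
# Added example, not from the deck: the Page 12 role-mining step run over the
# Page 14 rows. Threshold and the "AD:/S1:/S2:" prefixes are constructed choices.
from collections import Counter, defaultdict

SALES = "cn=sales,ou=groups,dc=corp,dc=com"
MGRS = "cn=managers,ou=groups,dc=corp,dc=com"

# (userID, HRJobTitle, ADGroups, System1Roles, System2Roles) copied from Page 14
ROWS = [
    ("12345678", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12356789", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12345690", "Sales Assistant", [SALES], ["app1", "app2"], ["salesasst"]),
    ("13456789", "Sales Assistant", [SALES], ["app1", "app3"], ["salesasst"]),
    ("12121212", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12314141", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("15113212", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("12532323", "Sales Assistant", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
    ("21235545", "Sales Assistant", [SALES], ["app1", "app2"], ["salesasst"]),
    ("21312312", "Sales Assistant", [SALES], ["app1", "app3"], ["salesasst"]),
    ("12343242", "Sales Assistant", [SALES], ["app1"], ["salesasst"]),
    ("18283838", "Sales Manager", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
    ("18282828", "Sales Manager", [SALES, MGRS], ["app1", "app2", "app3"], ["salesasst", "salesmgr"]),
]

def entitlements(groups, s1, s2):
    """One flat set of everything a row holds, prefixed by source system."""
    return {"AD:" + g for g in groups} | {"S1:" + r for r in s1} | {"S2:" + r for r in s2}

def correlation(rows):
    """Per HR job title, the fraction of its holders who hold each entitlement."""
    holders = Counter(title for _, title, *_ in rows)
    hits = defaultdict(Counter)
    for _, title, groups, s1, s2 in rows:
        hits[title].update(entitlements(groups, s1, s2))
    return {t: {e: n / holders[t] for e, n in c.items()} for t, c in hits.items()}

def de_facto_roles(rows, threshold=0.9):
    """Entitlements held by at least `threshold` of a title's holders become the
    de facto role for that title; anything below stays a manual assignment."""
    return {t: sorted(e for e, f in ents.items() if f >= threshold)
            for t, ents in correlation(rows).items()}

def exceptions(rows, threshold=0.9):
    """Users holding entitlements outside their title's de facto role: the cases
    that stay manual, and the over-entitlement to review at the 6-month check."""
    roles = de_facto_roles(rows, threshold)
    extra = {uid: sorted(entitlements(g, s1, s2) - set(roles[t]))
             for uid, t, g, s1, s2 in rows}
    return {uid: e for uid, e in extra.items() if e}
```

On these rows "Sales Assistant" mines to the sales group, app1 and salesasst, and five users (including 12532323 with the managers group and salesmgr) come out as exceptions to review. Only two Sales Managers exist, so their 100% figures rest on two samples; a practitioner would also require a minimum holder count before minting a role from the correlation.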

Page 15: A Pragmatic Approach to RBAC

Role Mining with MIIS (this slide repeats the table shown on Page 14)

Page 16: A Pragmatic Approach to RBAC

Oxford Computer Group

www.oxfordcomputergroup.com

tel +44 (0)8456 584425 fax +44 (0)8456 584426

[email protected]@oxfordcomputergroup.com