wiki:Internal/Rbac/OrbitRbacDesign/OasisRbac

Version 21 (modified by hedinger, 18 years ago) ( diff )

Table of Contents

    1. Role-Based Access Control
    1. RBAC Reference Model
      1. Previous Work
      2. Design Issues
        1. ORBIT Design Goals and Threats
        1. Auditing Tools
        1. Consistency Checking
        1. NIST RBAC Software
        1. Solaris RBAC Software
        1. OASIS RBAC
        1. Designing Using Wiki
        1. Open Issues
    1. LDAP client / server implementation on ORBIT and WINLAB
    2. LDAP Resources
    3. LDAP References
    1. RBAC Resources
    2. RBAC References

OASIS RBAC

Presently http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml OASIS only supports core and hierarchical RBAC, but not static and dynamic sepraration of duty. As stated in the abstract of "Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML, v2.0" http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/access_control-xacml-2.0-rbac-profile1-spec-os.pdf OAS05a:

This specification defines a profile for the use of XACML in expressing policies that use role based access control (RBAC). It extends the XACML Profile for RBAC Version 1.0 to include a recommended AttributeId for roles, but reduces the scope to address only core and hierarchical RBAC. This specification has also been updated to apply to XACML 2.0.

Later, on page 4 in Section 1.3 Scope:

The policies specified in this profile assume all the roles for a given subject have already been enabled at the time an authorization decision is requested. They do not deal with an environment in which roles must be enabled dynamically based on the resource or actions a subject is attempting to perform. For this reason, the policies specified in this profile also do not deal with static or dynamic Separation of Duty (see

http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/ANSI+INCITS+359-2004.pdf ANSI-RBAC). A future profile may address the requirements of this type of environment.

http://www.oasis-open.org/archives/xacml/200402/msg00039.html Minutes of the 5 February 2004 XACML TC Meeting in which this document was approved includes issues raised by NIST.

The OASIS Technical Committee also produced the XACML Profile for Role Based Access http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/cd-xacml-rbac-profile-01.pdf OAS04 and the OASIS eXtensible Access Control Markup Language (xacml) v2.0. Thttp://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/access_control-xacml-2.0-saml-profile-spec-os.pdf OAS05b.

Yao, Moody, and Bacon present a model of OASIS RBAC and its support for active security http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p171-yao.pdf YMB01.

Bacon and Moody promote RBAC using XML for open, secure, widely distributed services iin http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p59-bacon.pdf BM02a, and Bacon, Moody, and Yao present a more in-depth preentation of OASIS Role-Based Access Control in http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p492-bacon.pdf BMY02.

Belokosztolszki and Eyers discuss shielding OASIS RBAC infrastructures from cyberterrorism http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/belokosztolszki03shielding.pdf BE03.

Dimmock, Belokosztolszki, Eyers, Bacon, and Moody compare trust management and distributed access control to OASIS and describe their Prolog-based OASIS implementaiton of a file storage and publication service for tlhe Grid http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/sacmat04-tbac.pdf DBEE04.

http://xml.coverpages.org/techSociety.html#security Markup Languages site.

Lorch, Proctor, Lepro, Kafura, and Shah describe some first experiences using XACML for access control in cistributed Systems http://orbit-lab.org/attachment/wiki/Internal/Rbac/RbacResources/p25-lorch.pdf LPLE03.

Jat Singh's review http://www.srcf.ucam.org/~js573/research/index.php?option=com_content&task=view&id=64&Itemid=49

Note: See TracWiki for help on using the wiki.