The SHANDS UF PORTAL




A Practical Approach for Web
Portal Security Using Roles, Rules,
Directories, and all that Stuff
The Roles Database


What is a roles database?

   A roles database is a mechanism
   used to assign a user access to
   data or applications.

   Access control information for an
   enterprise should be hosted
   centrally, and made available to
   remote applications as needed. (1)

   The Roles data model must be
   based on a robust design to enable
   extension and customization. (2)

   Roles should be thought of as a
   core service that other applications
   will use, much like LDAP or DNS. (2)
   [Diagram: the UF data model. Users are linked to Group Role through a
   User Group Role table; Group and Role combine into Group Role; Group Role
   is linked to Permission through Group Role Perm.]

   The UF data model.

   A typical implementation: assign a
   set of permissions to a group
   and role and then associate many
   users with the group and role…

   …in other words,
   who can do what to which data.

   Permission group role relationships
   tend to be very stable while user
   group role relationships change
   often.

   Permissions, groups and roles
   should be centrally administered
   because they define organizational
   security policy.

   Associating users with groups and
   roles should be decentralized.
   Local administrators are familiar
   with employees and their functions.


What is a role?


   It depends who you talk to.
   Different dialects express similar
   concepts.

   In our model, a role defines a
   functional entity, e.g. “a sales
   manager”.


What is a group?


   A group is a logical way of
   combining and managing roles
   across a distributed enterprise.

   In our model, a group defines an
   organizational entity, e.g. “east
   region”.


Combining groups and roles

   [Diagram: a Group and a Role combine into a Group Role.]

  A group and role are combined to
  provide very granular security
  across a distributed enterprise.
  Here are a couple of scenarios.




  [Diagram: Group West / Role Manager beside Group East / Role Manager.]
  A national company might have a
  regional manager for its two
  divisions…

  …each associated with a group
  defined to have a permission to
  access only to their own data…

  …while the national sales manager,
  being associated with both groups,
  has permission to access both.

  The data model supports inheritance ...
  [Diagram: Group EastWest / Role Manager above Group West / Role Manager
  and Group East / Role Manager.]


What are rules?

   Rules define corporate security
   policy and should be stored once
   and shared with other applications.
   Basically, rules modify permissions.

   The Group Role Permissions table
   stores access control rules.
   [Diagram: Group and Role combine into Group Role; Group Role Perm
   links Group Role to Perm.]

   Storing rules at the group role
   permission level means that
   security can be different across
   groups with the same role...

   ...Shands at UF doctors will have
   different permissions and/or
   different rules than doctors at other
   Shands hospitals.

   Storing rules at the group role
   permission level also means that
   security will be consistent within
   the group role...

   …the rules and permissions will be
   the same for all Shands at UF
   doctors.


How are rules implemented?
   Access control rules are stored
   in XACML format, an emerging W3C
   standard.

   It takes data and process together
   to define and implement a rule, so
   XACML rules are interpreted by
   subroutines (objects).

   For example: A permission may be
   associated with multiple groups
   and roles...
   Loop through user/group/role
    Call security object
    If OK say yes
   End Loop
   Rules and User/Group/Role
   associations never change; they can
   only expire. Use an effective
   timestamp and an expire timestamp.
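The loop from the previous slide, with effective/expire timestamps and the Group EastWest inheritance from the regional scenario, as an added example that is not the portal's own code. The user, group, role and permission rows are constructed sample data, and a plain Python callable stands in for the XACML security object.

```python
# Constructed sample data (not from the deck). Timestamps are ISO-8601 strings,
# which compare correctly as text, so no datetime parsing is needed here.
GROUP_CHILDREN = {"EastWest": ["West", "East"]}  # EastWest inherits both regions

# Group Role Permission rows: (group, role, permission, rule, effective, expire).
# Rows never change; they only expire (expire None = still in force).
GROUP_ROLE_PERMS = [
    ("West", "Manager", "read_sales", "own_region", "2002-01-01", None),
    ("East", "Manager", "read_sales", "own_region", "2002-01-01", None),
]

# User Group Role rows: (user, group, role, effective, expire).
USER_GROUP_ROLES = [
    ("alice", "West", "Manager", "2002-01-01", None),
    ("bob", "EastWest", "Manager", "2002-01-01", None),
    ("carol", "East", "Manager", "2002-01-01", "2002-06-30"),
]

# Security objects: one subroutine per stored rule. A rule modifies a permission;
# a Python callable stands in here for the XACML interpreter the deck describes.
def rule_own_region(group, resource):
    """Allow only data belonging to the group the permission row was granted to."""
    return resource.get("region") == group

RULES = {"own_region": rule_own_region}

def active(effective, expire, now):
    """A row is in force from its effective timestamp until its expire timestamp."""
    return effective <= now and (expire is None or now < expire)

def groups_covered(group):
    """A group covers itself plus every group it inherits, recursively."""
    covered = [group]
    for child in GROUP_CHILDREN.get(group, []):
        covered.extend(groups_covered(child))
    return covered

def is_permitted(user, permission, resource, now):
    """The deck's loop: for each active user/group/role, find matching group role
    permission rows, call the security object, and say yes on the first OK."""
    for u, group, role, eff, exp in USER_GROUP_ROLES:
        if u != user or not active(eff, exp, now):
            continue
        for g, r, perm, rule, p_eff, p_exp in GROUP_ROLE_PERMS:
            if r != role or perm != permission or g not in groups_covered(group):
                continue
            if active(p_eff, p_exp, now) and RULES[rule](g, resource):
                return True
    return False  # no active row whose rule said yes: deny by default
```

The West manager sees only West data, the EastWest manager sees both through inheritance, and an expired user group role stops granting anything without any row being deleted.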


What is a context?

A user is associated with one (or more) User Group Roles.
[Diagram: Users linked to Group Role through a User Group Role table.]

A practicing physician might also be an administrator...

…so she is associated with two User Group Roles.

Her portal functions are driven by her user group roles:
tabs for each context; menus are driven by roles.

If she leaves her administrative
position, her administrative security
would expire.

Her Administrator context would be
unavailable to her; her Care Provider
menus, preferences, and permissions
would not be affected.


What about profiles?

Profiles allow a user to customize an
application to suit their own personal
preferences.

Profiles are stored at the User Group Role level...
[Diagram: Users linked to Group Role through a User Group Role table.]
…as XML to be easily shared with other applications.


Where are profiles kept?

Since profiles are kept at user group
role level, preferences in one role
may be different from preferences in
another role.
The directory


The Directory data model.

[Diagram: the Directory data model. Entity (key uuid) at the centre, with
Identifier, Name, Address, Phone, eMail, Access, Extension and Relationship
tables around it.]

This is the meta Directory or the
canonical source. Ultimately it must
be the repository of all entities and
feed other applications and LDAP.

A Directory Entity has two subtypes:
person and organization...
[Diagram: Entity (key uuid) with subtypes Person and Organization.]

New subtypes can be created as
required.
[Diagram: Entity (key uuid) with two New Type subtypes.]

The Relationship table is one of the
more interesting tables. It associates
two directory entities…
[Diagram: Entity (key uuid) linked to Relationship.]

...person works-for organization is a
simple example. Policy must dictate
valid relationships.
[Diagram: Person linked to Organization.]

The Extension table is a CLOB that
holds additional info in XML or
other format...
<PROFILE>
 <MEDIC>
  <CONTEXT>Administrator </CONTEXT>
 </MEDIC>
</PROFILE>
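Profiles kept per User Group Role as XML (the profile slides above) and read from an Extension CLOB in the deck's <PROFILE><MEDIC> layout, as an added example that is not the portal's own code. The rows, the CALENDAR preference element, the role-to-menu table and the expiry dates are assumptions; it shows the Administrator context dropping out when that user group role expires while the Care Provider context is untouched.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows (not from the deck). Each User Group Role row carries
# its own profile CLOB in the <PROFILE><MEDIC>...</MEDIC></PROFILE> layout shown
# above; the CALENDAR element and the expiry dates are assumptions.
USER_GROUP_ROLES = [
    # (user, group, role, effective, expire, profile_xml)
    ("dr_smith", "Shands UF", "Care Provider", "2002-01-01", None,
     "<PROFILE><MEDIC><CONTEXT>Care Provider</CONTEXT>"
     "<CALENDAR>clinic</CALENDAR></MEDIC></PROFILE>"),
    ("dr_smith", "Shands UF", "Administrator", "2002-01-01", "2002-09-01",
     "<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT>"
     "<CALENDAR>committee</CALENDAR></MEDIC></PROFILE>"),
]

# Menus are driven by roles: an assumed role -> menu table.
ROLE_MENUS = {
    "Care Provider": ["Patient List", "Calendar"],
    "Administrator": ["Staffing", "Reports"],
}

def active(effective, expire, now):
    """Associations never change; they only expire (ISO dates compare as text)."""
    return effective <= now and (expire is None or now < expire)

def parse_profile(profile_xml):
    """Read one profile CLOB: the CONTEXT name plus the remaining preference elements."""
    medic = ET.fromstring(profile_xml).find("MEDIC")
    if medic is None:
        raise ValueError("profile has no MEDIC element")
    context = (medic.findtext("CONTEXT") or "").strip()
    prefs = {el.tag: (el.text or "").strip() for el in medic if el.tag != "CONTEXT"}
    return context, prefs

def portal_contexts(user, now):
    """One tab per active user group role, each with its role menus and its own
    preferences; an expired association simply drops out of the result."""
    tabs = {}
    for u, group, role, eff, exp, profile_xml in USER_GROUP_ROLES:
        if u != user or not active(eff, exp, now):
            continue
        context, prefs = parse_profile(profile_xml)
        tabs[context] = {"group": group, "menus": ROLE_MENUS.get(role, []),
                         "preferences": prefs}
    return tabs
```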

The Access table tracks computer accounts.

The rest are fairly standard: address,
name, email, etc. All have a one-to-many
relationship to Entity and support
multiple types.

The directory is populated by batch
at this time and is fed from other
sources but we must turn that around
quickly.
A Portal Application


A group role application.

The calendar is a group role aware portal application.

Different calendars will show up in
different contexts based upon a
user’s profile data.

There are many more group role
aware applications in our portal
including customizable patient lists
for doctors.
The Shands Uf portal


Review

  The roles
    access control rules
  The directory
    relationships between entities


Questions?


Thank you!


Sources
1.   “The Roles Database at the Massachusetts Institute of Technology”,
     presentation by Jim Repa at EDUCAUSE Conference, October 29, 1999
     http://www.educause.edu/ir/library/html/edu9942/edu9942.html
2.   “Roles”, PowerPoint presentation by Ward Wilson, University of Florida
     DBA, 2002.
3.   OASIS XML-based Access Control Markup Language (XACML)
     http://www.oasis-open.org/committees/docs


Acknowledgments
1.   Thanks to Michael Lucas for preparing the first draft and providing the
     design and layout for this presentation

								