Monday, 5 December 2016

Organization based access control

software development companies

Introduction: The current methods to access control and usage control depend on three entities: subject, action and object. Hence requiring a security policy contains in specifying security rules applying on the {subject, action, object} trio. It can be a authorization for some subject to understand some action on some object.One of the main goals of the OrBAC model is to permit the policy designer to describe a security policy independently of the application.
The selected method to achieve this goal is the overview of an abstract level.
  • Subjects are abstracted into characters. A role is a set of topics to which the same security rule apply.
  • Similarly, an activity is a set of events to which the same security rule apply.
  • And, a view is a set of substances to which the same security rule apply. 
Tools that integrate partly or entirely OrBAC concepts in their implementation.
  • MotOrBAC: MotOrBAC is an OrBAC security policy corrector
  • The OrBAC library: the OrBAC library is a set of Java classes which can deploy and understand OrBAC policies
  • Protekto: a tool established by the SWID company 
MotOrBAC is an execution of the OrBAC access control model. MotOrBAC aims at providing an OrBAC policy description tool. Moreover it can be used to simulate OrBAC policies. The GUI is open source. The OrBAC API, on top of which MotOrBAC has been established to help software developers to contain security mechanisms in their software.

The OrBAC Application Programing Interface is a Java library which has been recognized to programmatically deploy OrBAC policies. The API features the subsequent OrBAC policy editing capabilities:

  • Abstract policy specification: organizations, roles, activities, views, contexts, and abstract rules (permissions) can be used. This comprises organizations, roles, activities, and views hierarchies
  • Separation constraints and rules priorities can be stated to solve conflicts between abstract rules
  • Numerous languages can be used to traditional situations and object definitions. Simple ad-hoc languages have been defined to express time-based conditions or modest conditions on existing entities (subject, action or object) attributes. Two more powerful languages can be used, Java and Prolog, to be able to direct a wide variety of conditions
  • The administration policy, or AdOrBAC policy, related to an OrBAC policy can be stated using the same concepts and API methods 

The Protekto project contains in the development of a platform which allows security policy concentration by executing verification and approval functions in the similar platform. It uses the OrBAC model and standards like SAML 2.0, XACML 2.0 and OpenID 2.0. Open source libraries like OpenSAML, OpenID4Java and SunXACML have been recycled through development. The platform is contains three principal entities:
  • Protekto IDP (Identity Provider)
  • Protekto SP (Service Provider)
  • Protekto PDP (Policy Decision Point)
Each component connects with the others using SAML mails. The OpenID protocol is used in the Protekto IDP component which can authenticate a user by a password or OpenID. Protekto IDP is accountable for empowering subjects into roles and manages the subject attributes.

Protekto can be used to download content presented by the Protekto SP. In this case the Protekto PDP is questioned to know if the user trying to download content is authorized to do so. In order to guarantee that privacy is enforce

Conclusion: The description of the security policy is entirely parameterized by the organization so that it is possible to handle concurrently various security policies related with different organizations. The model is not limited to permissions, but also comprises the possibility to specify prohibitions and duties. From the three abstract units (roles, activities, views), abstract privileges are defined. And from theses abstract privileges, concrete rights are derived.

No comments:

Post a Comment