3. The Roles Database
What is a roles database?
A roles database is a
mechanism used to assign a user
access to data or applications.
4. The Roles Database
What is a roles database?
Access control information for an
enterprise should be hosted
centrally, and made available to
remote applications as needed. (1)
5. The Roles Database
What is a roles database?
The Roles data model must be
based on a robust design to enable
extension and customization. (2)
6. The Roles Database
What is a roles database?
Roles should be thought of as a
core service that other applications
will use, much like LDAP or DNS. (2)
7. The Roles Database
What is a roles database?
[Diagram, the UF data model: User, Group, Role and Permission entities linked through the User Group Role and Group Role Permission association tables.]
8. The Roles Database
What is a roles database?
A typical implementation: assign a
set of permissions to a group
and role and then associate many
users with the group and role…
9. The Roles Database
What is a roles database?
…in other words,
who can do what to which data.
10. The Roles Database
What is a roles database?
Permission/group/role relationships
tend to be very stable, while
user/group/role relationships change
often.
11. The Roles Database
What is a roles database?
Permissions, groups, and roles
should be centrally administered
because they define organizational
security policy.
12. The Roles Database
What is a roles database?
Associating users with groups and
roles should be de-centralized.
Local administrators are familiar
with employees and their functions.
20. The Roles Database
Combining groups and roles
A group and role are combined
to provide very granular security
across a distributed enterprise.
Here are a couple of scenarios.
21. The Roles Database
[Diagram: Group West with Role Manager; Group East with Role Manager]
A national company might have a
regional manager for its two
divisions…
22. The Roles Database
[Diagram: Group West with Role Manager; Group East with Role Manager]
…each associated with a group
defined to have permission to
access only their own data…
23. The Roles Database
[Diagram: Group West with Role Manager; Group East with Role Manager]
…while the national sales
manager, being associated with
both groups, has permission to
access both.
24. The Roles Database
The data model supports inheritance ...
[Diagram: Group EastWest with Role Manager, inherited by Group West with Role Manager and Group East with Role Manager]
26. The Roles Database
What are rules?
Rules define corporate security
policy and should be stored once
and shared with other applications.
Basically rules modify
permissions.
27. The Roles Database
What are rules?
[Diagram: Group, Role and Permission linked through the Group Role and Group Role Permission tables]
The Group Role Permissions table stores access control rules.
28. The Roles Database
What are rules?
Storing rules at the group role
permission level means that
security can be different across
groups with the same role...
29. The Roles Database
What are rules?
...Shands at UF doctors will have
different permissions and/or
different rules than doctors at other
Shands hospitals.
30. The Roles Database
What are rules?
Storing rules at the group role
permission level also means that
security will be consistent within the
group role...
31. The Roles Database
What are rules?
…the rules and permissions will be
the same for all Shands at UF
doctors.
33. The Roles Database
How are rules implemented?
Access control rules are stored in XACML format, an emerging W3C standard.
35. The Roles Database
How are rules implemented?
It takes data and process together
to define and implement a rule, so
XACML rules are interpreted by
subroutines (objects).
36. The Roles Database
How are rules implemented?
For example: A permission may be
associated with multiple groups
and roles...
37. The Roles Database
How are rules implemented?
Loop through user/group/role
    Call security object
    If OK say yes
End Loop
38. The Roles Database
How are rules implemented?
Rules and User/Group/Role
associations never change; they
can only expire. Use an effective
timestamp and an expire timestamp.
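The two regional-manager scenarios (slides 20 to 24) and the evaluation loop with expiring associations (slides 36 to 38) fit in one small in-memory roles database. The code below is an added example, not UF's own implementation; the table and column names follow the slides, while the users, groups, the region rule and the EastWest inheritance rows are constructed sample data, and the "security object" is modelled as a plain Python callable.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

# Added example (not UF's code): a minimal roles database held in memory.
# All rows below are constructed sample data following the slides' table names.

Context = Dict[str, str]            # request context a rule inspects (e.g. region of the data)
Rule = Callable[[Context], bool]    # the "security object" that interprets a stored rule


@dataclass(frozen=True)
class GroupRolePermission:
    """One row of the Group Role Permissions table: a permission plus its optional rule."""
    group: str
    role: str
    action: str
    resource: str
    rule: Optional[Rule] = None     # None: the permission applies unconditionally
    effective: Optional[datetime] = None
    expire: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        return (self.effective is None or self.effective <= now) and \
               (self.expire is None or now < self.expire)


@dataclass(frozen=True)
class UserGroupRole:
    """One row of the User Group Role table; rows are never edited, only expired."""
    user: str
    group: str
    role: str
    effective: datetime
    expire: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        return self.effective <= now and (self.expire is None or now < self.expire)


def region_rule(region: str) -> Rule:
    """Rule stored at the group/role/permission level: only this group's own region's data."""
    return lambda ctx: ctx.get("region") == region


# Inheritance: child group -> parent group (slide 24's EastWest over West and East)
GROUP_PARENT: Dict[str, str] = {"West": "EastWest", "East": "EastWest"}

GROUP_ROLE_PERMISSIONS: List[GroupRolePermission] = [
    GroupRolePermission("West", "Manager", "read", "sales", region_rule("West")),
    GroupRolePermission("East", "Manager", "read", "sales", region_rule("East")),
    # Granted once at the parent group; both regional Manager roles inherit it.
    GroupRolePermission("EastWest", "Manager", "read", "summary"),
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)              # constructed clock values
BEFORE_DAVE_LEFT = datetime(2023, 6, 1, tzinfo=timezone.utc)
_START = datetime(2020, 1, 1, tzinfo=timezone.utc)

USER_GROUP_ROLES: List[UserGroupRole] = [
    UserGroupRole("alice", "West", "Manager", _START),
    UserGroupRole("bob", "East", "Manager", _START),
    # National sales manager: associated with both groups (slide 23)
    UserGroupRole("carol", "West", "Manager", _START),
    UserGroupRole("carol", "East", "Manager", _START),
    # Dave left the East division: his association was expired, not deleted (slide 38)
    UserGroupRole("dave", "East", "Manager", _START,
                  expire=datetime(2024, 1, 1, tzinfo=timezone.utc)),
]


def lineage(group: str) -> Iterator[str]:
    """Yield a group followed by its ancestors; the seen-set guards against cyclic data."""
    seen = set()
    while group is not None and group not in seen:
        seen.add(group)
        yield group
        group = GROUP_PARENT.get(group)


def is_allowed(user: str, action: str, resource: str, ctx: Context, now: datetime) -> bool:
    """Slide 37's loop: for each active user/group/role, call the security object; first OK wins."""
    for ugr in USER_GROUP_ROLES:
        if ugr.user != user or not ugr.active_at(now):
            continue                   # expired or foreign association: skip it
        for group in lineage(ugr.group):
            for grp in GROUP_ROLE_PERMISSIONS:
                if (grp.group, grp.role, grp.action, grp.resource) != (group, ugr.role, action, resource):
                    continue
                if not grp.active_at(now):
                    continue
                if grp.rule is None or grp.rule(ctx):
                    return True        # "If OK say yes"
    return False                       # default deny: no row granted it


if __name__ == "__main__":
    print(is_allowed("alice", "read", "sales", {"region": "East"}, NOW))   # alice is West only
    print(is_allowed("carol", "read", "sales", {"region": "East"}, NOW))   # carol holds both groups
```

Because the check walks every active association and stops at the first grant, the national manager's two rows give access to both regions without any special-case code, and Dave's access disappears at his expire timestamp while the row itself stays in the table for audit. Put the clock (`now`) under the caller's control, as here, so the same function can answer "was this allowed at the time of the incident?" during a review.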
46. The Roles Database
If she leaves her administrative
position, her administrative security
would expire.
47. The Roles Database
Her Administrator context would be
unavailable to her; her Care Provider
menus, preferences, and permissions
would not be affected.
54. The Roles Database
What about profiles?
Since profiles are kept at the user
group role level, preferences in one
role may be different from
preferences in another role.
56. The directory
[Diagram, the Directory data model: Entity (key uuid) with related tables Name, Address, Phone, eMail, Identifier, Relationship, Access and Extension.]
57. The directory
The Directory data model
This is the meta Directory or the
canonical source. Ultimately it must
be the repository of all entities and
feed other applications and LDAP.
58. The directory
The Directory data model
A Directory Entity has two subtypes: person and organization...
[Diagram: Entity (key uuid) with subtypes Person and Organization]
59. The directory
The Directory data model
New subtypes can be created as required.
[Diagram: Entity (key uuid) with two New Type subtypes]
60. The directory
The Directory data model
The Relationship table is one of the more interesting tables. It associates two directory entities…
[Diagram: Entity (key uuid) linked to Relationship]
61. The directory
The Directory data model
...person works-for organization is a simple example. Policy must dictate valid relationships.
[Diagram: Person and Organization]
62. The directory
The Directory data model
The Extension table is a CLOB that holds additional info in XML or other format...
[Diagram: Extension]
63. The directory
The Directory data model
<PROFILE>
<MEDIC>
<CONTEXT>Administrator </CONTEXT>
</MEDIC>
</PROFILE>
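Slides 60 to 63 describe three things a directory service has to get right: entities keyed by uuid, a Relationship table whose valid pairings are dictated by policy rather than left open, and an Extension CLOB whose XML is read back into application contexts. The block below is an added example in Python, not UF's directory code; the subtype names, the relationship policy table, the person's name and the second CONTEXT element are constructed assumptions for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example (not UF's code): Entity, Relationship and Extension tables in memory.
# Subtype names and the policy table are constructed assumptions for illustration.

# "Policy must dictate valid relationships": (from-subtype, to-subtype) -> allowed kinds
RELATIONSHIP_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("person", "organization"): {"works-for"},
    ("organization", "organization"): {"part-of"},
}


@dataclass
class Entity:
    subtype: str                      # "person", "organization", or a newly created subtype
    name: str
    key: uuid.UUID = field(default_factory=uuid.uuid4)   # the "key uuid" column
    extension: str = ""               # Extension CLOB: XML profile or other format


@dataclass(frozen=True)
class Relationship:
    from_key: uuid.UUID
    to_key: uuid.UUID
    kind: str


class Directory:
    def __init__(self) -> None:
        self.entities: Dict[uuid.UUID, Entity] = {}
        self.relationships: List[Relationship] = []

    def add(self, entity: Entity) -> uuid.UUID:
        self.entities[entity.key] = entity
        return entity.key

    def relate(self, from_key: uuid.UUID, to_key: uuid.UUID, kind: str) -> None:
        """Insert a Relationship row only if policy allows this kind between these subtypes."""
        a, b = self.entities[from_key], self.entities[to_key]
        if kind not in RELATIONSHIP_POLICY.get((a.subtype, b.subtype), set()):
            raise ValueError(f"{kind!r} is not a valid relationship from {a.subtype} to {b.subtype}")
        self.relationships.append(Relationship(from_key, to_key, kind))

    def related(self, from_key: uuid.UUID, kind: str) -> List[str]:
        """Names of the entities reachable from from_key over relationships of this kind."""
        return [self.entities[r.to_key].name for r in self.relationships
                if r.from_key == from_key and r.kind == kind]


def profile_contexts(extension_xml: str) -> List[Tuple[str, str]]:
    """Return (application, context) pairs from a PROFILE document stored in the Extension CLOB.

    xml.etree is adequate for XML your own batch feed wrote; if the CLOB can carry XML
    from outside the enterprise, parse it with the defusedxml package instead.
    """
    root = ET.fromstring(extension_xml)
    if root.tag != "PROFILE":
        raise ValueError("extension is not a PROFILE document")
    return [(app.tag, ctx.text.strip())
            for app in root for ctx in app.findall("CONTEXT") if ctx.text]


# Constructed sample Extension content following slide 63's layout
SAMPLE_EXTENSION = """<PROFILE>
  <MEDIC>
    <CONTEXT>Administrator </CONTEXT>
    <CONTEXT>Care Provider</CONTEXT>
  </MEDIC>
</PROFILE>"""


def demo() -> dict:
    """Build a two-entity directory and exercise the policy check and the CLOB parser."""
    d = Directory()
    org = d.add(Entity("organization", "Shands at UF"))
    doc = d.add(Entity("person", "Dr. Example", extension=SAMPLE_EXTENSION))
    d.relate(doc, org, "works-for")            # person works-for organization: allowed
    try:
        d.relate(org, doc, "works-for")        # organization works-for person: not in policy
        rejected = False
    except ValueError:
        rejected = True
    return {
        "works_for": d.related(doc, "works-for"),
        "invalid_rejected": rejected,
        "contexts": profile_contexts(d.entities[doc].extension),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the allowed pairings in one policy table means a feed that tries to record a nonsensical link is refused at insert time rather than discovered later by an application that trusts the directory; the parser strips the trailing space in `Administrator ` so context names compare cleanly against the roles database.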
64. The directory
The Directory data model
The Access table tracks computer accounts.
65. The directory
The Directory data model
The rest are fairly standard: address,
name, email, and so on. All have a
one-to-many relationship to Entity and
support multiple types.
66. The directory
The Directory data model
The directory is populated by batch at
this time and is fed from other
sources, but we must turn that around
quickly.
68. A Portal Application
A group role application.
The calendar is a group role aware portal application.
70. A Portal Application
A group role application.
Different calendars will show up in different contexts based upon a user’s profile data.
71. A Portal Application
A group role application.
There are many more group role aware applications in our portal, including customizable patient lists for doctors.
72. The Shands UF portal
Review
The roles: access control rules
The directory: relationships between entities
75. The Roles Database
Sources
1. “The Roles Database at the Massachusetts Institute of Technology”, presentation by Jim Repa at the EDUCAUSE Conference, October 29, 1999. http://www.educause.edu/ir/library/html/edu9942/edu9942.html
2. “Roles”, PowerPoint presentation by Ward Wilson, University of Florida DBA, 2002.
3. OASIS eXtensible Access Control Markup Language (XACML). http://www.oasis-open.org/committees/docs
76. The Roles Database
Acknowledgments
1. Thanks to Michael Lucas for preparing the first draft and providing the
design and layout for this presentation