Posted to commits@directory.apache.org by el...@apache.org on 2014/10/27 16:56:02 UTC
svn commit: r1634581 - in /directory/site/trunk/content/fortress/user-guide:
1.3-what-rbac-is.mdtext 1.4-why-rbac-is-important.mdtext
1.5-how-to-impl-rbac.mdtext 1.6-go-for-more.mdtext images/ARbac.png
Author: elecharny
Date: Mon Oct 27 15:56:01 2014
New Revision: 1634581
URL: http://svn.apache.org/r1634581
Log:
Added some pages for fortress UG
Added:
directory/site/trunk/content/fortress/user-guide/1.4-why-rbac-is-important.mdtext
directory/site/trunk/content/fortress/user-guide/1.5-how-to-impl-rbac.mdtext
directory/site/trunk/content/fortress/user-guide/1.6-go-for-more.mdtext
directory/site/trunk/content/fortress/user-guide/images/ARbac.png (with props)
Modified:
directory/site/trunk/content/fortress/user-guide/1.3-what-rbac-is.mdtext
Modified: directory/site/trunk/content/fortress/user-guide/1.3-what-rbac-is.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/user-guide/1.3-what-rbac-is.mdtext?rev=1634581&r1=1634580&r2=1634581&view=diff
==============================================================================
--- directory/site/trunk/content/fortress/user-guide/1.3-what-rbac-is.mdtext (original)
+++ directory/site/trunk/content/fortress/user-guide/1.3-what-rbac-is.mdtext Mon Oct 27 15:56:01 2014
@@ -29,28 +29,28 @@ There is more to RBAC than using a Role
* ANSI INCITS 359-2001, [http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf](http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf) - The ANSI specification describes RBAC and provides functional specifications in Z-notation.
<CENTER>
-![ANSI RBAC](images/ANSIRBAC-Spe.png)
+![ANSI RBAC](images/ANSIRBAC-Spec.png)
</CENTER>
-* RBAC0 - Users, Roles, Permissions (Objects-Operations), Sessions - Form the Core of ANSI RBAC. Role activation and Permissions mapped to Object->Operation pairing are key facets of the basic ANSI RBAC model.
+* <b>RBAC0</b> - Users, Roles, Permissions (Objects-Operations), Sessions - Form the Core of ANSI RBAC. Role activation and Permissions mapped to Object->Operation pairing are key facets of the basic ANSI RBAC model.
<CENTER>
![The Core](images/RbacCore.png)
</CENTER>
-* RBAC1 - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many or multi-inheritance.
+* <b>RBAC1</b> - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many or multi-inheritance.
<CENTER>
![Hierarchical RBAC](images/RbacHier.png)
</CENTER>
-* RBAC2 - Static Separation of Duties - Used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.
+* <b>RBAC2</b> - Static Separation of Duties - Used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.
<CENTER>
![Static Separation of Duties](images/RbacSSD.png)
</CENTER>
-* RBAC3 - Dynamic Separation of Duties - Enforces constraints on what functions may used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
+* <b>RBAC3</b> - Dynamic Separation of Duties - Enforces constraints on what functions may used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
<CENTER>
![Dynamic Separation of Duties](images/RbacDSD.png)
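Review bot: the RBAC3 line still reads "what functions may used together" (missing "be") in both the `-` and `+` versions, so the bolding pass missed a chance to fix it; while you are in this hunk, the unchanged context line cites "ANSI INCITS 359-2001" although the linked PDF and the NavUpText on the new pages say 359-2004. Also, the rename from ANSIRBAC-Spe.png to ANSIRBAC-Spec.png only changes the reference: this commit's Added list contains ARbac.png but no ANSIRBAC-Spec.png, so please confirm that file already exists under images/ or the page will render a broken image.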
Added: directory/site/trunk/content/fortress/user-guide/1.4-why-rbac-is-important.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/user-guide/1.4-why-rbac-is-important.mdtext?rev=1634581&view=auto
==============================================================================
--- directory/site/trunk/content/fortress/user-guide/1.4-why-rbac-is-important.mdtext (added)
+++ directory/site/trunk/content/fortress/user-guide/1.4-why-rbac-is-important.mdtext Mon Oct 27 15:56:01 2014
@@ -0,0 +1,33 @@
+Title: 1.4 - Why is ANSI RBAC Important?
+NavPrev: 1.3-what-rbac-is.html
+NavPrevText: 1.3 - What ANSI RBAC is
+NavUp: 1-intro-rbac.html
+NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
+NavNext: 1.5-how-to-impl-rbac.html
+NavNextText: 1.5 - How to implement ANSI RBAC
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+# 1.4 - Why is ANSI RBAC Important?
+
+* Enforces the concept of least privilege. Granting users business functionality doesn't imply entitlements may be used at any time. For example a bank teller shouldn't withdrawal money from customer accounts outside of normal business hours or freelance contractors don't require access to production resources to do their jobs.
+
+* Enables Regulatory Compliance. Who has been granted authority to the most important resources? How can we be certain that terminiated employees and customers no longer have access to controlled resources?
+
+* Enforces separation of duty policies. For example traders must not be regulators or purchasing agents cannot approve transactions.
+
+* Eases administration costs due to elimination of redundant resources. Enable business units to be delegated administrative tasks.
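Review bot: two spelling slips in the new bullets, "withdrawal money" should be "withdraw money" and "terminiated" should be "terminated". The bank-teller example under least privilege describes a time-of-day restriction on when a role may be used rather than least privilege itself (granting only the entitlements the job needs, which the contractor example already illustrates), so either reword it or move it under a separate constraints point. In the separation-of-duty bullet, "traders must not be regulators or purchasing agents cannot approve transactions" reads as one garbled sentence; "and" instead of "or" makes it two examples.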
Added: directory/site/trunk/content/fortress/user-guide/1.5-how-to-impl-rbac.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/user-guide/1.5-how-to-impl-rbac.mdtext?rev=1634581&view=auto
==============================================================================
--- directory/site/trunk/content/fortress/user-guide/1.5-how-to-impl-rbac.mdtext (added)
+++ directory/site/trunk/content/fortress/user-guide/1.5-how-to-impl-rbac.mdtext Mon Oct 27 15:56:01 2014
@@ -0,0 +1,68 @@
+Title: 1.5 - How to implement ANSI RBAC
+NavPrev: 1.4-why-rbac-is-important.html
+NavPrevText: 1.4 - Why is ANSI RBAC Important?
+NavUp: 1-intro-rbac.html
+NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
+NavNext: 1.6-go-for-more.html
+NavNextText: 1.6 - Where to go for more info
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+# 1.5 - How to implement ANSI RBAC
+
+* Learn using the SPEC
+
+* Pick a technology stack you are comfortable with based on current knowledge, SLAs, data storage, and support requirements.
+
+* Design a very simple RBAC data model. Eight objects are all that is needed.
+ * User, Role, Permission, Object, Operation, User-Role, Session, Constraints
+
+* Design a simple RBAC software model.
+ * Top layer called a Manager and contains a stable public API that external apps may call.
+ * Three managers, System, Admin, Review are all that is needed.
+ * The implementation the manager interface contains must be able to be be swapped out for another complete RBAC system without impacting dependent apps.
+ * External applications use RBAC Manager API to map to internal entitlement systems.
+ * Middle layer for RBAC system is optional and may be used for processing fine-grained data validations rules
+ * Bottom layer for accessing the actual data.
+ * Implementation may be swapped for other back ends without impacting Manager.
+ * LDAP, JDBC, Hibernate, JAX-WS, JAX-RS other technologies may be used here to manage the data
+
+* Don't ignore the Audit
+ * View before and after images of the data
+
+* Code first as a POC. Start with the core - RBAC0. Get it right first.
+
+* Test driven development and automation key contributors to successful outcome.
+ * Engage IT teams.
+ * Analyze existing IT entitlements.
+ * Use established role mining techniques.
+
+* Map existing IT entitlements to RBAC system using established role engineering techniques
+
+* Use parent roles as Business Roles and child roles as IT Roles.
+
+* Deploy RBAC system into application environment using established standards. Use declarative policy enforcement points like JEE security for coarse-grained, Spring for fine-grained.
+
+* Application teams own mapping between Business and IT roles.
+
+* Model administrative controls on ARBAC. More on ARBAC coming soon...
+
+<CENTER>
+ ![Administrative RBAC](images/ARbac.png)
+</CENTER>
+
+* Roll-out (Slow and steady starting out)
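Review bot: "must be able to be be swapped out" has a doubled "be", and "Test driven development and automation key contributors to successful outcome" is missing its verb ("are key contributors to a successful outcome"). The three sub-bullets under that TDD point (engage IT teams, analyze existing IT entitlements, use role mining techniques) are role-engineering tasks and belong under the following "Map existing IT entitlements" bullet, which otherwise has no detail of its own. "Learn using the SPEC" would read better as "Learn the spec", and "More on ARBAC coming soon..." is a placeholder that will ship to the live site; either drop it or link to where the ARBAC material will live.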
Added: directory/site/trunk/content/fortress/user-guide/1.6-go-for-more.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/user-guide/1.6-go-for-more.mdtext?rev=1634581&view=auto
==============================================================================
--- directory/site/trunk/content/fortress/user-guide/1.6-go-for-more.mdtext (added)
+++ directory/site/trunk/content/fortress/user-guide/1.6-go-for-more.mdtext Mon Oct 27 15:56:01 2014
@@ -0,0 +1,30 @@
+Title: 1.6 - Where to go for more info
+NavPrev: 1.5-how-to-impl-rbac.html
+NavPrevText: 1.5 - How to implement ANSI RBAC
+NavUp: 1-intro-rbac.html
+NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
+NavNext:
+NavNextText:
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+# 1.6 - Where to go for more info
+
+* Download the ANSI RBAC specification: [http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf](http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf)
+
+* Download working ANSI RBAC reference implementation, like Fortress !
+
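Review bot: the second bullet tells the reader to download the Fortress reference implementation but gives no link, unlike the spec bullet above it; add the download page so the "go for more" page actually leads somewhere. The empty NavNext and NavNextText are fine for the last page of the chapter, but the trailing blank line at the end of the file can be dropped.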
Added: directory/site/trunk/content/fortress/user-guide/images/ARbac.png
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/user-guide/images/ARbac.png?rev=1634581&view=auto
==============================================================================
Binary file - no diff available.
Propchange: directory/site/trunk/content/fortress/user-guide/images/ARbac.png
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
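Review bot: the new image is added with svn:mime-type = application/octet-stream; set it to image/png instead so viewvc and the generated site serve it as an image rather than offering a download, matching what the page expects from the ![Administrative RBAC](images/ARbac.png) reference.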