Secure Coding mailing list archives
Re: RBAC question
From: George Capehart <gwc () acm org>
Date: Mon, 16 Feb 2004 16:28:58 +0000
On Sunday 15 February 2004 06:22 am, avi wrote:

<snip>

> My questions to the list:
> - Did I misunderstand the model?

Hello Avi,

Yes, you did. The basic idea is that access to a system and the functions provided by the system is based on the notion of roles. A role is granted access privileges. Individuals are assigned (sometimes multiple) roles. A very good "first stop" for information on RBAC is at the NIST site: http://csrc.nist.gov/rbac. See especially the paper at the link at the bullet "Proposed Voluntary Consensus Standard" (_NIST_RBAC_STANDARD_).

> - Any solutions?

Yes. Audit trails are a major component of an RBAC-based system.

> - Anyone else implement this model? If so, how?

Yes. The breadth, depth and scope of the implementation varies widely in different implementations. It's been implemented in:

- Some OSs - Solaris, AIX, Linux, etc. - but these implementations are pretty much limited to controlling access to OS-level objects.
- Java - in the Java Authentication and Authorization Service (JAAS) - last time I looked, it wasn't very deep in that there was no "native" mechanism for handling the tough parts of RBAC like dynamic separation of duties, etc.
- Access control subsystems like KeyNote (RFC 2704) and SESAME (https://www.cosic.esat.kuleuven.ac.be/sesame/).
- On the NIST RBAC page there's a pointer for a "lite" PoC version that was built for Web-based applications.
- Probably the most robust implementations are in commercial products that are built around the SESAME core.

A robust implementation of RBAC for applications is complex. If you have more questions, I'd be happy to help off-list.

Best regards,

George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"Does getiud(2) halt the spawning of child processes?" -- Unknown from a very old fortune cookie file
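The three points the reply makes (privileges are granted to roles and roles assigned to users, audit trails are a core component, and dynamic separation of duties is the hard part most libraries skip) can be shown together in a small model. The following is an added example written for this archive page, not code from the reply, from NIST, JAAS or SESAME; the invoice workflow, the user "alice" and the role names are constructed for illustration. A session activates a subset of the user's assigned roles, a dynamic separation-of-duty constraint refuses a session that would activate a conflicting combination, and every activation and access decision is written to an audit list.

```python
"""Minimal NIST-style RBAC: users -> roles -> permissions, session role
activation, one dynamic separation-of-duty (DSD) constraint, audit trail.
Added example; all names and the workflow are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Session:
    """A user's session with the subset of roles activated for it."""
    user: str
    active_roles: frozenset


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> {(operation, object), ...}
        self.user_roles = {}   # user -> {role, ...} the user is allowed to activate
        self.dsd = []          # [(frozenset of roles, n)]: fewer than n may be active at once
        self.audit = []        # audit records, one dict per decision

    def _log(self, **record):
        record["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit.append(record)

    def grant(self, role, operation, obj):
        """Privileges are granted to roles, never directly to users."""
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def assign(self, user, role):
        """Users are assigned (possibly several) roles."""
        self.user_roles.setdefault(user, set()).add(role)

    def add_dsd(self, roles, n):
        """Dynamic SoD: no session may hold n or more of these roles together."""
        self.dsd.append((frozenset(roles), n))

    def open_session(self, user, roles):
        wanted = frozenset(roles)
        missing = wanted - self.user_roles.get(user, set())
        if missing:
            self._log(event="activate", user=user, roles=sorted(wanted),
                      decision="deny", reason=f"not assigned: {sorted(missing)}")
            raise PermissionError(f"{user} is not assigned {sorted(missing)}")
        for role_set, n in self.dsd:
            if len(wanted & role_set) >= n:
                self._log(event="activate", user=user, roles=sorted(wanted),
                          decision="deny", reason=f"DSD violation: {sorted(role_set)}")
                raise PermissionError(f"DSD forbids activating {sorted(wanted & role_set)}")
        self._log(event="activate", user=user, roles=sorted(wanted), decision="allow")
        return Session(user, wanted)

    def check(self, session, operation, obj):
        """Access decision over the session's *active* roles only; always audited."""
        allowed = any((operation, obj) in self.role_perms.get(r, set())
                      for r in session.active_roles)
        self._log(event="access", user=session.user, roles=sorted(session.active_roles),
                  operation=operation, object=obj, decision="allow" if allowed else "deny")
        return allowed


def demo():
    """Constructed invoice workflow: clerks create invoices, approvers approve
    them, and DSD stops one session from holding both roles at once."""
    rbac = RBAC()
    rbac.grant("clerk", "create", "invoice")
    rbac.grant("approver", "approve", "invoice")
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "approver")       # assignment of both is fine...
    rbac.add_dsd({"clerk", "approver"}, 2)  # ...activating both together is not

    results = {}
    s = rbac.open_session("alice", {"clerk"})
    results["clerk_create"] = rbac.check(s, "create", "invoice")   # True
    results["clerk_approve"] = rbac.check(s, "approve", "invoice")  # False: role not active
    try:
        rbac.open_session("alice", {"clerk", "approver"})
        results["dual_session"] = "opened"
    except PermissionError:
        results["dual_session"] = "refused"
    results["audit_denials"] = sum(1 for r in rbac.audit if r["decision"] == "deny")
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list holds four records after `demo()`: the allowed activation, the allowed create, the denied approve, and the denied dual activation. Keeping the "not active in this session" denial distinct from the "not assigned at all" denial is what lets a reviewer later tell a policy gap from a separation-of-duty enforcement working as intended.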
Current thread:
- RBAC question avi (Feb 15)
- Re: RBAC question Glenn and Mary Everhart (Feb 15)
- Re: RBAC question George Capehart (Feb 16)