Secure Coding mailing list archives

Re: RBAC question


From: Glenn and Mary Everhart <Everhart () gce com>
Date: Sun, 15 Feb 2004 20:19:59 +0000


You have indeed misunderstood the model. The deal is that users should be
assigned attributes or identifiers corresponding to the roles they play.
Then you set protections based on the roles.

The reason for this added indirection is that it makes sense to say
"helpdesk people may have access to file X" instead of "Tom, Dick, and Harry
may have access to file X", so if one of the named users leaves or changes
duties, the list of "helpdesk people" can be updated once, rather than
having to update all the access control lists that might mention individuals.

You leave individuals logging in and accessing so the audit/forensics info
is preserved.


avi wrote:


Hello,

This is my first time trying to ask the list, so please bear with me...

According to my understanding of the Role Based Access Control (RBAC) model,
the identified end user is checked against a predefined role and then the
process runs under the context of another predefined "generic" user (the one
defined for that specific role) that actually accesses the end resource (a
table in a DB, for example).

This means that the end user is not recorded in the DB log, and that imposes
a problem from an audit perspective.
Another concern is that monitoring and debugging tools will display the
"generic" user name, so it will be a challenge to tie this process to the
end user activity.

My questions to the list:
  - Did I misunderstand the model?
  - Any solutions?
  - Anyone else implement this model? If so, how?

Thank you in advance

Avi Shvartz
<<<< "Children", I say plainly, "watch out for the baobabs!"  >>>>
<<<<       The Little prince by Antoine de Saint Exupery.     >>>>
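The indirection Glenn describes, as an added example that is not part of either posting: users are mapped to roles, permissions are attached to roles, and the audit record still names the individual who logged in together with the role that justified the decision. The users, roles and resources below are constructed sample data.

```python
import copy
from dataclasses import dataclass, field

# Constructed sample data (not from the list thread): which roles each
# individual holds, and which (resource, action) pairs each role may perform.
USER_ROLES = {
    "tom": {"helpdesk"},
    "dick": {"helpdesk"},
    "harry": {"helpdesk", "dba"},
}
ROLE_PERMISSIONS = {
    "helpdesk": {("file_x", "read")},
    "dba": {("customers", "read"), ("customers", "write")},
}


@dataclass
class Rbac:
    user_roles: dict
    role_permissions: dict
    audit_log: list = field(default_factory=list)

    def check(self, user, resource, action):
        """Grant if any of the user's roles permits the action; log the individual."""
        roles = self.user_roles.get(user, set())
        granting = sorted(r for r in roles
                          if (resource, action) in self.role_permissions.get(r, set()))
        # The audit record names the real user, not a shared per-role account,
        # and also records which role(s) justified the decision.
        self.audit_log.append({"user": user, "roles": granting,
                               "resource": resource, "action": action,
                               "allowed": bool(granting)})
        return bool(granting)

    def revoke_role(self, user, role):
        """One update when someone leaves or changes duties; no per-resource ACL edits."""
        self.user_roles.get(user, set()).discard(role)


def build_rbac():
    """Fresh policy instance built from the constructed sample data."""
    return Rbac(copy.deepcopy(USER_ROLES), copy.deepcopy(ROLE_PERMISSIONS))


if __name__ == "__main__":
    rbac = build_rbac()
    print(rbac.check("tom", "file_x", "read"))   # True
    rbac.revoke_role("tom", "helpdesk")          # Tom leaves the helpdesk
    print(rbac.check("tom", "file_x", "read"))   # False
    for entry in rbac.audit_log:                 # every entry names "tom", not a generic account
        print(entry)
```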
