Monday, August 22, 2016

Apache Fortress: The easiest way to get full Role-based Access Control in Openstack Keystone

Role-based access control is not a generic term!

Role-Based Access Control was introduced as a formal model by David Ferraiolo and Richard Kuhn almost 25 years ago.
A role-based access control (RBAC) policy bases access control decisions on the functions a user is allowed to perform within an organization. The users cannot pass access permissions on to other users at their discretion.
Ten years later, the same authors proposed RBAC as a formal standard in this paper, with functional specifications written in Z notation.
In 2004 the RBAC formal model was adopted by ANSI as a specification, INCITS 359.
The RBAC model has four components:
  1. Core RBAC
  2. Hierarchical RBAC
  3. Static Separation of Duty Relations
  4. Dynamic Separation of Duty Relations
Core RBAC includes sets of five basic data elements called users (USERS), roles (ROLES), objects (OBS), operations (OPS), and permissions (PRMS).
The RBAC model as a whole is fundamentally defined in terms of individual users being assigned to roles and permissions being assigned to roles. As such, a role is a means for naming many-to-many relationships among individual users and permissions. In addition, the core RBAC model includes a set of sessions (SESSIONS) where each session is a mapping between a user and an activated subset of roles that are assigned to the user.
So, the ANSI RBAC object model has six basic elements:
  1. User – a human or machine entity
  2. Role – a job function within an organization
  3. Object – maps to a system resource
  4. Operation – an executable image of a program
  5. Permission – approval to perform an Operation on one or more Objects
  6. Session – contains the set of activated roles for a User
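To make those six elements concrete, here is an added Python sketch of Core RBAC (my own illustration, not Fortress or Keystone code): users are assigned roles, roles are granted permissions, a session activates a subset of the user's assigned roles, and CheckAccess is decided only over the activated roles. It also enforces one static separation-of-duty constraint at assignment time; all class and method names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Approval to perform an operation on an object (a PRMS element)."""
    operation: str
    obj: str


class CoreRBAC:
    """Core RBAC data elements from INCITS 359 plus one SSD constraint type.
    Hypothetical illustration only, not the Fortress or Keystone API."""

    def __init__(self):
        self.user_roles = {}   # UA: user -> assigned roles
        self.role_perms = {}   # PA: role -> granted permissions
        self.sessions = {}     # session id -> (user, activated roles)
        self.ssd = []          # (role set, n): no user may hold n or more of them

    def add_user(self, user):
        self.user_roles.setdefault(user, set())

    def add_role(self, role):
        self.role_perms.setdefault(role, set())

    def add_ssd(self, roles, n):
        self.ssd.append((frozenset(roles), n))

    def assign_user(self, user, role):
        """UA assignment; rejected if it would violate an SSD constraint."""
        new = self.user_roles[user] | {role}
        for roles, n in self.ssd:
            if len(new & roles) >= n:
                raise ValueError(f"SSD violation: {user} would hold {sorted(new & roles)}")
        self.user_roles[user] = new

    def grant_permission(self, role, operation, obj):
        self.role_perms[role].add(Permission(operation, obj))

    def create_session(self, sid, user, roles):
        """A session may activate only a subset of the user's assigned roles."""
        if not set(roles) <= self.user_roles[user]:
            raise ValueError("cannot activate roles not assigned to user")
        self.sessions[sid] = (user, set(roles))

    def check_access(self, sid, operation, obj):
        """CheckAccess: true iff some role activated in the session holds the permission."""
        _, active = self.sessions[sid]
        perm = Permission(operation, obj)
        return any(perm in self.role_perms.get(r, ()) for r in active)
```

Note that a user who holds a role but did not activate it in the session is denied, which is exactly the least-privilege behaviour sessions exist to provide.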