A Practical Approach for Web Portal Security Using Roles

The SHANDS UF PORTAL

A Practical Approach for Web Portal Security Using Roles, Rules,Directories, and all that Stuff

The Roles Database

What is a roles database?

The Roles Database


A roles database is a mechanism used to assign a user access to data or applications.

The Roles Database


Access control information for an enterprise should be hosted centrally, and made available to remote applications as needed. (1)

The Roles Database


The Roles data model must be based on a robust design to enable extension and customization. (2)

The Roles Database


Roles should be thought of as a core service that other applications will use, much like LDAP or DNS. (2)

The Roles Database


Users

Role Permission

User Group Role

Group

Group Role Perm

Group Role

The UF data model.

The Roles Database


A typical implementation: assign a set of permissions to a group and role and then associate many users with the group and role…

The Roles Database


…in other words,who can do what to which data.

The Roles Database


Permission group role relationships tend to be very stable while user group role relationships change often.

The Roles Database


Permissions groups and roles should be centrally administrated because they define organizational security policy.

The Roles Database


Associating users with groups and roles should be de-centralized. Local administrators are familiar with employees and their functions.

The Roles Database

What is a role?

Role

The Roles Database

What is a role?

It depends who you talk to. Different dialects express similar concepts.

The Roles Database

What is a role?

In our model, a role defines a functional entity– e.g., “a sales manager”.

The Roles Database

What is a group?

Group

The Roles Database

What is a group?

A group is a logical way of combining and managing roles across a distributed enterprise.

The Roles Database

What is a group?

In our model, a group defines an organizational entity– e.g., “east region”.

The Roles Database

Group Role

Group

Role

Combining groups and roles

The Roles Database

Combining groups and roles

A group and role are combined to provide very granular security across a distributed enterprise. Here are a couple scenarios.

The Roles Database

Group WestRole Manager

A national company might have a regional manager for its two divisions…

Group EastRole Manager

The Roles Database


…each associated with a group defined to have a permission to access only to their own data…


The Roles Database

…while the national sales manager, being associated with both groups, has permission to access both.



The Roles Database

Group EastWestRole Manager

The data model supports

inheritance ... Group West

Role ManagerGroup East

Role Manager

The Roles Database

What are rules?

The Roles Database

What are rules?

Rules define corporate security policy and should be stored once and shared with other applications. Basically rules modify permissions.

The Roles Database

What are rules?

Role Perm

Group

Group Role Perm

Group Role

The Group Role Permissions

table stores access control

rules.

The Roles Database

What are rules?

Storing rules at the group role permission level means that security can be different across groups with the same role...

The Roles Database

What are rules?

...Shands at UF doctors will have different permissions and/or different rules than doctors at other Shands hospitals.

The Roles Database

What are rules?

Storing rules at the group role permission level also means that security will be consistent within the group role...

The Roles Database

What are rules?

…the rules and permissions will be the same for all Shands at UF doctors.

The Roles Database

How are rules implemented?

The Roles Database


Access control rules are stored in XACML format an emerging W3C

standard.

The Roles Database


It takes data and process together to define and implement a rule so XACL rules are interpreted by subroutines (objects).

The Roles Database


For example: A permission may be associated with multiple groups and roles...

The Roles Database


Loop through user/group/role Call security object If OK say yesEnd Loop

The Roles Database


Rules and User/Group/Role associations never change they can only expire. Use an effective timestamp and expire timestamp.

The Roles Database

What is a context?

The Roles Database

What is a context?

Users

User Group Role

Group Role

A user is associated with one (or more) User Group Role.

The Roles Database

Users

User Group Role

Group Role

A practicing physician might also be a an administrator...

The Roles Database

Users

User Group Role

Group Role

…so she is associated with two User Group Roles.

The Roles Database

Her portal functions are driven by her user group roles.

Tabs for each context

Menus are driven by Roles

The Roles Database

If she leaves her administrative position, her administrative security would expire.

The Roles Database

Her Administrator context would be unavailable to her; her Care Provider menus, preferences, and permissions would not be affected.

The Roles Database

What about profi les?

The Roles Database


Profi les allow a user to customize an application to suit their own personal preferences.

The Roles Database

Users

User Group Role

Group Role

Profiles are stored at the User Group Role level...


The Roles Database

…as XML to be easily shared with other applications.


The Roles Database

Where are profiles kept?

The Roles Database


Since profiles are kept at user group role level, preferences in one role may be different from preferences in a another role.

The directory

The Directory data model.

RelationshipEntity key uuid

Phone

eMail

Identifier

AddressName

Access Extension

The directory

The directory

The Directory data model

This is the meta Directory or the canonical source. Ultimately it must be the repository of all entities and feed other applications and LDAP.

The directory


A Directory Entity has two subtypes: person and organization...

Entity key uuid

Person Organization

The directory


New subtypes can be created as required.

Entity key uuid

New Type New Type

The directory


The Relationship table is one of the more interesting tables. It associates two directory entities…

Relationship

Entity key uuid

The directory


...person works-for organization is a simple example. Policy must dictate valid relationships.

Person

Organization

The directory


The Extension table is a CLOB that holds additional info in XML or other format...

Extension

The directory


<PROFILE> <MEDIC> <CONTEXT>Administrator </CONTEXT> </MEDIC></PROFILE>

The directory


The Access table tracks computer accounts. Access

The directory


The rest are fairly standard - address, name, email and etc. All have a one to many relationship to Entity and support multiple types.

The directory


The directory is populated by batch at this time and is fed from other sources but we must turn that around quickly.

A Portal Application

A group role application.


The calendar is a group role aware portal application.




Different calendars will show up in different contexts based upon a user’s profile data.



There are many more group role aware applications in our portal including customizable patient lists for doctors.

The Shands Uf portal

Review

The roles access control rulesThe directory relationships between entities

The Roles Database

Questions?

The Roles Database

Thank you!

The Roles Database

Sources

1. “The Roles Database at the Massachusetts Institute of Technology”, presentation by Jim Repa at EDUCAUSE Conference, October 29, 1999 http://www.educause.edu/ir/library/html/edu9942/edu9942.html

2. “Roles”, PowerPoint presentation by Ward Wilson, University of Florida DBA, 2002.

3. OASIS XML-based Access Control Markup Language (XACML) http://www.oasis-open.org/committees/docs

The Roles Database

Acknowledgments

1. Thanks to Michael Lucas for preparing the first draft and providing the design and layout for this presentation