Process - Based Access Control Steve Taylor and Mike Surridge

advertisement
Process-Based Access Control
Steve Taylor and Mike Surridge
IT Innovation Centre
11/04/05
Security Objectives
• Regulate service behaviour
– resist unacceptable usage
– e.g. permitting users access to resources only if
they have agreed to pay first!
• Ensure only the right users can use services
– resist unauthorised access
• Ensure services can provide resources
– resist denial of service
Process-Based Access Control
(PBAC)
• Enforces business processes
• Authorisation system
– authentication of user ID performed externally
• Protects Web Services
• Access is determined by an authorisation triple:
–
–
–
user ID (subject)
process context (resource)
Web Service operation (action)
PBAC Origins: Comb-e-Chem
Authenticated
users
(New)
can send sample
Revoke users
(Data collection)
can request status
can monitor status
Unpack, enter data,
send confirmation
(Pending schedule)
can request status
Experiment finished + postprocess completed
(HKL available)
Schedule for tomorrow,
notify user
(Raw data available)
can request status
can download HKL
(Scheduled)
can request status
can monitor status
Structure determined
(structure data available)
Sample prepared,
notify user
(Structure available)
can request status
can download HKL
can download structure
(Ready to start)
can request status
can monitor status
(Prev. expt finishes)
Start new expt (launch control GUI),
notify user
Setup completed
New crystal ready
Publish data?
Archive data?
Timeout?
Discard unit cell
(Setup running)
can request status
can monitor status
can connect to conference
can download images
(Prep new crystal)
can request status
can conference?
can monitor?
Discard crystal
Abort
(Finished)
Business Process Enforcement
• Stateful sequences
– “you must pay before you can use my resource”
• Contextualised process identifiers
– “which crystal sample are we talking about?”
• Authorisation depends on:
– process state
– user requesting access
– requested operation
• Business logic encoded in Web Service operations
– all operations consult authorisation store
– operations may update authorisation store
– state transitions, new access rights
Example: GRIA Core Services
Client Organisation B
Client Organisation A
trust
trust
open
tender
upload
Account
Resources
Job
Service
Account
run
Data
Service
Service Provider Organisation X
download
Resources
transfer
Job
Service
Data
Service
Service Provider Organisation Y
Contexts
• A context references a particular resource at
a service provider, e.g:
– account number, order number, crystal sample ID,
etc
• Quoted in communications
– “your ref”
• Contexts are hierarchical
– “parent – child” relationships
– e.g. an “order” context may be a sub-context of an
account context and thus will bill the account
Contexts
Account 3
Resource Allocation 6
Job 24
Data 22
Resource Allocation 7
Job 13
Data 11
Data 19
Basic Architecture
Authentication
Authorisation
Example Operation
Client
Service Provider
Account Web Service
Account
Manager
user
getStatement
(Account Manager ID, acct35)
getStatement
operation
if DENY
SOAP Fault (“Not authorised”)
if PERMIT,
generate
statement
statement
checkAuthorised
(Account Manager ID, acct35,
“accountService.getStatement”)
PERMIT / DENY
PBAC
Example Delegation Operation
Client
Service Provider
Account Web Service
Account
Manager
user
enableAccess
(Account Manager ID,
acct35, delegateID)
enableAccess
operation
if DENY
SOAP Fault (“Not authorised”)
if PERMIT
checkAuthorised
(Account Manager ID, acct35,
“accountService.enableAccess”)
PERMIT / DENY
openAuthorisation
(delegateID, acct35,
“accountService.useAccount”)
OK
OK
PBAC
PBAC Features Summary
• Highly flexible means of process enforcement
– based on dynamic authorisation
• Contextualised
– hierarchical context relationships
• Fine grained control of access
• Supports server-side delegation
PBAC Version 2
• Developed in Semantic Firewall project
• Explicit dynamic policy representation
– simpler API
– helps protect against service errors
• More flexible context model
– not limited to hierarchical “factory” patterns
• Standardised implementation
– XACML for policy representation and authorisation API
– X.509 / SAML for subject tokens
GRIA/GEMSS Business Model
Credit
Bad
Start
Request
Account
Account
Requested
Credit
Good
No QoS
Confirmed
Request
QoS
Account
Opened
QoS
Settlement
Negotiating
QoS
Application(s)
Finished
QoS
Confirmed
Resource
Usage
Ends
Resources
Confirmed
Resource
Usage
Starts
Application(s)
Proceeding
Account
Closed
End
QoS
Settlement
Resources
Expired
QoS Terms
Breached
Interaction Protocols
• Process role
– specifies a resource user type
– e.g. “Service Provider” or “Account Manager”
– real users may be assigned process roles
• Interaction Protocols
– link between resource & process role
– describe resource states, permitted actions and
associated state transitions for a process role
Account Service Deployment IP
IP: A0
Role: Service provider
Context: AcctService
Start
End
Open()
All Accounts
Settled
Deploy
Service
Waiting for
Customers
Withdraw
Service
Closing
Accounts
Account Management IP
IP: A2
Role: Account manager
Context: AcctService.Acct
Start
[A0:Open]
Checking
Credit
Credit
Bad
End
Get
Statement()
Get
Statement()
Account
Purged
Credit
Good
UnTrust
User(DN)
Settled
Trust
User(DN)
Account
Settled
[A0:Withdraw]
Open
UnTrust
Biller(DN)
Close():
request
Get
Statement()
Trust
Biller(DN)
Close():
response
UnTrust
Biller(DN)
Closing
Get
Statement()
Account Biller IP
Generalised Process Context
Account 4
Billing Ref 4.43
Resource Allocation 6
Job 24
Resource Allocation 7
Data 22
Data 19
Data 11
Job 13
Account 3
Billing Ref 3.12
Software
Licence 31
Conclusion
• PBAC addresses:
– authorisation via business process enforcement
• PBAC 1 is complete:
– evaluated in GRIA
– has proved flexible & powerful
•
•
PBAC 2 now being designed by SFW project
PBAC 2 will provide:
–
–
–
explicit process-based policies
more flexible context model
standards-based implementation
Process-Based Access Control
Steve Taylor and Mike Surridge
IT Innovation Centre
11/04/05
Download