The PERMIS Authorisation
Infrastructure
David Chadwick
D.W.Chadwick@kent.ac.uk
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
1
What is PERMIS?
• It is an authorisation infrastructure that takes care of all aspects
of authorisation
 Setting authorisation policies for computer resources i.e.
specifying who is allowed to do what to which resources
 Allocating credentials to users (as attributes or roles e.g.
professor, RA, PhD student etc.)
 Supports Distributed Credential Management (many trusted
people can be empowered to allocate credentials to users)
 Supports Dynamic Delegation of Authority i.e. allowing a user
with a specific credential to give it to someone else as and
when he wants to (without reference to a higher authority) if the
Delegation Policy allows it
 Makes access control decisions i.e. does the policy allow this
user to do what he is asking to do?
 Supports Hierarchical Role Based Access Controls, where
superior roles automatically inherit the privileges of subordinate
roles

Very secure, since policies and credentials
are digitally signed 2
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
PERMIS Authorisation System
Authentication
Service
Appln
PEP
PUSH
Initiator
Submit
Access
Request
Present
Access
Request
Target
GGF OGSA SAML Authz protocol
SAML Wrapper
Retrieve
Role ACs
(push)
getcreds
request/response
decision
request/response
The PERMIS Java API
User
Credentials
STS
PDP
PKI
User
CredentialsLDAP
Retrieve Policy
Directories and Role ACs (pull)
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
3
Creating Authorisation Policies
• Policies are specified in XML so that they can be
understood by the PERMIS PDP (Policy
Decision Point)
• Policies are digitally signed by their creator so
that they cannot be tampered with, and so that
the PDP knows it has a genuine policy
• Use the Policy Editor tool, a GUI that allows you
create simple PERMIS policies easily
– Hides XML from creator
– Displays policy in natural language
– Signs and stores policy in creator’s LDAP entry
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
4
Policy Editor
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
5
A Simple Policy
• All staff in the department can write files to
laser printer x, Jim the administrator can
write files, delete any files from the print
queue, pause the printing, and resume the
printing at the laser printer x. No-one else
is allowed access to the printer.
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
6
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
7
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
8
Allocating Credentials to Users
• Credentials are stored as digitally signed attribute
certificates (ACs) in LDAP directories
– So that PERMIS PDP knows they are genuine
– Allows distributed management. Different managers at
different sites can allocate different credentials to the
same or different users. Think of Plastic Cards!
• Three tools provided to do this
• Bulk loader
– script to search LDAP, find entries, add ACs to them
• Attribute Certificate Manager
– Graphical Interface for creating ACs and storing in LDAP
• Delegation Issuing Service
– Web service for issuing ACs
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
9
Distributed Management
of Credentials
LDAP
Directory
Attribute Certificates
LDAP
Directory
Push Mode
Application Gateway
LDAP
Directory
The PERMIS PMI API
Trusted Site
Managers
PERMIS API
Pull Mode Implementation
LDAP
Directory
JISC Middleware Security Workshop 20/10/05
Policy
ADF
The Boss
(Source of Authority)
© 2005 University of Kent.
10
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
11
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
12
What Applications are Supported
“out of the box”
• Any Globus Toolkit v3.3 and v4 application
(configured authorisation service)
• Any Shibboleth enabled application or
portal (commands to plug into httpd.conf)
• Any Apache web site (commands to plug
into httpd.conf)
• For other applications you need to write
the PEP and call PERMIS via its Java API
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
13
Futures
• More sophisticated RBAC features such
as Separation of Duties (DyCOM project)
• Dynamic Recognition of Authority
• Secure Audit Web Service
• Simple SAM
– PERMIS for Shibboleth sites that don’t want
strong cryptographic protection of their
policies
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
14
Dynamic Delegation of
Authority
Additional Info
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
15
Delegating Credentials in X.509 (2001)
Points to issuer
SOA
Bill
AC
Issues
AC to
Points to
holder
AA
Alice
Issues
AC to
End
Entity
JISC Middleware Security Workshop 20/10/05
Bob
© 2005 University of Kent.
16
The X.509 (2005) Delegation Service
Points to
holder
AC
SOA
Points to issuer
Bill Issues
Points to Issued On
Behalf Of
AC to
Issues
AC to
AA
Delegation
Policy
Alice
Issues
AC to
End
Entity
Delegation Policy
Issuing
Service (DIS)
Bob
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
17
Delegation Issuing web Service
Authenticate
DIS Client
(SSL)
Issue AC
-holder
-attributes
-validity time
Web service
interface
Policy
Issuer’s
AC
Credential
Validation
Service
PERMIS RBAC
Request
DIS
PEP
Authorisation
PDP
IssueAC
publishAC
Credential
LDAP
server
JISC Middleware Security Workshop 20/10/05
Delegation
Issuing
Policy
Sign
AC
© 2005 University of Kent.
18
Demonstration - Browser Access to DIS
LDAP
Web
browser Authentication
e.g. SSL or
Un/Pw
Delegation
Issuing
Policy
DIS Web Service
Web Service
Interface
Apache
JISC Middleware Security Workshop 20/10/05
© 2005 University of Kent.
19
Demonstration - Apache with PERMIS
RBAC Authorisation
Apache Server
User
request
Apache
Authentication
PERMIS
Protected
Resource
mod_
permis
Credential
LDAP
Server
JISC Middleware Security Workshop 20/10/05
LDAP
Directory
Authzn Policy
The PERMIS API
JNI
connector
CVS
PDP
Pull ACs
© 2005 University of Kent.
20