Re: [TRIPLESEC] JACC & RBAC

Sun, 07 Jan 2007 10:59:23 -0800 


On Jan 2, 2007, at 3:02 AM, Ersin Er wrote:


Hi (David),

I have two simple connected questions:

Is JACC basically a RBAC (Role Based Access Control) system?
If it's, do you think its model can be mapped onto the following RBAC model: 
http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf ?

The NIST model for RBAC is quite sophisticated and can meet most of
the RBAC model requirements. We cannot implement this fast and it's
not our first priority but I am just dropping an email to keep this in
mind. We would also like to support XACML and its RBAC module in the
future so we'll have a stable core and a service layer that can easily
be adopted by providers as JACC. Lots of TODO.. :-)
It took me a long time to actually read the paper.. still not quite done. I think we should be careful to make sure triplesec is consistent with the NIST model and implement as much as we can to start with.
JACC basically makes the role >> permission mapping specified in the j2ee/jee deployment descriptors somewhat more explicit, in particular specifying the java classes for the permissions. It leaves the identity >> role mapping up to the implementation. I'd say it's consistent with RBAC but not the whole story.
I'm thinking that perhaps we could implement the role hierarchy features of the NIST model by combining the role and profile object classes: i.e. each role could have subsidiary roles as well as granted and denied permissions. This might simplify the data model as well as making it more powerful. I haven't read the admin features part of the model yet.... this seems likely to be the hard part.
It does seem to me that with a role hierarchy it's only necessary for a user to be in one role at a time, since you can define the set of roles they are in to be yet another role.
I talked a bit with Alex about the user <> role association and I still don't think we've found a good solution: I'm not very happy with the current restriction of 1 user for a profile but don't really have a better idea. I don't yet see groups as providing a big improvement. 


thanks
david jencks





Cheers,

--
Ersin

Reply via email to