rbacdsl - slides from code generation 2014
DESCRIPTION
My slides from my talk at Code Generation 2014 in Cambridge, UK. rbacDSL is a text-based DSL for writing, verifying and correcting RBAC authorisation policies. It produces standard XACML policies that can be used with any XACML evaluation engine.TRANSCRIPT
rbacDSL: a DSL for Role-Based Access Control
Lionel Montrieux <[email protected]>The Open University, Milton Keynes, UK
Outline
• Background and overview (15 min.)
• Building an authorisation policy - live demo (20 min.)
• Try to think of a good example
• Bonus points for funny ones
• Current research and future directions (10 min.)
Background
Authentication, Authorisation
RBAC [Sandhu00]
XACML architecture
XACML - Policies
• <PolicySet> <PolicyCombinationAlgorithm/> <Policy> <RuleCombinationAlgorithm/> <Rule effect=“Permit|Deny”> <Target/> <Condition/> </Rule> </Policy></PolicySet>
XACML - Requests
• <Request> <Subject/> <Resource/> <Action/> <Environment/></Request>
How it started
• rbacUML and rbacDSML
• OCL constraints
• “model smells”
• fixing incorrect models
• Rational Software Architect 8.0, UML profiles
Scenarios?
• Granted: user should be able to perform a list of actions
• Forbidden: !Granted
• User-Role: role should be assigned to at least one user
• Object-Role: role should allow one to perform a list of actions on objects
• Object: at least one user should be able to perform an action on an object
Current research and future directions
Current (and past) research
• Automated model fixing (the whole model) [Montrieux13]
• Adaptive access control - automated reaction to inside threats [Bailey14]
• Dynamic access control - in progress
Future directions
• Attributes and conditions support
• User-specific scenarios
• XACML PAP connectors, LDAP connectors
• Dynamic access control features
• Bidirectional graph transformations
Any questions? email me: [email protected] the tool: https://github.com/lmcmontrieux/rbacDSL
References
• All publications I co-authored are available on http://oro.open.ac.uk (search for my name)
• [Sandhu00] Ravi S. Sandhu, David F. Ferraiolo, D. Richard Kuhn: The NIST model for role-based access control: towards a unified standard. ACM Workshop on Role-Based Access Control 2000:47-63
• XACML: eXtensible Access Control Modeling Language - OASIS - https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
• Image on slide 6 re-created from http://www.xacml.info
• Images on slides 4 and 15 by J. Hardaway