Comment: Add first-draft explanation of how role-based access control works

...

Role-based access control is a common pattern in security, providing extensible role-specific behavior while retaining straightforward management. This module creates a standard API to assign and query roles on Fedora objects.

Objects do not have permissions specified in their properties; rather, objects have roles assigned, and then permissions are mapped onto roles elsewhere. This makes it much easier to manage permissions globally: rarely will masses of objects need to be updated if their permissions change. Only the role-to-permission mapping will be updated.

The module does not define the set of roles that may be assigned. If you choose to configure a set of supported roles, then the roles assigned via this API will be validated.

Order of operation:

  • A user comes into the system. They are assigned a principal:
    • If they authenticate through some authentication gateway, then their principal may be generated from some of the person's attributes;
    • If they don't authenticate, then they may be assigned a default principal (such as "guest").
      • Question: do we have default principals? Or only a default role, which is assigned if no principal is available?
  • The principal is then mapped onto one or more roles. Roles are basically bundles of permissions.
  • The user then makes a request for a given object. The Fedora PDP will then query the object for the roles it has assigned, compare that to the roles the user has attached to their principal, determine the permissions the user has on the given object, and approve or deny the specific request.
  • Based on the decision returned from the PDP, the Fedora PEP will approve or deny the request.

This module assigns roles to generic security principals, i.e. any class that implements java.security.Principal. Roles are serialized and matched against the principal name, a string property of the principal. All the principals used in your repository environment must have unique names. Other than that, you may use whatever principals you wish. This module does not validate principal names.
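The order of operation above and the principal-name matching described here, as an added sketch that is not the Fedora module's own code. It assumes that the PDP's comparison means "roles both assigned on the object and held by the principal", and the class name, role names, object ids and principals are constructed for the example.

```java
import java.security.Principal;
import java.util.*;
// Hypothetical PDP sketch (not the Fedora module's code). Objects carry roles, principals
// map to roles, and permissions live only in the role-to-permission mapping, so changing
// what a role may do never touches the objects themselves.
public class RolePdp {
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();
    private final Map<String, Set<String>> principalRoles = new HashMap<>();
    private final Map<String, Set<String>> objectRoles = new HashMap<>();
    private final Set<String> supportedRoles; // null: no role validation configured
    public RolePdp(Set<String> supportedRoles) { this.supportedRoles = supportedRoles; }
    public void mapRole(String role, String... perms) {
        rolePermissions.put(role, new HashSet<>(Arrays.asList(perms)));
    }
    // Keyed on Principal.getName(), which is why principal names must be unique.
    public void assignPrincipal(String principalName, String... roles) {
        principalRoles.put(principalName, new HashSet<>(Arrays.asList(roles)));
    }
    // Roles assigned to an object are validated only when a supported set is configured.
    public void assignObject(String objectId, String... roles) {
        for (String r : roles) {
            if (supportedRoles != null && !supportedRoles.contains(r)) {
                throw new IllegalArgumentException("unsupported role: " + r);
            }
        }
        objectRoles.put(objectId, new HashSet<>(Arrays.asList(roles)));
    }
    // Decision: effective roles are those both assigned on the object and held by the
    // principal (assumed reading of "compare"); anything not explicitly permitted is denied.
    public boolean permits(Principal p, String objectId, String action) {
        Set<String> effective = new HashSet<>(objectRoles.getOrDefault(objectId, Collections.<String>emptySet()));
        effective.retainAll(principalRoles.getOrDefault(p.getName(), Collections.<String>emptySet()));
        for (String role : effective) {
            if (rolePermissions.getOrDefault(role, Collections.<String>emptySet()).contains(action)) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        RolePdp pdp = new RolePdp(new HashSet<>(Arrays.asList("reader", "editor"))); // constructed sample
        pdp.mapRole("reader", "read");
        pdp.mapRole("editor", "read", "write");
        pdp.assignPrincipal("alice", "editor");
        pdp.assignPrincipal("guest", "reader"); // default principal with a read-only role
        pdp.assignObject("obj:1", "reader", "editor");
        pdp.assignObject("obj:2", "editor"); // guest holds no role on this object, so its read is denied
        Principal alice = () -> "alice", guest = () -> "guest"; // any Principal works; only getName() matters
        System.out.println(pdp.permits(alice, "obj:1", "write") + " " + pdp.permits(guest, "obj:1", "read")
                + " " + pdp.permits(guest, "obj:2", "read"));
    }
}
```

Granting `guest` write access everywhere would then be a one-line change to the `reader` mapping rather than an update to every object, which is the management benefit the text describes.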