Purdue CS 53600 - Location Awareness Extensions to X-GTRBAC

Location Awareness Extensions to X-GTRBAC
David W. Bettis
CS526, Purdue University
Fall 2005

Summary
- Background: RBAC, GEO-RBAC, X-GTRBAC
- Adapting X-GTRBAC to GEO-RBAC: spatial structure definitions (GML), encoding spatial constraints
- Implementation

Background: RBAC Central
- RBAC (Role Based Access Control) breaks the traditional direct link between users and permissions by inserting an intermediate entity, the role: users are assigned to roles, and permissions are assigned to roles. Standardized by NIST (the NIST RBAC model, later ANSI INCITS 359-2004).
- TRBAC (Temporal RBAC) introduces temporal constraints on role enabling and activation.
- GEO-RBAC (spatially aware RBAC) introduces the user's geographic location as a further constraint on role enabling and activation.

Policy Languages for RBAC*
- X-RBAC: an XML formulation for describing RBAC policies.
- X-GTRBAC: an augmented version of X-RBAC that handles temporal constraints (GTRBAC) and adds a predicate evaluation framework for encoding arbitrary policies.
- Project goal: describe GEO-RBAC policies in the X-GTRBAC framework.

GEO-RBAC Snippets
Spatial information has two representations:
- Absolute representation: how to describe where things are with respect to a reference model. A geometry is such a spatial representation (e.g. the point <45.89, 74.07> on Earth).
- Logical representation: items superimposed on the geometry that carry semantic meaning. A feature type is a kind of logical item (e.g. University); a feature is an instance of a feature type (e.g. Purdue).

Central Ideas of GEO-RBAC
- Spatial role: <role_name, extent>, where role_name has the same meaning as in core RBAC and extent is the set of feature types in which the role can be enabled.
- Role schema: <role_name, extent, loc, mloc>, as above plus loc, the feature type describing where the user may be (the user's logical position), and mloc, which maps absolute positions (geometries) to features of type loc.
- Role instance: <role_name, feature>, where role_name maps the instance to a particular role schema and feature has a feature type compatible with the schema's extent. The instance is enabled for a user if mloc(GPS position) is contained in the instance's extent.

Example
Role schema:
    StudentSchema = <Student, University, Building, GPSBuilding>
Role instances:
    PurdueStudent = StudentSchema(Purdue)
    IuStudent = StudentSchema(IU)
A student's logical position is the Building computed from the GPS fix by GPSBuilding; PurdueStudent is enabled only while that building lies within Purdue.

Credentials in X-GTRBAC
X-GTRBAC has the concept of a credential: a container for a set of entity-defined attributes. A credential type declares the attributes, and a role can then require a credential expression over them. Example:

    <XCredTypeDef>
      <CredentialType cred_type_id="cAge">
        <AttributeList>
          <Attribute name="age" type="integer" />
        </AttributeList>
      </CredentialType>
    </XCredTypeDef>

    <Role name="RealAdult">
      <CredType cred_type_id="cAge">
        <CredExpr>
          <Attribute name="age">21</Attribute>
        </CredExpr>
      </CredType>
    </Role>

Predicates in X-GTRBAC
Credential attributes can be used in predicate functions. Example (a user-role assignment rule for the role Adult, requiring the age attribute to be greater than 18):

    <URA role_name="Adult">
      …
      <Predicate>
        <Operator>gt</Operator>
        <FuncName>Entity.hasCredAttributeValue</FuncName>
        <ParamName order="1">age</ParamName>
        <RetValue>18</RetValue>
      </Predicate>
      …
    </URA>

Spatial Structures
- Need a way to represent features and geometries in XML.
- Use the Geography Markup Language (GML) as attributes in credentials.
- GML has the concepts of features, which have a set of pre-defined attributes (name, description, boundedBy) but are abstract and so depend on an application schema, and geometries (points, polygons, and so on).
- Define an element <Feature>, derived from <gml:_Feature>, which has a single required element: gml:extentOf.

Spatial Structures (example)
    <Feature>
      <!-- optional descriptive metadata -->
      <gml:name>Purdue University-West Lafayette</gml:name>
      <gml:description>A fantastic school.</gml:description>
      <!-- This is the rectangular area defining Purdue. -->
      <gml:extentOf>
        <gml:Envelope>
          <gml:lowerCorner>0 0</gml:lowerCorner>
          <gml:upperCorner>100 100</gml:upperCorner>
        </gml:Envelope>
      </gml:extentOf>
    </Feature>

Spatial Constraints
- Use credentials to specify spatial constraints.
- The function named in <FuncName> fetches the user's absolute position and translates it to a feature (this is the mloc of the role schema). The position must come from a source the policy engine trusts; a location reported by the client itself can be spoofed, and the constraint is only as strong as that source.
- Augment the set of operators with contained_in, which tests for geometric containment.

Spatial Constraints Example
    <Role role_id="rSS" role_name="PurdueStudent">
      <EnabConstraint>
        <EnabCondition>
          <LogicalExpr>
            <Predicate>
              <Operator>contained_in</Operator>
              <FuncName>getCampusSector</FuncName>
              <RetValue><Feature>….</Feature></RetValue>
            </Predicate>
          </LogicalExpr>
        </EnabCondition>
      </EnabConstraint>
    </Role>

Role Schemas
- This approach results in rather lengthy policy descriptions: the full <Feature> is repeated in every role that refers to the same place.
- Would rather have <Feature> not be duplicated.
- So role schemas are implemented as credentials that reference other credentials.

Role Schema Example (I)
The schema role carries the enabling constraint; its RetValue is a reference to an attribute named campus that the concrete role's credential supplies.

    <Role role_id="rSS" role_name="StudentSchemaRole">
      <CredType cred_type_id="cSS" type_name="StudentSchema">
        <EnabConstraint>
          <EnabCondition>
            <LogicalExpr>
              <Predicate>
                <Operator>contained_in</Operator>
                <FuncName>Environment.getCampusSector</FuncName>
                <RetValue type="reference">campus</RetValue>
              </Predicate>
            </LogicalExpr>
          </EnabCondition>
        </EnabConstraint>
      </CredType>
    </Role>

Role Schema Example (II)
The concrete role supplies the campus feature as a credential attribute:

    <Role role_id="rSP" role_name="SPurdue">
      <CredType cred_type_id="cSS" type_name="Student">
        <CredExpr>
          <Attribute name="campus">
            <Feature>… </Feature>
          </Attribute>
        </CredExpr>
      </CredType>
    </Role>

Users sign up for the role "SPurdue". In evaluation, how do we know that SPurdue should look to StudentSchema for the enabling credentials?

Role Schema Example (III)
The credential type definition provides the link: the Student credential type carries ref="StudentSchema", so evaluating a Student credential looks up the StudentSchema credential type for its enabling constraint.

    <XCredTypeDef xctd_id="Campus_XCTD">
      <CredentialType cred_type_id="cS" type_name="Student" ref="StudentSchema">
        <AttributeList>
          <Attribute name="campus" type="Feature" usage="mand" />
        </AttributeList>
      </CredentialType>
      <CredentialType cred_type_id="cSS" type_name="StudentSchema" />
    </XCredTypeDef>

Implementation Issues
- Use of Java reflection to allow user-defined functions. This is integral to the system because the mapping of absolute position to feature is application-dependent. Since the function name comes from the policy document, the classes and methods reachable through reflection should be restricted to a known list rather than resolved from arbitrary names.
- Elementary type checking for attributes defined in a credential (previously limited to basic types such as ints and strings).

Acknowledgements
- Rafae Bhatti, author of X-GTRBAC
- Maria Luisa Damiani, integrating X-GTRBAC and GEO-RBAC

References
GEO-RBAC,
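The role schema and role instance definitions from the Central Ideas and Example slides above, as an added runnable model. This is example code written for this page, not code from the slides or from the GEO-RBAC or X-GTRBAC implementations; the feature names, coordinates and the GPSBuilding mapping are constructed, and geometries are simplified to axis-aligned envelopes (the shape the slides later encode as gml:Envelope). It also shows the case the abstract definition leaves implicit: a position that maps to no feature of type loc, or to a building straddling the campus boundary, enables nothing.

```python
"""GEO-RBAC role schema / role instance enabling check (added example).

Not code from the slides or from GEO-RBAC / X-GTRBAC.  Feature names,
coordinates and the GPSBuilding mapping below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Envelope:
    """Axis-aligned rectangle (minx, miny) .. (maxx, maxy), borders inclusive."""
    minx: float
    miny: float
    maxx: float
    maxy: float

    def contains_point(self, x: float, y: float) -> bool:
        return self.minx <= x <= self.maxx and self.miny <= y <= self.maxy

    def contains(self, other: "Envelope") -> bool:
        """Geometric containment: every point of `other` lies inside self."""
        return (self.minx <= other.minx and other.maxx <= self.maxx
                and self.miny <= other.miny and other.maxy <= self.maxy)


@dataclass(frozen=True)
class Feature:
    """Logical representation: an instance of a feature type with a geometry."""
    name: str
    feature_type: str          # e.g. "University", "Building"
    geometry: Envelope


@dataclass(frozen=True)
class RoleSchema:
    """<role_name, extent, loc, mloc> from GEO-RBAC."""
    role_name: str
    extent: str                # feature type of the role extent (e.g. "University")
    loc: str                   # feature type of the user's logical position
    mloc: Callable[[float, float], Optional[Feature]]  # absolute position -> feature of type loc

    def instantiate(self, feature: Feature) -> "RoleInstance":
        """Role instance <role_name, feature>; the feature must have the extent's type."""
        if feature.feature_type != self.extent:
            raise ValueError(f"{feature.name} is a {feature.feature_type}, not a {self.extent}")
        return RoleInstance(self, feature)


@dataclass(frozen=True)
class RoleInstance:
    schema: RoleSchema
    extent: Feature

    @property
    def name(self) -> str:
        return f"{self.schema.role_name}({self.extent.name})"

    def is_enabled(self, x: float, y: float) -> bool:
        """Enabled iff mloc(position) is a feature of type loc contained in the extent."""
        logical = self.schema.mloc(x, y)
        # Fail closed: a position with no (or a wrongly typed) logical position enables nothing.
        if logical is None or logical.feature_type != self.schema.loc:
            return False
        return self.extent.geometry.contains(logical.geometry)


# Constructed sample data: two universities and three buildings.
PURDUE = Feature("Purdue", "University", Envelope(0, 0, 100, 100))
IU = Feature("IU", "University", Envelope(200, 0, 300, 100))
BUILDINGS = [
    Feature("PU-Lab", "Building", Envelope(10, 10, 30, 30)),
    Feature("IU-Library", "Building", Envelope(240, 40, 260, 60)),
    # Footprint crosses the Purdue boundary: contained in neither university.
    Feature("Edge-Hall", "Building", Envelope(90, 90, 110, 110)),
]


def gps_building(x: float, y: float) -> Optional[Feature]:
    """mloc for the schema (the slides' GPSBuilding): GPS fix -> Building it falls in."""
    for b in BUILDINGS:
        if b.geometry.contains_point(x, y):
            return b
    return None


STUDENT_SCHEMA = RoleSchema("Student", extent="University", loc="Building", mloc=gps_building)
ROLE_INSTANCES = [STUDENT_SCHEMA.instantiate(PURDUE), STUDENT_SCHEMA.instantiate(IU)]


def enabled_roles(x: float, y: float) -> list:
    """Names of the role instances enabled for a user at absolute position (x, y)."""
    return [r.name for r in ROLE_INSTANCES if r.is_enabled(x, y)]


if __name__ == "__main__":
    for pos in [(20, 20), (250, 50), (150, 50), (95, 95)]:
        print(pos, enabled_roles(*pos))
```

The position (95, 95) is physically inside the Purdue envelope, yet Student(Purdue) is not enabled there: GEO-RBAC tests the logical position (the building returned by mloc) against the extent, and Edge-Hall is not contained in Purdue.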
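The Spatial Constraints and Role Schema slides above describe how a contained_in predicate, a reference-typed RetValue and the ref attribute in XCredTypeDef fit together at evaluation time. The following is an added example of such an evaluator; it is not the X-GTRBAC implementation's code. The embedded policy is constructed in the shape of the slides' fragments (with a constructed gml:Envelope where the slides elide the Feature), and the Environment class, its getCampusSector function, the campus-sector coordinates and the ALLOWED_FUNCS list are assumptions made for this example. Function dispatch by name through getattr stands in for the Java reflection the slides use, restricted to an allow-list so a policy cannot name an arbitrary method.

```python
"""Evaluating an X-GTRBAC spatial constraint with role-schema references (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"gml": "http://www.opengis.net/gml"}
Box = tuple  # (minx, miny, maxx, maxy)

# Constructed policy modelled on the slides' fragments; the envelope is made up.
POLICY = """<Policy xmlns:gml="http://www.opengis.net/gml">
  <XCredTypeDef xctd_id="Campus_XCTD">
    <CredentialType cred_type_id="cS" type_name="Student" ref="StudentSchema">
      <AttributeList><Attribute name="campus" type="Feature" usage="mand"/></AttributeList>
    </CredentialType>
    <CredentialType cred_type_id="cSS" type_name="StudentSchema"/>
  </XCredTypeDef>
  <Role role_id="rSS" role_name="StudentSchemaRole">
    <CredType cred_type_id="cSS" type_name="StudentSchema">
      <EnabConstraint><EnabCondition><LogicalExpr><Predicate>
        <Operator>contained_in</Operator>
        <FuncName>Environment.getCampusSector</FuncName>
        <RetValue type="reference">campus</RetValue>
      </Predicate></LogicalExpr></EnabCondition></EnabConstraint>
    </CredType>
  </Role>
  <Role role_id="rSP" role_name="SPurdue">
    <CredType cred_type_id="cS" type_name="Student">
      <CredExpr><Attribute name="campus"><Feature>
        <gml:name>Purdue University-West Lafayette</gml:name>
        <gml:extentOf><gml:Envelope>
          <gml:lowerCorner>0 0</gml:lowerCorner><gml:upperCorner>100 100</gml:upperCorner>
        </gml:Envelope></gml:extentOf>
      </Feature></Attribute></CredExpr>
    </CredType>
  </Role>
</Policy>"""


def envelope_of(feature: ET.Element) -> Box:
    """Read the gml:Envelope under a <Feature> as (minx, miny, maxx, maxy)."""
    env = feature.find("gml:extentOf/gml:Envelope", NS)
    lo = [float(v) for v in env.findtext("gml:lowerCorner", namespaces=NS).split()]
    hi = [float(v) for v in env.findtext("gml:upperCorner", namespaces=NS).split()]
    return (lo[0], lo[1], hi[0], hi[1])


def contained_in(inner: Optional[Box], outer: Box) -> bool:
    """The new operator: geometric containment; an unknown geometry is never contained."""
    if inner is None:
        return False
    return (outer[0] <= inner[0] and inner[2] <= outer[2]
            and outer[1] <= inner[1] and inner[3] <= outer[3])


OPERATORS = {"contained_in": contained_in}
ALLOWED_FUNCS = {"Environment.getCampusSector"}   # the only names a policy may invoke


class Environment:
    """Target of <FuncName>Environment.*</FuncName>; sectors are constructed data."""
    SECTORS = {"PU-North": (0, 50, 100, 100), "PU-South": (0, 0, 100, 50),
               "IU-Main": (200, 0, 300, 100)}

    def __init__(self, position):
        self.position = position   # absolute position, assumed to come from a trusted source

    def getCampusSector(self) -> Optional[Box]:
        """mloc: map the absolute position to the campus sector (feature) it lies in."""
        x, y = self.position
        for box in self.SECTORS.values():
            if box[0] <= x <= box[2] and box[1] <= y <= box[3]:
                return box
        return None


class Policy:
    def __init__(self, xml_text: str):
        self.root = ET.fromstring(xml_text)
        # XCredTypeDef: credential type name -> schema credential type it references
        self.refs = {ct.get("type_name"): ct.get("ref")
                     for ct in self.root.iter("CredentialType") if ct.get("ref")}
        self.roles = {r.get("role_name"): r for r in self.root.iter("Role")}

    def schema_credtype(self, type_name: str) -> Optional[ET.Element]:
        """The <CredType> carrying the enabling constraint for a credential type."""
        schema = self.refs.get(type_name)
        for ct in self.root.iter("CredType"):
            if schema is not None and ct.get("type_name") == schema:
                return ct
        return None

    def is_enabled(self, role_name: str, env: Environment) -> bool:
        role = self.roles[role_name]
        cred = role.find("CredType")
        schema = self.schema_credtype(cred.get("type_name"))
        if schema is None:
            return False                      # no enabling schema: fail closed
        pred = schema.find(".//Predicate")
        op = OPERATORS[pred.findtext("Operator").strip()]
        ret = pred.find("RetValue")
        if ret.get("type") == "reference":    # resolve against the concrete role's CredExpr
            attr = cred.find(f"CredExpr/Attribute[@name='{ret.text.strip()}']")
            outer = envelope_of(attr.find("Feature"))
        else:
            outer = envelope_of(ret.find("Feature"))
        func = pred.findtext("FuncName").strip()
        if func not in ALLOWED_FUNCS:         # never reflect on an arbitrary policy-supplied name
            raise PermissionError(f"function {func!r} not permitted")
        cls, method = func.split(".", 1)
        if cls != type(env).__name__:
            raise PermissionError(f"class {cls!r} not permitted")
        return op(getattr(env, method)(), outer)


def student_role_enabled(position) -> bool:
    """Is SPurdue enabled for a subject whose trusted position is `position`?"""
    return Policy(POLICY).is_enabled("SPurdue", Environment(position))
```

A subject in the PU-North sector enables SPurdue; one in IU-Main, or outside every sector, does not. Changing the FuncName in the policy to anything outside ALLOWED_FUNCS is rejected before any reflection happens.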