rbacdsl - slides from code generation 2014
DESCRIPTION
My slides from my talk at Code Generation 2014 in Cambridge, UK. rbacDSL is a text-based DSL for writing, verifying and correcting RBAC authorisation policies. It produces standard XACML policies that can be used with any XACML evaluation engine.TRANSCRIPT
![Page 1: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/1.jpg)
rbacDSL: a DSL for Role-Based Access Control
Lionel Montrieux <[email protected]>The Open University, Milton Keynes, UK
![Page 2: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/2.jpg)
Outline
• Background and overview (15 min.)
• Building an authorisation policy - live demo (20 min.)
• Try to think of a good example
• Bonus points for funny ones
• Current research and future directions (10 min.)
![Page 3: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/3.jpg)
Background
![Page 4: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/4.jpg)
Authentication, Authorisation
![Page 5: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/5.jpg)
RBAC [Sandhu00]
![Page 6: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/6.jpg)
XACML architecture
![Page 7: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/7.jpg)
XACML - Policies
• <PolicySet> <PolicyCombinationAlgorithm/> <Policy> <RuleCombinationAlgorithm/> <Rule effect=“Permit|Deny”> <Target/> <Condition/> </Rule> </Policy></PolicySet>
![Page 8: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/8.jpg)
XACML - Requests
• <Request> <Subject/> <Resource/> <Action/> <Environment/></Request>
![Page 9: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/9.jpg)
How it started
• rbacUML and rbacDSML
• OCL constraints
• “model smells”
• fixing incorrect models
• Rational Software Architect 8.0, UML profiles
![Page 10: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/10.jpg)
Scenarios?
• Granted: user should be able to perform a list of actions
• Forbidden: !Granted
• User-Role: role should be assigned to at least one user
• Object-Role: role should allow one to perform a list of actions on objects
• Object: at least one user should be able to perform an action on an object
![Page 12: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/12.jpg)
Current research and future directions
![Page 13: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/13.jpg)
Current (and past) research
• Automated model fixing (the whole model) [Montrieux13]
• Adaptive access control - automated reaction to inside threats [Bailey14]
• Dynamic access control - in progress
![Page 14: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/14.jpg)
Future directions
• Attributes and conditions support
• User-specific scenarios
• XACML PAP connectors, LDAP connectors
• Dynamic access control features
• Bidirectional graph transformations
![Page 15: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/15.jpg)
Any questions? email me: [email protected] the tool: https://github.com/lmcmontrieux/rbacDSL
![Page 16: rbacDSL - slides from Code Generation 2014](https://reader035.vdocuments.mx/reader035/viewer/2022070318/557ad255d8b42add288b4ee8/html5/thumbnails/16.jpg)
References
• All publications I co-authored are available on http://oro.open.ac.uk (search for my name)
• [Sandhu00] Ravi S. Sandhu, David F. Ferraiolo, D. Richard Kuhn: The NIST model for role-based access control: towards a unified standard. ACM Workshop on Role-Based Access Control 2000:47-63
• XACML: eXtensible Access Control Modeling Language - OASIS - https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
• Image on slide 6 re-created from http://www.xacml.info
• Images on slides 4 and 15 by J. Hardaway