Heiko Braun [https://community.jboss.org/people/heiko.braun] modified the document: "ManagementLayer RBAC"
To view the document, visit:
https://community.jboss.org/docs/DOC-47854
--------------------------------------------------------------
Role-based access control for the AS7 management layer.
*Core Concepts*
When defining an RBAC model, the following conventions are useful:
* Subject = A person or automated agent
* Role = Job function or title which defines an authority level
* Permission = An approval of a mode of access to a resource
* Action = An operation to execute on a resource
* Constraint = A predicate over the system state that makes a permission valid
* Session = A mapping involving Subject, Role and/or Permissions
*Generic Requirements*
* Provide a usable (in terms of complexity), yet comprehensive base model
* Provide a set of out-of-the-box roles & permissions that reflect common authorization requirements
* Enable customization/extension of the default scheme (e.g. custom permissions, permission granularity)
* Provide management operations to retrieve session information (e.g. roles assigned, permissions granted, etc.)
* Clearly distinguish security exceptions from other operation errors (e.g. via custom response headers)
* Mappability to existing authorization schemes (e.g. JON)
*Specific Requirements*
* +Support permission enforcement that restricts visibility of model elements+:
Control visibility of resources (e.g. restrict which server groups a subject can see)
* +Support permission enforcement that restricts execution on model elements+:
Control execution on resources (e.g. lock down certain operations, distinguish read-only from read/write access)
* +The management layer needs to enforce permissions regardless of the client type and availability+:
I.e. enforcement cannot be delegated to the client only
* +Clients (CLI, Web) should indicate permissions prior to execution of management operations+:
I.e. grey out interface elements to emphasize the lack of permissions
*Use cases*
See RBAC Usecases: https://community.jboss.org/docs/DOC-47856
*Advanced Topics*
- Context-based access control: e.g. taking the connection into consideration
- Support for role hierarchies: i.e. structuring roles to reflect an organization's lines of authority and responsibility
- Role constraints: e.g. mutually exclusive roles
- RBAC to manage RBAC itself
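The core concepts, the visibility/execution requirements and the role-hierarchy and mutual-exclusion topics above, worked through as one added example. This is illustrative Python written for this page, not code from AS7's management layer or any JBoss API: the resource addresses, the "Monitor"/"Operator"/"Auditor" roles, the read/write action split and the `not_locked` constraint are all constructed assumptions. It shows the points the requirements insist on: enforcement happens in `Session.execute` on the server side, visibility is a filter over resources the subject may read, `allowed_actions` is what a client would query before greying out controls, and a security failure is a distinct exception type.

```python
# Toy RBAC model of the concepts above; constructed addresses and roles, not AS7's real model.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Set

# Constraint = predicate over (resource, system state) that makes a permission valid.
Constraint = Callable[[str, dict], bool]

@dataclass(frozen=True)
class Permission:
    """Approval of one mode of access (action) to resources matching a pattern."""
    resource: str                        # address pattern, e.g. "/server-group=main-*" (assumed syntax)
    action: str                          # "read" or "write"
    constraint: Optional[Constraint] = None

    def grants(self, resource: str, action: str, state: dict) -> bool:
        if action != self.action or not fnmatchcase(resource, self.resource):
            return False
        return self.constraint is None or self.constraint(resource, state)

@dataclass
class Role:
    """Job function; parents form a role hierarchy whose permissions are inherited."""
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    parents: List["Role"] = field(default_factory=list)

    def effective_permissions(self) -> Set[Permission]:
        perms = set(self.permissions)
        for parent in self.parents:
            perms |= parent.effective_permissions()
        return perms

class AccessDenied(Exception):
    """Security failure, kept distinct from ordinary operation errors."""

class Session:
    """Subject plus activated roles; effective permissions are resolved once at login."""
    def __init__(self, subject: str, roles: List[Role], exclusive=()):
        names = {r.name for r in roles}
        for a, b in exclusive:              # role constraint: mutually exclusive roles
            if a in names and b in names:
                raise ValueError(f"roles {a} and {b} are mutually exclusive")
        self.subject, self.roles = subject, list(roles)
        self.permissions = set().union(*(r.effective_permissions() for r in roles))

    def permitted(self, resource: str, action: str, state: Optional[dict] = None) -> bool:
        return any(p.grants(resource, action, state or {}) for p in self.permissions)

    def execute(self, resource: str, action: str, state: Optional[dict] = None) -> str:
        # Enforcement lives here, server side, whatever the client did or did not check.
        if not self.permitted(resource, action, state):
            raise AccessDenied(f"{self.subject} may not {action} {resource}")
        return f"{action} {resource} as {self.subject}"

    def visible(self, resources, state: Optional[dict] = None) -> List[str]:
        # Visibility enforcement: resources the subject cannot read are filtered out.
        return [r for r in resources if self.permitted(r, "read", state)]

    def allowed_actions(self, resource: str, state: Optional[dict] = None) -> Set[str]:
        # What a CLI/Web client queries up front in order to grey out controls.
        return {a for a in ("read", "write") if self.permitted(resource, a, state)}

    def info(self) -> Dict[str, object]:
        # The "retrieve session information" management operation.
        return {"subject": self.subject, "roles": [r.name for r in self.roles]}

def demo() -> Dict[str, object]:
    """Constructed scenario: hierarchy, constraint, visibility, denial, exclusion."""
    def not_locked(resource: str, state: dict) -> bool:
        return resource not in state.get("locked", set())

    monitor = Role("Monitor", {Permission("/server-group=*", "read")})
    operator = Role("Operator", {Permission("/server-group=main-*", "write", not_locked)},
                    parents=[monitor])                       # Operator inherits Monitor
    auditor = Role("Auditor", {Permission("/core-service=audit", "read")})
    exclusive = [("Operator", "Auditor")]                    # separation of duties
    groups = ["/server-group=main-a", "/server-group=main-b", "/server-group=other"]
    state = {"locked": {"/server-group=main-b"}}             # constructed system state

    alice = Session("alice", [operator], exclusive)
    out: Dict[str, object] = {
        "roles": alice.info()["roles"],
        "visible": alice.visible(groups),
        "main_a": alice.allowed_actions("/server-group=main-a", state),
        "main_b": alice.allowed_actions("/server-group=main-b", state),  # locked: read only
        "other": alice.allowed_actions("/server-group=other", state),
        "write_main_a": alice.execute("/server-group=main-a", "write", state),
    }
    try:
        alice.execute("/server-group=other", "write", state)
        out["denied"] = False
    except AccessDenied:
        out["denied"] = True
    try:
        Session("bob", [operator, auditor], exclusive)
        out["exclusive_rejected"] = False
    except ValueError:
        out["exclusive_rejected"] = True
    return out
```

Calling `demo()` returns the scenario's results as a dictionary. Note that `allowed_actions` and `execute` evaluate the same `permitted` predicate against the same state, so a client that greys out a control is only echoing a decision the server will make again; a client that skips the query still gets `AccessDenied`, which is what "enforcement cannot be delegated to the client" means in practice.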
--------------------------------------------------------------