ManagementLayer RBAC

modified by Heiko Braun in JBoss AS 7 Development

Role based access control to the AS7 management layer.

 

Core Concepts


When defining an RBAC model, the following conventions are useful:

  • Subject = A person or automated agent
  • Role = Job function or title which defines an authority level
  • Permission = An approval of a mode of access to a resource
  • Action = An operation to execute on a resource
  • Constraint = Predicate that makes the permission valid in the context of the system state
  • Session = A mapping involving Subject, Role and/or Permissions

 

[Figure: PermissonModel2 (permission model diagram) - https://community.jboss.org/servlet/JiveServlet/downloadImage/102-47854-28-19855/450-235/PermissonModel2.png]

 

Generic Requirements

  • Provide a usable (in terms of complexity), yet comprehensive base model
  • Provide a set of out-of-the-box roles & permissions that reflect common authorization requirements
  • Enable customization/extension of the default scheme (i.e. custom permissions, permission granularity)
  • Provide management operations to retrieve session information (i.e. roles assigned, permissions granted, etc.)
  • Clearly distinguish security exceptions from other operation errors (i.e. custom response headers)
  • Mappability with existing authorisation schemes (i.e. JON)

 

Specific Requirements

 

  • Support permission enforcement that restricts visibility of model elements:
    Control visibility of resources (i.e. restrict visibility of server groups)
  • Support permission enforcement that restricts execution on model elements:
    Control execution on resources (i.e. lock down certain operations, distinguish read & read/write access)
  • The management layer needs to enforce permissions regardless of the client type and availability:
    I.e. enforcement cannot be delegated to the client only
  • Clients (CLI, Web) should indicate permissions prior to execution of management operations:
    I.e. grey out interface elements to emphasize lack of permissions
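The following is an added illustration (not AS7 code) of the Core Concepts above and of the two enforcement modes listed under Specific Requirements: visibility enforcement filters model elements the subject cannot read, execution enforcement happens in the management layer itself and raises a dedicated security error, and a describe() call lets a client grey out what it may not do. The resource names, the "read"/"write" actions and the rule that write implies read are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model, not from the AS7 code base.
SystemState = dict            # e.g. {"frozen": True}; a Constraint is a predicate over it

class ManagementSecurityError(Exception):
    """Permission failure, kept distinct from other operation errors."""

@dataclass(frozen=True)
class Permission:
    resource: str             # model element, e.g. "server-group=main" (assumed naming)
    action: str               # "read" or "write"; write implies read here (assumption)
    constraint: Callable[[SystemState], bool] = lambda state: True

    def grants(self, resource: str, action: str, state: SystemState) -> bool:
        if resource != self.resource or not self.constraint(state):
            return False
        return self.action == action or (self.action == "write" and action == "read")

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

@dataclass
class Session:
    subject: str
    roles: list

    def permitted(self, resource: str, action: str, state: SystemState) -> bool:
        return any(p.grants(resource, action, state)
                   for role in self.roles for p in role.permissions)

    def describe(self, resource: str, state: SystemState) -> dict:
        """What a client (CLI, Web) can show before invoking an operation."""
        return {a: self.permitted(resource, a, state) for a in ("read", "write")}

def visible(session: Session, resources: list, state: SystemState) -> list:
    """Visibility enforcement: elements the subject cannot read are filtered out."""
    return [r for r in resources if session.permitted(r, "read", state)]

def execute(session: Session, resource: str, action: str,
            state: SystemState, op: Callable[[], object]):
    """Execution enforcement in the management layer, regardless of the client."""
    if not session.permitted(resource, action, state):
        raise ManagementSecurityError(f"{session.subject} lacks {action} on {resource}")
    return op()
```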

Use cases

 

See RBACUsecases

 

Advanced Topics

 

- Context based access control: i.e. taking the connection into consideration

- Support for role hierarchies: i.e. structuring roles to reflect an organization's lines of authority and responsibility

- Role constraints: i.e. mutually exclusive roles

- RBAC to manage RBAC itself

 

