david 卧chadwick.pptVIP

7 November 2001 ? 2001 TrueTrust Ltd 7 November 2001 Technology Appraisals ? 2001 TrueTrust Ltd PERMIS PMI David Chadwick X.812|ISO 10181 Access Control Framework ADF API AZN API System Structure PERMIS API System Structure PERMIS PMI Components Privilege Policy Schema/DTD This defines the meta rules that govern the creation of the Privilege Policy (Access Control Policy Rules) Privilege Allocator This tool allows an administrator to create and sign Attribute Certificates, including a Policy AC (this is a signed version of the Privilege Policy), and store them in an LDAP directory The PERMIS PMI Implementation This grants or denies Initiators access to resources, based on the Privilege Policy and the ACs of the Initiator. The ADF is accessed via the PERMIS API Application Specific Components The Access Enforcement Function Its task is to ensure the Initiator is authenticated by the PKI, then to call the ADF, and give access to the target if allowed The PKI Any standard conforming PKI can be used Java PKCS#11 Interface to the PERMIS PMI The Privilege Policy in XML This must be written according to the schema/DTD LDAP Directory To store the Policy and Initiator ACs PERMIS X.509 PMI RBAC Policy Role Based Access Control Policy written in XML Initiators are given Role Assignment ACs A role is loosely defined as any Attribute Type and Attribute Value Role values can form a hierarchy, where superiors inherit the privileges of their subordinates e.g. CTOPMTLTM ACs can be issued by any trusted AA Access is based on the Roles Published by XML.org at An Example Policy - the Header ?xml version=1.0 encoding=UTF-8? !DOCTYPE X.509_PMI_RBAC_Policy SYSTEM file://localhost/C:/research/permis/policy7.dtd X.509_PMI_RBAC_Policy OID=1.2.83448 Role Assignment Policy Components Subject Policy Specifies subject domains based on LDAP subtrees Role Hierarchy Policy Specifies hierarchy of role values SOA Policy Specifies who is trusted to issue ACs Role Assignment Policy Says which roles