The SHANDS UF PORTAL - PowerPoint PPT Presentation

About This Presentation
Title:

The SHANDS UF PORTAL

Description:

... permissions and/or different rules than doctors at other Shands hospitals. ... This is the meta Directory or the canonical source. ... – PowerPoint PPT presentation

Slides: 78
Provided by: mlu64

Transcript and Presenter's Notes

Title: The SHANDS UF PORTAL


1
The SHANDS UF PORTAL
  • A Practical Approach for Web Portal Security
    Using Roles, Rules, Directories, and all that
    Stuff

2
The Roles Database
  • What is a roles database?

3
The Roles Database
  • What is a roles database?

A roles database is a mechanism used to assign a
user access to data or applications.
4
The Roles Database
  • What is a roles database?

Access control information for an enterprise
should be hosted centrally, and made available to
remote applications as needed. (1)
5
The Roles Database
  • What is a roles database?

The Roles data model must be based on a robust
design to enable extension and customization. (2)
6
The Roles Database
  • What is a roles database?

Roles should be thought of as a core service that
other applications will use, much like LDAP or
DNS. (2)
7
The Roles Database
  • What is a roles database?

(Diagram: the UF data model. Tables: Users, User Group Role, Group, Role, Group Role, Group Role Perm, Permission.)
8
The Roles Database
  • What is a roles database?

A typical implementation assigns a set of
permissions to a group and role and then
associates many users with the group and role...
9
The Roles Database
  • What is a roles database?

...in other words, who can do what to which data.
10
The Roles Database
  • What is a roles database?

Permission group role relationships tend to be
very stable while user group role relationships
change often.
11
The Roles Database
  • What is a roles database?

Permissions, groups and roles should be centrally
administered because they define organizational
security policy.
12
The Roles Database
  • What is a roles database?

Associating users with groups and roles should be
decentralized. Local administrators are familiar
with employees and their functions.
13
The Roles Database
  • What is a role?

(Diagram: Role.)
14
The Roles Database
  • What is a role?

It depends on whom you talk to. Different dialects
express similar concepts.
15
The Roles Database
  • What is a role?

In our model, a role defines a functional entity,
e.g., a sales manager.
16
The Roles Database
  • What is a group?


(Diagram: Group.)
17
The Roles Database
  • What is a group?

A group is a logical way of combining and
managing roles across a distributed enterprise.
18
The Roles Database
  • What is a group?

In our model, a group defines an organizational
entity, e.g., east region.
19
The Roles Database
  • Combining groups and roles

(Diagram: Group + Role = Group Role.)
20
The Roles Database
  • Combining groups and roles

A group and a role are combined to provide very
granular security across a distributed
enterprise. Here are a couple of scenarios.
21
The Roles Database
(Diagram: Group West + Role Manager; Group East + Role Manager.)
A national company might have a regional manager
for each of its two divisions...
22
The Roles Database
(Diagram: Group West + Role Manager; Group East + Role Manager.)
...each associated with a group defined to have
permission to access only its own data...
23
The Roles Database
(Diagram: Group West + Role Manager; Group East + Role Manager.)
...while the national sales manager, being
associated with both groups, has permission to
access both.
24
The Roles Database
The data model supports inheritance ...
(Diagram: Group EastWest + Role Manager, above Group West + Role Manager and Group East + Role Manager.)
25
The Roles Database
  • What are rules?

26
The Roles Database
  • What are rules?

Rules define corporate security policy and should
be stored once and shared with other
applications. Basically, rules modify
permissions.
27
The Roles Database
  • What are rules?

The Group Role Permissions table stores access
control rules.
(Diagram: Group, Role, Group Role, Group Role Perm, Perm.)
28
The Roles Database
  • What are rules?

Storing rules at the group role permission level
means that security can be different across
groups with the same role...
29
The Roles Database
  • What are rules?

...Shands at UF doctors will have different
permissions and/or different rules than doctors
at other Shands hospitals.
30
The Roles Database
  • What are rules?

Storing rules at the group role permission level
also means that security will be consistent
within the group role...
31
The Roles Database
  • What are rules?

...the rules and permissions will be the same for
all Shands at UF doctors.
32
The Roles Database
  • How are rules implemented?

33
The Roles Database
  • How are rules implemented?

Access control rules are stored in XACML format,
an emerging W3C standard.
34
(No Transcript)
35
The Roles Database
  • How are rules implemented?

It takes data and process together to define and
implement a rule, so XACML rules are interpreted by
subroutines (objects).
36
The Roles Database
  • How are rules implemented?

For example, a permission may be associated with
multiple groups and roles...
37
The Roles Database
  • How are rules implemented?

Loop through user/group/role
    Call security object
    If OK say yes
End Loop
38
The Roles Database
  • How are rules implemented?

Rules and User/Group/Role associations never
change; they can only expire. Use an effective
timestamp and an expire timestamp.
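The loop on slide 37 and the effective/expire timestamps on slide 38, worked through as an added example (not the portal's own code). It models the User Group Role and Group Role Perm tables with constructed sample rows for the West/East manager scenario; the rule names, record shape and the "own_group_only" security object are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of the User Group Role / Group Role Perm tables, not the portal's code.
# Associations are never edited: each row carries an effective and an expire timestamp.
@dataclass(frozen=True)
class UserGroupRole:
    user: str
    group: str
    role: str
    effective: datetime
    expire: datetime | None = None  # None = not yet expired

@dataclass(frozen=True)
class GroupRolePerm:
    group: str
    role: str
    perm: str
    rule: str  # name of the security object that interprets the stored rule
    effective: datetime
    expire: datetime | None = None

def in_force(effective, expire, now):
    return effective <= now and (expire is None or now < expire)

# Security objects: a rule is data plus a subroutine. "own_group_only" (hypothetical) lets a
# group see only records tagged with its own group; "always" grants unconditionally.
RULES = {"always": lambda ugr, record: True,
         "own_group_only": lambda ugr, record: record["group"] == ugr.group}

def is_permitted(user, perm, record, ugrs, grps, now):
    """Loop through the user's group/roles, call the security object, say yes on the first OK."""
    for ugr in ugrs:
        if ugr.user != user or not in_force(ugr.effective, ugr.expire, now):
            continue  # skip other users and expired associations
        for grp in grps:
            if (grp.group, grp.role, grp.perm) != (ugr.group, ugr.role, perm):
                continue
            if in_force(grp.effective, grp.expire, now) and RULES[grp.rule](ugr, record):
                return True
    return False  # no active group/role grants the permission: default deny

T0 = datetime(2002, 1, 1)
NOW, EARLY = datetime(2002, 6, 1), datetime(2002, 2, 1)
GRPS = [GroupRolePerm("West", "Manager", "view_sales", "own_group_only", T0),
        GroupRolePerm("East", "Manager", "view_sales", "own_group_only", T0)]
UGRS = [UserGroupRole("alice", "West", "Manager", T0),                            # West regional manager
        UserGroupRole("bob", "East", "Manager", T0, expire=datetime(2002, 3, 1)),  # left East in March
        UserGroupRole("carol", "West", "Manager", T0),                            # national manager:
        UserGroupRole("carol", "East", "Manager", T0)]                            # in both groups
```

Bob's East association is not deleted when he leaves; it simply stops being in force after its expire timestamp, so a check dated before March still succeeds while one dated June is denied.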
39
The Roles Database
  • What is a context?

40
The Roles Database
  • What is a context?

A user is associated with one (or more) User
Group Roles.
(Diagram: Users, User Group Role, Group Role.)
41
The Roles Database
A practicing physician might also be an
administrator...
(Diagram: Users, User Group Role, Group Role.)
42
The Roles Database
...so she is associated with two User Group Roles.
(Diagram: Users, User Group Role, Group Role.)
43
The Roles Database
Her portal functions are driven by her user group
roles.
44
Tabs for each context
45
Menus are driven by Roles
46
The Roles Database
If she leaves her administrative position, her
administrative security would expire.
47
The Roles Database
Her Administrator context would be unavailable to
her; her Care Provider menus, preferences, and
permissions would not be affected.
48
(No Transcript)
49
The Roles Database
  • What about profiles?

50
The Roles Database
  • What about profiles?

Profiles allow a user to customize an application
to suit their own personal preferences.
51
The Roles Database
  • What about profiles?

Profiles are stored at the User Group Role
level...
(Diagram: Users, User Group Role, Group Role.)
52
The Roles Database
  • What about profiles?

...as XML, to be easily shared with other
applications.
53
The Roles Database
  • Where are profiles kept?

54
The Roles Database
  • What about profiles?

Since profiles are kept at the user group role level,
preferences in one role may be different from
preferences in another role.
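Slides 40 through 54 together, as an added example that is not part of the original deck: the physician who holds two User Group Roles, one tab (context) per role that is still in force, and a per-role XML profile in the PROFILE/MEDIC shape shown on slide 63. The CALENDAR element, the group name and the dates are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample, not the portal's data: one physician who holds two User Group Roles.
# The profile (XML) is kept per User Group Role, so each context has its own preferences.
PHYSICIAN_UGRS = [
    {"group": "Shands at UF", "role": "Care Provider",
     "effective": datetime(2001, 1, 1), "expire": None,
     "profile": "<PROFILE><MEDIC><CONTEXT>Care Provider</CONTEXT>"
                "<CALENDAR>clinic</CALENDAR></MEDIC></PROFILE>"},
    {"group": "Shands at UF", "role": "Administrator",
     "effective": datetime(2001, 1, 1), "expire": datetime(2002, 7, 1),  # leaves the admin post
     "profile": "<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT>"
                "<CALENDAR>board</CALENDAR></MEDIC></PROFILE>"},
]

def active_ugrs(ugrs, now):
    """Associations are never deleted; only rows whose timestamps cover 'now' count."""
    return [u for u in ugrs
            if u["effective"] <= now and (u["expire"] is None or now < u["expire"])]

def parse_profile(xml_text):
    """Return the MEDIC preferences as {tag: text}; a malformed profile yields no preferences.
    Profiles are user-edited data, so a parser hardened against entity expansion (e.g. the
    defusedxml package) is the safer choice in production; stdlib is used here to stay offline."""
    try:
        medic = ET.fromstring(xml_text).find("MEDIC")
    except ET.ParseError:
        return {}
    return {} if medic is None else {child.tag: (child.text or "") for child in medic}

def portal_contexts(ugrs, now):
    """One tab per active context (role); its menus and preferences come from that role's profile."""
    return {u["role"]: parse_profile(u["profile"]) for u in active_ugrs(ugrs, now)}

BEFORE, AFTER = datetime(2002, 6, 1), datetime(2002, 8, 1)  # before / after the admin role expires
```

Once the Administrator association passes its expire timestamp, that tab disappears while the Care Provider profile (and its clinic calendar) is untouched, which is the behaviour slides 46 and 47 describe.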
55
The directory
  • The Directory data model.

56
The directory
(Diagram: the Directory data model. Entity (key: uuid) with tables Name, Address, Phone, eMail, Identifier, Relationship, Access, Extension.)
57
The directory
  • The Directory data model

This is the meta Directory or the canonical
source. Ultimately it must be the repository of
all entities and feed other applications and LDAP.
58
The directory
  • The Directory data model

A Directory Entity has two subtypes, person and
organization...
(Diagram: Entity (key: uuid) with subtypes Person and Organization.)
59
The directory
  • The Directory data model

New subtypes can be created as required.
(Diagram: Entity (key: uuid) with additional new subtypes.)
60
The directory
  • The Directory data model

The Relationship table is one of the more
interesting tables. It associates two directory
entities...
(Diagram: Entity (key: uuid) and Relationship.)
61
The directory
  • The Directory data model

...person works-for organization is a simple
example. Policy must dictate valid relationships.
(Diagram: Person works-for Organization.)
62
The directory
  • The Directory data model

The Extension table is a CLOB that holds
additional info in XML or another format...
(Diagram: Extension.)
63
The directory
  • The Directory data model

<PROFILE><MEDIC><CONTEXT>Administrator</CONTEXT></MEDIC></PROFILE>
64
The directory
  • The Directory data model

The Access table tracks computer accounts.
(Diagram: Access.)
65
The directory
  • The Directory data model

The rest are fairly standard: address, name,
email, etc. All have a one-to-many
relationship to Entity and support multiple types.
66
The directory
  • The Directory data model

The directory is populated by batch at this time
and is fed from other sources, but we must turn
that around quickly.
67
A Portal Application
  • A group role application.

68
A Portal Application
  • A group role application.

The calendar is a group role aware portal
application.
69
(No Transcript)
70
A Portal Application
  • A group role application.

Different calendars will show up in different
contexts based upon a user's profile data.
71
A Portal Application
  • A group role application.

There are many more group role aware applications
in our portal including customizable patient
lists for doctors.
72
The Shands UF Portal
  • Review

  • The roles: access control rules
  • The directory: relationships between entities
73
The Roles Database
  • Questions?

74
The Roles Database
  • Thank you!

75
The Roles Database
  • Sources
  • The Roles Database at the Massachusetts
    Institute of Technology, presentation by Jim
    Repa at EDUCAUSE Conference, October 29, 1999
    http://www.educause.edu/ir/library/html/edu9942/edu9942.html
  • Roles, PowerPoint presentation by Ward Wilson,
    University of Florida DBA, 2002.
  • OASIS XML-based Access Control Markup Language
    (XACML) http://www.oasis-open.org/committees/docs

76
The Roles Database
  • Acknowledgments
  • Thanks to Michael Lucas for preparing the first
    draft and providing the design and layout for
    this presentation

77
(No Transcript)