
[Draft] Draft proposal



Hi,

Sorry that neither Bob (Burt) nor I were available for yesterday's call.  I
think you'll find the attached fulfills any homework assignments we might
have to propose types :-)  The attached has draft IDL and some amount of
text explanation.  I've discussed our ideas briefly with Bob Blakley since
the call and he seems to agree that our ideas are complementary, so where
we have divergent concrete proposals on the table, I think 2ab and IBM
agree that they don't represent two views of how to solve the problem... in
fact, although  the work was done in isolation, I think it is much the same
thinking and I'd intend to work to resolve any differences we might discover.

A primary difference is that Bob didn't go beyond the operations needed for
access control.  I did the administrative/management operations as well.
I'm sure this will generate some discussion.  I also tried to take into
account some of the requirements discussion I've overheard in the last few
months and extended the model a little.  See what you think.

Unfortunately, both Bob (Burt) and myself will be on an airplane at the
time slotted for the next conference call.  I do plan to attend the
submitters meeting at the OMG, but I am willing to look for a time that Bob
Blakley is available for the first meeting or merely drop back to a single
meeting and deal with this all via e-mail. 

Happy reading!   Both Bob Burt and myself will be on vacation from August
31 to September 8th.  I will then be at COMDEX Enterprise the rest of that
week, so post all your comments to the list and I'll try and look at them
before the OMG meeting... or we can discuss there.  I'm not ignoring
them... I'm just trying to sneak in a vacation.

Carol 

HRACdraft.PDF

security1.2notes.pdf

//File: DfResourceAccessControl.idl 
// 

#ifndef _DF_RESOURCE_ACCESS_CONTROL_IDL_ 
#define _DF_RESOURCE_ACCESS_CONTROL_IDL_ 

#include <orb.idl>

#include "Security.idl"
#include "SecurityLevel2.idl"
#include "NamingAuthority.idl"

#pragma prefix "omg.org"

// Draft IDL for resource access control.  The module declares four
// interfaces: ResourceAccessPolicy (administration of rights held by a
// privilege attribute), ResourceRepository (resource definitions and the
// rights required per resource), DynamicAttributeEval (evaluation of
// dynamic attributes) and AccessDecision (the access check itself).
//
// NOTE(review): no operation in this module declares a raises clause, so
// the IDL does not say how an unknown resource, an evaluator failure or an
// unauthorized administrative caller is reported -- confirm the intended
// error model before implementing.
module DfResourceAccessControl
{ 

// Forward declaration: DynamicAttrInfo (below) holds a reference to this
// interface before its full definition appears.
interface DynamicAttributeEval;              // forward

//*********************************************************
//         Basic Types
//*********************************************************

// Local aliases for types declared in the Security and SecurityLevel2
// modules, so the rest of the file can use the unqualified names.
typedef SecurityLevel2::CredentialsList CredentialsList;
typedef Security::AttributeList AttributeList;
typedef Security::SecAttribute SecAttribute;
typedef Security::DelegationState DelegationState ;

// Whether rights are expressed as granted or as denied.  Used by
// ResourceDef, Right and ResourceRepository::set_permission_control.
enum PermissionControlModel {GRANTED_RIGHTS, DENIED_RIGHTS};

// Result type of has_attributes and multiple_access_allowed.
// NOTE(review): presumably one element per input element, in input order;
// the IDL does not state this -- confirm, and have callers check the
// returned length before indexing.
typedef sequence<boolean> Booleans;
// Octet-sequence key for a resource; its format is not defined in this file.
typedef sequence<octet> ResourceKey;
// Kind of a resource name component; the constants below are the values
// defined here.
typedef string ResourceType;

// NOTE(review): the constant names are not uniform (BASECLASS versus
// SUBCLASSTYPE / ATOMICTYPE) and only the first carries the
// QualifiedNameStr remark -- confirm whether all three are meant to follow
// NamingAuthority::QualifiedNameStr syntax.
const ResourceType BASECLASS = "BASECLASS";    // NamingAuthority::QualifiedNameStr
const ResourceType SUBCLASSTYPE = "SUBCLASS";  
const ResourceType  ATOMICTYPE = "ATOMIC";    

// One component of a resource name: an identifier plus its kind.
struct ResourceNameComponent {
	string		 id;              
	ResourceType kind;       
};
// A resource name is a sequence of components.  The ordering convention
// (for example parent before child) is not stated in this file.
typedef sequence<ResourceNameComponent> ResourceName;

// Dynamic-attribute configuration of a resource: the evaluator object to
// call, the key identifying the resource, and the dynamic attributes
// concerned.
struct DynamicAttrInfo {
	DynamicAttributeEval	evaluator;
	ResourceKey				key;
	AttributeList			dyn_attrs;
};

// Definition of a resource as passed to ResourceRepository.
struct ResourceDef {
	ResourceNameComponent	local_name;     // Name & Kind
	PermissionControlModel	control_model;  // Denied or Granted rights
	boolean					supports_dynattr;
};
	
// The two typedefs below are disabled; ExtensibleFamily and
// RightsCombinator are declared locally in this module instead.
//typedef Security::ExtensibleFamily ExtensibleFamily;
//typedef Security::RightsCombinator RightsCombinator;

// Identifies a rights family by its definer and a family number.
struct ExtensibleFamily {
	unsigned short	family_definer;
	unsigned short	family;
};

// How a list of rights is combined; the enumerator names suggest "all of
// the rights" versus "any one of them" -- confirm.
enum RightsCombinator {
	SecAllRights,
	SecAnyRight
};

// extension of Security::Right...
//
// A right: rights family and right name, plus a control model.
// NOTE(review): control_model also appears on ResourceDef and can be
// changed through ResourceRepository::set_permission_control.  Which value
// governs when they disagree is not stated here -- confirm, because the
// choice decides whether a right grants or denies access.

struct Right {
	PermissionControlModel control_model;
	ExtensibleFamily	rights_family;
	string		right;
};
typedef sequence<Right> RightsList;

// NOTE(review): this file has no include for the TimeBase module;
// presumably it is brought in by one of the included files -- confirm.
typedef TimeBase::IntervalT IntervalT;
typedef sequence<IntervalT> TimeIntervals;


//***************************************************************
//     interface ResourceAccessPolicy
//***************************************************************

// Administration of the rights associated with a privilege attribute in a
// given delegation state.
// NOTE(review): these operations change who is authorized, yet nothing in
// the IDL says who may invoke them; access to this interface itself has to
// be controlled by the deployment -- confirm how.
interface ResourceAccessPolicy{

	// Add rights for (priv_attr, del_state).
	// NOTE(review): the meaning of deny_times is not defined in this file
	// (presumably intervals during which the rights do not apply), nor is
	// the meaning of an empty sequence -- confirm.
	void add_rights(
		in 	SecAttribute    	  priv_attr,
		in	DelegationState       del_state,
		in	RightsList            rights,
		in	TimeIntervals	      deny_times
	);

	// Remove the listed rights for (priv_attr, del_state).  Unlike
	// add_rights and replace_rights, this takes no deny_times.
	void remove_rights(
		in	SecAttribute          priv_attr,
		in	DelegationState       del_state,
		in	RightsList            rights
	);

	// Replace the rights for (priv_attr, del_state) with the given list
	// and deny_times.
      void replace_rights (
		in	SecAttribute    	  priv_attr,
		in	DelegationState       del_state,
		in	RightsList            rights, 
		in	TimeIntervals	      deny_times
	);

	// Return the rights of (priv_attr, del_state) within one rights
	// family.  deny_times set through add_rights / replace_rights are not
	// part of the result.
	RightsList get_rights (
		in	SecAttribute         priv_attr,
		in	DelegationState      del_state,
		in	ExtensibleFamily     rights_family
      );


};


//******************************************************************
//     interface ResourceRepository
//*****************************************************************

// Management of resource definitions, their subclass relations, their
// dynamic-attribute support and the rights required to access them.
interface ResourceRepository {

	// Create or delete a resource definition.  Both take a full
	// ResourceDef rather than a ResourceName.
	void create_resource_def (
		in 	ResourceDef resource);

	void delete_resource_def (
		in 	ResourceDef resource);

	// Add a child definition under parent.  The child is passed as a
	// ResourceDef here and as a ResourceName in remove_subclass.
	void add_subclass (in ResourceName parent, 
			in ResourceDef child);

	void remove_subclass (in ResourceName parent,
			in ResourceName child);

	// Attach dynamic-attribute support to a resource.
	// NOTE(review): DynamicAttrInfo already has a dyn_attrs member; how it
	// relates to the separate dyn_attrs parameter is not stated -- confirm
	// which one an implementation must use.
	void add_dynattribute_support (
		in 	ResourceName name,
		in 	DynamicAttrInfo dynamic_info,
		in  AttributeList dyn_attrs);

	// Return the dynamic-attribute configuration of a resource.  The
	// result when the resource has none is not specified.
	DynamicAttrInfo get_dynattribute_support(
		in ResourceName		name);

	// Set the control model (granted or denied rights) of a resource.
	void set_permission_control (
		in 	ResourceName name, 
		in 	PermissionControlModel control_model);

	// Set the key of a resource.
	void set_resource_key (
		in 	ResourceName name,
		in 	ResourceKey key);

// The wrapper around RequiredRights functionality

	// Set the rights required for `intent` on a resource, and how they
	// are combined.  The set of valid intent strings is not defined in
	// this file.
	void set_rights(
		in  string				intent,
		in 	ResourceName		resource_name,
		in 	RightsList			rights,
		in 	RightsCombinator	rights_combinator
	);

	// Read back the required rights and combinator through out
	// parameters (ResourceAccessPolicy::get_rights returns its list as the
	// result instead).
	void get_rights(
		in  string				intent,
		in 	ResourceName		resource_name,
		out RightsList			rights,
		out RightsCombinator	rights_combinator
	);
};


//******************************************************************
//     interface DynamicAttributeEval
//*****************************************************************

// Evaluator for dynamic attributes of a resource, referenced from
// DynamicAttrInfo::evaluator.
// NOTE(review): how an evaluator failure maps onto the boolean result is
// not specified; presumably it should count as "attribute not held" so
// that a failing evaluator cannot widen access -- confirm.
interface DynamicAttributeEval {

	// Report whether dynamic_attr applies, given the resource key and the
	// credentials already held.
	boolean has_attribute(
		in	ResourceKey     resource_key,
		in  CredentialsList existing_credentials,
		in 	SecAttribute	dynamic_attr);
	// Batch form of has_attribute for a list of attributes.
	Booleans has_attributes(
		in	ResourceKey     resource_key,
		in  CredentialsList existing_credentials,
		in 	AttributeList	dynamic_attrs);
};

//******************************************************************
//     interface AccessDecision
//*****************************************************************

// The access check: decides whether the given credentials may perform an
// intent on a named resource.
// NOTE(review): with a boolean result and no raises clause, a caller
// cannot tell "denied" from "could not be evaluated"; implementations
// should presumably fail closed (return FALSE) on any error -- confirm.
interface AccessDecision {

	// One requested access: an intent on a named resource.
	struct AccessDef {
		string			intent;
		ResourceName	name;
	};
	typedef sequence<AccessDef> MultipleAccessDef;

	// Decide a single access request.
	boolean access_allowed(
		in  string			intent,
		in	ResourceName    name,
		in  CredentialsList credentials);

	// Decide several access requests for the same credentials.
	// NOTE(review): presumably one boolean per requested_access element,
	// in the same order -- confirm; callers should verify the lengths match
	// before treating any element as a grant.
	Booleans multiple_access_allowed(
		in  MultipleAccessDef	requested_access,
		in  CredentialsList credentials);


};
};
#endif  // DfResourceAccessControl


_________________________________________________________
Carol Burt                                             2AB, Inc.
cburt@2ab.com                                     Integration Architects
205-621-7455                                        www.2ab.com
Member, OMG Architecture Board          OMG Domain Member

   --  integrating yesterday's systems with today's technology --