MIT ROLES DB
CSG, May 2004

Previous Presentations
• Talk given by Jim Repa at EDUCAUSE Conference (Long Beach, CA, Oct. 29, 1999) – http://web.mit.edu/rolesdb/www/educause/educause.html
• Talk given by Jim Repa to Common Solutions Group (Chicago, Sept. 18, 1998) – http://web.mit.edu/rolesdb/www/csg/csg.html
• Slides from Jim Repa's presentation of October 7, 1997 – http://web.mit.edu/is/integration/presentations/roles_10071997/

A new perspective
• The MIT ROLES database is not a Role Based Access Control (RBAC) system
• It is a meta-authorization management system
• An RBAC system could be built using the MIT ROLES system

Characteristics
• Applications and services do not query or update ROLES in real time.
• Data is extracted from the database and transformed into the native (legacy) format of each consuming system
• We do not define a "role" that is then applied to a number of users
• ROLES does provide for inheritance of authorizations

A Reminder
• An Authorization = PERSON + FUNCTION + QUALIFIER
• But the system also provides for starting and ending dates on an authorization
• In the future, an Authorization = OBJECT + FUNCTION + QUALIFIER

The ROLES DB can be used to form
• Tables in other databases
• Access Control Lists
• LDAP groups
• LDAP attributes
• or for populating configuration files such as .k5login
• It could even be used to help formulate policies within rule based systems.
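The extract-and-transform step on these slides, as an added example that is not the MIT ROLES DB's own code: a Python batch feed that takes PERSON + FUNCTION + QUALIFIER authorizations with optional start and end dates, keeps only those effective on the feed date, and renders the holders of a function on a qualifier as a .k5login file and as an LDIF group entry. The slides say ROLES provides inheritance of authorizations but not how; the parent-to-child qualifier tree used here is an assumption, as are the function names, qualifier names, principals, the Kerberos realm EXAMPLE.EDU and the LDAP base DN, all of which are constructed sample data.

```python
"""Added example: turning ROLES-style authorizations into native formats.

Not the MIT ROLES DB's own code. The qualifier tree, function names,
principals, realm and LDAP DNs below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Authorization:
    """One row: PERSON + FUNCTION + QUALIFIER, with optional boundary dates."""
    person: str                 # Kerberos principal name, realm omitted
    function: str               # the function an application later checks
    qualifier: str              # the object the function applies to
    start: Optional[date] = None
    end: Optional[date] = None

    def is_effective(self, as_of: date) -> bool:
        """Both bounds are inclusive; a missing bound means no bound on that side."""
        if self.start is not None and as_of < self.start:
            return False
        if self.end is not None and as_of > self.end:
            return False
        return True


# Assumption: inheritance runs through a qualifier hierarchy, so an
# authorization granted on a parent qualifier covers every descendant.
# Constructed tree, child -> parent.
QUALIFIER_PARENT: Dict[str, str] = {
    "PROJ_1234": "DEPT_CHEM",
    "PROJ_5678": "DEPT_CHEM",
    "DEPT_CHEM": "SCHOOL_SCI",
}

# Constructed sample extract: what a nightly feed would pull from the
# database before converting it for a consuming system.
SAMPLE_AUTHS: List[Authorization] = [
    Authorization("alice", "CAN_SPEND", "DEPT_CHEM"),
    Authorization("bob", "CAN_SPEND", "PROJ_1234", date(2004, 1, 1), date(2004, 6, 30)),
    Authorization("carol", "CAN_SPEND", "PROJ_5678", date(2004, 7, 1), None),
    Authorization("dave", "REPORT_VIEW", "DEPT_CHEM"),
]


def ancestors(qualifier: str, parent: Dict[str, str]) -> List[str]:
    """The qualifier itself followed by each parent up to the root; rejects cycles."""
    chain, seen = [qualifier], {qualifier}
    while chain[-1] in parent:
        nxt = parent[chain[-1]]
        if nxt in seen:
            raise ValueError(f"cycle in qualifier tree at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def holders(auths: Iterable[Authorization], function: str, qualifier: str,
            as_of: date, parent: Dict[str, str] = QUALIFIER_PARENT) -> List[str]:
    """Persons holding FUNCTION on QUALIFIER, directly or inherited, on a date."""
    scope = set(ancestors(qualifier, parent))
    return sorted({a.person for a in auths
                   if a.function == function
                   and a.qualifier in scope
                   and a.is_effective(as_of)})


def holders_on(function: str, qualifier: str, iso_date: str,
               auths: Iterable[Authorization] = SAMPLE_AUTHS) -> List[str]:
    """Convenience wrapper taking the feed date as an ISO string."""
    return holders(auths, function, qualifier, date.fromisoformat(iso_date))


def render_k5login(persons: Iterable[str], realm: str = "EXAMPLE.EDU") -> str:
    """.k5login format: one full principal per line. Realm is a constructed value."""
    return "".join(f"{p}@{realm}\n" for p in persons)


def render_ldif_group(group_dn: str, persons: Iterable[str],
                      people_base: str = "ou=people,dc=example,dc=edu") -> str:
    """A groupOfNames entry listing the authorized persons as members.

    groupOfNames requires at least one member, so an empty membership
    yields no entry; the caller should delete the group instead.
    """
    members = list(persons)
    if not members:
        return ""
    cn = group_dn.split(",")[0].split("=", 1)[1]
    lines = [f"dn: {group_dn}", "objectClass: groupOfNames", f"cn: {cn}"]
    lines += [f"member: uid={p},{people_base}" for p in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    who = holders_on("CAN_SPEND", "PROJ_1234", "2004-05-01")
    print(render_k5login(who), end="")
    print(render_ldif_group("cn=can-spend-proj-1234,ou=groups,dc=example,dc=edu", who))
```

Because the consuming systems never query ROLES directly, the feed date is the only point at which boundary dates take effect: an authorization that expires at midnight stays in the generated .k5login or group until the next extract runs, which is the lag a relying system has to accept with this design.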
Obstacles to usage
• Current access is via SQL*NET and Oracle
• No APIs to ease access from native code
• Benefits accrue to departmental administrators
• Benefits do not accrue to system developers, system integrators, or most of central IS&T

Another obstacle
• No support for real-time or programmatic updates of qualifiers
• There are OKI OSIDs to address this issue, but they have only been used against a test instance at this time

Systems using ROLES in production
• SAP financials
• Data Warehouse
• Human Resource systems
• NIMBUS budget system
• Graduate Admissions
• MIT ID database
• access to student information in the data warehouse
• Environmental Health and Safety
• miscellaneous administration tasks

Notable systems not using ROLES at this time
• AFS PTS
• Moira
• web publication
• OCW
• central Active Directory
• Help desk tools including Casetracker, RT, Stock Answers and OLC
• Stellar
• any Library systems
• COEUS
• Student Information Systems
• MIT Events Calendar
• TechTime (Corporate Time)
• access to buildings, parking lots, machine rooms, hazardous labs,

Some Statistics
• The number of authorization functions defined: 185
• The number of individual authorizations currently defined: 63997
• The number of authorizations that have defined boundary dates: 1159; of these, 980 were created by the Dean for Student Life's office
• The number of AFS and NFS groups defined in Moira: 20955
• The number of other ACLs defined in Moira: 43215