BACKGROUND
1. Field of the Invention
The present invention relates to access control in a computer system, and more particularly to role-based access control.
2. Background of the Related Art
Role Based Access Control (RBAC) is an approach to computer system security wherein the permissions or authorizations to perform specific operations are granted to users based on assigned roles. In RBAC, different roles are created, each of which can be associated with a different set of authorizations. Different roles are selectively assigned to users, such that each user obtains authorizations according to one or more roles assigned to that user. RBAC can be applied to an organization, for example, wherein different job functions require access to different system commands or applications. Roles are typically defined according to the scope of managing one or more administrative aspects of the environment. For example, one management role might be to manage the file systems, while another role might be to enable the creation of user accounts.
RBAC offers a number of features not offered in other forms of system administration. One benefit of RBAC is that system administration responsibilities can be shared among users without sharing system access credentials among those users. Security is isolated through granular administration, such that each administrator is conferred only the necessary set of privileges. Granting users and applications a limited set of privileges reduces the likelihood or severity of a system attack. RBAC also allows for implementing and enforcing company-wide security policies consistently in regard to system management and access control. RBAC is flexible, providing a role definition that can be created once, and then selectively assigned or withdrawn from users on an as-needed basis, such as when a user changes job functions.
One embodiment provides a Role Based Access Control (RBAC) system including a privileged command database, a privileged client database, and an access control module in communication with the privileged command database and the privileged client database. The privileged command database associates one or more privileged commands with one or more user-assignable roles, such that each role authorizes access to a different subset of privileged commands. The privileged client database restricts access to specified privileged commands from specified client systems under specified roles. The access control module provides a user access to a selected privileged command from a selected client system if the user has an assigned role authorizing access to the selected privileged command according to the privileged command database and if access to the selected privileged command from the selected client system is authorized under the assigned role according to the privileged client database.
Another embodiment provides a method for controlling access in an RBAC system. A plurality of roles are defined, wherein each role authorizes access to a different subset of privileged, computer-executable commands. The roles are selectively assigned to users. Access to specified privileged commands is selectively restricted on specified client systems according to specified roles. A user is allowed to access a selected privileged command from a selected client system only if the user has an assigned role authorizing access to the selected privileged command and if access to the selected privileged command from the selected client system is authorized under the assigned role.
In a computer-implemented embodiment, the method may be implemented using a computer program product including computer usable program code embodied on a computer usable storage medium.
Embodiments of the present invention include a Role-Based Access Control (RBAC) system and method in which an additional, client-specific layer of access control may be imposed. One embodiment disclosed herein provides an LDAP (Lightweight Directory Access Protocol) subsystem configured with several different client systems (i.e. clients) in a centralized, heterogeneous environment. A centralized database contains privileged applications and commands. The privileged applications and commands are associated with different roles, so that a particular command or application may be accessed by one of the clients only by a user having an associated role authorizing the user to do so. The user may attempt to access a privileged command in the centralized database from any of the clients.
In a conventional RBAC system, a user would get the same privileges to perform system management functions in all LDAP client systems. However, the additional, client-specific layer of access control further limits which privileged applications and commands may be accessed according to both the user and the hostname of the client system. Thus, a given user may be restricted from accessing a privileged command from a specific client system, even if the given user has an assigned role otherwise authorizing the user to access the privileged command. The role-based access control and the additional client-specific limitations on the role-based access control disclosed herein are in addition to any conventional access restrictions that require a user to log in using a username/password combination. However, logging in to a system is one of the mechanisms described below by which the system may determine what role(s) are assigned to the current user. That is, login credentials supplied by a user may be associated with the one or more roles assigned to that user.
The Roles database 50 contains a plurality of roles 14 each identified by a unique role identifier (ID). The Authorization database 34 has a listing of authorizations 16, each of which may also be identified by a unique identifier. The Roles database 50 associates each role 14 with a set of one or more of the authorizations 16. The roles may be mapped to associated authorizations and assigned to users as further discussed in relation to
The new PrivClient database 60 provided in the present embodiment of the invention adds another layer of access control to traditional RBAC functionality. The PrivClient database 60 additionally restricts access on a per-client basis according to defined relationships between users, privileged commands, and client systems (i.e. “clients”). In particular, the PrivClient database 60 is provided to selectively restrict users having certain roles from performing certain commands from certain client systems, even when a role assigned to a user would otherwise permit access to those commands by that user.
The PrivClient database 60 is particularly useful in a centralized environment wherein multiple client systems may access the centralized database 20. The PrivClient database 60 may not have any entries on a local host. Updates to the PrivClient database 60 on a centralized directory server may be made with an application which can be invoked from a client, as controlled and selectively restricted according to inputs relating to users, client information, and a privileged commands listing.
The security repository 20 may reside in the local file system. Alternatively, the security repository 20 may be managed remotely through a suitable application protocol in a centralized location, such as a centralized database or directory server. For example, Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data of directory-based services implemented in Internet Protocol (IP) networks. LDAP can be used to efficiently create, modify, and access such directories and databases. User management is an important part of distributed computing environments. It provides the consistent authentication and authorization services necessary for universal access. For centralized security, the LDAP protocol is widely used for authentication and for retrieving user data from a directory server. Organizations typically store data in multiple, heterogeneous databases. In a heterogeneous environment, different types of LDAP servers can be configured to maintain user data. According to this model, each application on an LDAP client system will go through the LDAP client daemon to retrieve information from the LDAP server.
The mapping provided by the schematic diagram of
In one example, a set of applications or commands may be installed on a system as part of a package bundle. A hypothetical role of “ArchiveManager” is created that includes privileges to access “backup” and “restore” commands included with the package bundle. A PrivClient database may place certain client-specific restrictions on the role “ArchiveManager” that are invoked according to the particular client a user is using when attempting to access the commands. For example, a user having the role ArchiveManager may be restricted from using the restore command on Client1, even though that command is generally authorized under the role of ArchiveManager. This client-specific restriction to role-based privileges is defined herein as client isolation.
In another example, two users may be assigned the same roles that each authorize access to a privileged command ABC, and yet one of those two users may still be prevented from accessing command ABC by virtue of client-specific restrictions. Although each user has the same assigned roles authorizing the same privileged commands, each user is accessing the command from a different client, one of which restricts the use of that command.
The security repository 20, as discussed above, includes the PrivCommand database 30, which defines relationships between one or more roles or authorizations 14 and the different privileged commands 32 authorized in association with each role 14. The PrivClient database defines, for each client, one or more of the roles restricted from accessing certain privileged commands 32 that would otherwise be authorized for access by a user under that role 14.
Client-specific access restrictions may be defined explicitly or implicitly. For example, a user having a particular role may be explicitly prevented from accessing a particular command from a selected client 92S when access to that particular command is otherwise authorized under the particular role. Alternatively, a user having a particular role may be implicitly restricted from accessing a particular application from the selected client 92S unless access to that particular application is specifically authorized. These client-specific restrictions may be defined, for example, according to one of the directory entries 62 of
In this example, the user 12 starts an LDAP session on the selected LDAP client 92S by connecting to the LDAP server 80. The LDAP server 80 includes an access control module 82 that the user 12 may interface with, and which is directly or indirectly in communication with the security repository 20. The user 12 may enter login credentials, wherein the login credentials identify the user 12. The login credentials (e.g. username and password combination) of the user 12 may be associated with the one or more roles assigned to that user 12, such that the roles may be determined after the user 12 successfully logs in. Having logged in, the user 12 may attempt to access a selected privileged command using the selected system 92S. The selected system 92S will contact the security repository to validate whether the user may perform the requested command according to the role(s) of the user and the identity (e.g. host name) of the selected LDAP client system 92S.
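The following Python program is an added example, not code from the patent, showing the two-layer decision described above in executable form: a PrivCommand layer (role to authorized commands), a PrivClient layer that restricts a command on a given client under a given role either explicitly (a deny-list) or implicitly (an allow-list under which anything unlisted is denied), and a login step after which the user's roles are looked up. It uses the ArchiveManager / backup / restore / Client1 illustration from the text; the in-memory dictionaries, the credential table, the user names, the client hostnames and the "client3" allow-list case are constructed assumptions standing in for the patent's directory entries.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

ClientRole = Tuple[str, str]  # (client hostname, role ID)


@dataclass
class SecurityRepository:
    # Constructed credential store: user -> (salt, PBKDF2-SHA256 hash)
    credentials: Dict[str, Tuple[bytes, bytes]]
    # Roles database: user -> roles assigned to that user
    user_roles: Dict[str, FrozenSet[str]]
    # PrivCommand database: role -> privileged commands the role authorizes
    role_commands: Dict[str, FrozenSet[str]]
    # PrivClient database, explicit form: (client, role) -> commands denied there
    explicit_denies: Dict[ClientRole, FrozenSet[str]] = field(default_factory=dict)
    # PrivClient database, implicit form: (client, role) -> the only commands
    # allowed there; any command not listed is denied for that client/role
    implicit_allows: Dict[ClientRole, FrozenSet[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    user: str
    client: str  # hostname of the LDAP client the user logged in from
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    role: Optional[str] = None  # role under which access was granted


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def login(repo: SecurityRepository, user: str, password: str, client: str) -> Optional[Session]:
    """Verify credentials; only after success are the user's roles looked up."""
    entry = repo.credentials.get(user)
    if entry is None:
        return None
    salt, expected = entry
    if not hmac.compare_digest(derive_key(password, salt), expected):
        return None
    return Session(user, client, repo.user_roles.get(user, frozenset()))


def client_permits(repo: SecurityRepository, client: str, role: str, command: str) -> bool:
    """Layer 2 (PrivClient): is `command` authorized from `client` under `role`?"""
    key = (client, role)
    if key in repo.implicit_allows:  # allow-list mode: unlisted commands are denied
        return command in repo.implicit_allows[key]
    return command not in repo.explicit_denies.get(key, frozenset())


def authorize(repo: SecurityRepository, session: Session, command: str) -> Decision:
    """Both layers must pass under the same role; any one assigned role suffices."""
    # Layer 1 (PrivCommand): assigned roles that authorize this command at all
    candidates = [r for r in sorted(session.roles)
                  if command in repo.role_commands.get(r, frozenset())]
    if not candidates:
        return Decision(False, f"no assigned role authorizes {command!r}")
    # Layer 2 (PrivClient): the command may still be restricted on this client
    for role in candidates:
        if client_permits(repo, session.client, role, command):
            return Decision(True, f"{command!r} authorized from {session.client!r}", role)
    return Decision(False, f"{command!r} restricted on {session.client!r} for {candidates}")


def build_sample_repository() -> SecurityRepository:
    """Constructed data following the ArchiveManager / Client1 illustration."""
    salt = b"constructed-static-salt"  # a real store uses a random salt per user
    return SecurityRepository(
        credentials={"alice": (salt, derive_key("alice-pw", salt)),
                     "bob": (salt, derive_key("bob-pw", salt))},
        user_roles={"alice": frozenset({"ArchiveManager"}),
                    "bob": frozenset({"ArchiveManager"})},
        role_commands={"ArchiveManager": frozenset({"backup", "restore"}),
                       "AccountManager": frozenset({"mkuser", "rmuser"})},
        # explicit restriction: ArchiveManager may not run restore from client1
        explicit_denies={("client1", "ArchiveManager"): frozenset({"restore"})},
        # implicit restriction (assumed): on client3 ArchiveManager may run only backup
        implicit_allows={("client3", "ArchiveManager"): frozenset({"backup"})},
    )


def demo() -> Dict[str, bool]:
    """Same role, different clients: bob on client1 is blocked from restore."""
    repo = build_sample_repository()
    alice = login(repo, "alice", "alice-pw", "client2")
    bob = login(repo, "bob", "bob-pw", "client1")
    assert alice is not None and bob is not None
    return {
        "alice restore@client2": authorize(repo, alice, "restore").allowed,
        "bob restore@client1": authorize(repo, bob, "restore").allowed,
        "bob backup@client1": authorize(repo, bob, "backup").allowed,
        "bob mkuser@client1": authorize(repo, bob, "mkuser").allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The decision is evaluated per role: a command is granted only if some single assigned role both authorizes it in the PrivCommand layer and is not restricted for it on that client in the PrivClient layer, which matches the "under the assigned role" wording of the method. When both an allow-list and a deny-list entry exist for the same client and role, the allow-list takes precedence here; a deployment should document which form a given directory entry uses so that the two cannot be combined ambiguously.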
A flowchart is included in
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, components and/or groups, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The terms “preferably,” “preferred,” “prefer,” “optionally,” “may,” and similar terms are used to indicate that an item, condition or step being referred to is an optional (not required) feature of the invention.
The corresponding structures, materials, acts, and equivalents of all means or steps plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but it is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.