Parviz Dousti, IT Consulting Engineer, Computing Service, Carnegie Mellon University

Posted on 22-Feb-2016


DESCRIPTION

S3 Authorization Framework: "Managing Access in Student Information System at Carnegie Mellon University". Parviz Dousti, IT Consulting Engineer, Computing Service, Carnegie Mellon University, Oct. 1st 2012. Background: Student Services Suite (S3), a brownfield development of SIS. (PowerPoint PPT presentation)

TRANSCRIPT

S3 Authorization Framework
"Managing Access in Student Information System at Carnegie Mellon University"

Parviz Dousti
IT Consulting Engineer, Computing Service
Carnegie Mellon University

Oct. 1st 2012

Background

Student Services Suite (S3)
- A brownfield development of SIS
- Completely new authorization

Had a discovery project to answer:
- Have a central authorization system?
- Use an open source solution?
- Buy a product?
- Write our own?

Requirements

- Modularized: complete independence from the application
- Configurable: i.e. not hard-coded
- Flexible and powerful: capable of handling complex user stories in SIS
  - Time-based authorizations, e.g. add/drop period
  - Quantity/amount-based authorization, e.g. refunding
  - Relation-based authorization, e.g. department admins' access to students of a certain program, the advisor/advisee relation, the original creator of a memo

Framework Design Goals

- Powerful (RBAC, ABAC, filtering)
- Encapsulated, isolated
- Reusable
- Simple
- Scalable, fast

High Level Architecture

Authorization Vocabulary

Permission: User/Group can do Action on a Resource [based on Qualifier(s)]

Example: AcademicAdmins can Update /cmu/s3/admin/course_grades [if course belongs to their department]

Entities (Abstract)

[Diagram: Qualifier, User, Resource, Action, Permission, Group]

Entities (Implemented)

[Diagram: Qualifier (33), User, Resource:Action (199), Permission, Group (61), Qualifier Values]

S3 Authz Building Blocks

[Diagram of building blocks split by who owns them. Developer: Resource, Qualifier. Business Owner: Users, Groups, Qualifier Values, Permissions.]

Resources

- Identifier of any "thing" to be protected
- Adheres to a standard form:

  <cmu namespace>:<system>:<resource type>:<resource>=<action>

- For example:

  urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades=view

More on Qualifiers

- Fixed-attribute and custom qualifiers
- May use a user's inherited attributes or affiliations
- May use existing authorization tables in SIS
- Can be combined in a Boolean expression
- Not all are meaningful for a permission

Custom Qualifiers

Implemented as simple Java classes:

    import java.util.Map;

    // Custom qualifier: satisfied when the student named in the context is enrolled.
    // "dao" is the data-access object the application wires in (not shown on the slide).
    public class IsEnrolled implements Qualifier {
        public boolean isSatisfied(String userId, Map<String, Object> ctx) {
            // The context carries the student being acted on under the key "studentId"
            return dao.isEnrolled((String) ctx.get("studentId"));
        }
    }

Fixed-Attribute Qualifiers

    import java.util.Map;

    // Attribute retriever: looks up the student from the context and exposes the
    // student's department as a fixed attribute for qualifier evaluation.
    // "dao" is the data-access object the application wires in (not shown on the slide).
    public class StudentDeptAR implements AttributeRetriever {
        public AttributeSet fetchAttributes(Map<String, Object> ctx) {
            Student student = dao.fetchStudent((String) ctx.get("studentId"));
            AttributeSet as = new AttributeSet();
            as.setAttribute1(student.getDepartment());
            return as;
        }
    }

API

    import java.util.Map;

    // API: a single yes/no decision for a user acting on a resource in a given context
    public interface AuthorizationEngine {
        boolean isAuthorized(String userId, String resource, Map<String, Object> context);
    }

    // Example call: may user "dl2b" view the grades screen for student "northrop"?
    Map<String, Object> context = new HashMap<>();
    context.put("studentId", "northrop");
    authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context);
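To show how the vocabulary above (group + resource=action + qualifiers) turns into a decision, here is a small in-memory engine behind the same API. This is an added example, not S3's code; the Qualifier signature, the Permission record, the SimpleAuthzEngine class and the sample users, students and departments are all assumed.

```java
import java.util.*;

// Interfaces as named in the talk (assumed signatures, with a Map<String, Object> context)
interface Qualifier { boolean isSatisfied(String userId, Map<String, Object> ctx); }
interface AuthorizationEngine {
    boolean isAuthorized(String userId, String resource, Map<String, Object> ctx);
}

// One permission: Group can do resource=action if every qualifier holds (AND)
record Permission(String group, String resource, List<Qualifier> qualifiers) {}

class SimpleAuthzEngine implements AuthorizationEngine {
    private final Map<String, Set<String>> groupsOfUser; // user -> groups
    private final List<Permission> permissions;

    SimpleAuthzEngine(Map<String, Set<String>> groupsOfUser, List<Permission> permissions) {
        this.groupsOfUser = groupsOfUser;
        this.permissions = permissions;
    }

    // Default deny: grant only if a permission matches one of the user's groups and
    // the exact resource=action string, and all of its qualifiers are satisfied.
    public boolean isAuthorized(String userId, String resource, Map<String, Object> ctx) {
        Set<String> groups = groupsOfUser.getOrDefault(userId, Set.of());
        for (Permission p : permissions) {
            if (!groups.contains(p.group()) || !p.resource().equals(resource)) continue;
            if (p.qualifiers().stream().allMatch(q -> q.isSatisfied(userId, ctx))) return true;
        }
        return false;
    }
}

public class AuthzDemo {
    public static void main(String[] args) {
        // Constructed sample data standing in for the SIS tables a DAO would query
        Map<String, String> deptOfStudent = Map.of("northrop", "CS", "smith", "ECE");
        Map<String, String> deptOfUser = Map.of("dl2b", "CS");
        // Relation-based qualifier: the student must be in the admin's own department.
        // Objects.equals makes an unknown user or student evaluate to false, not throw.
        Qualifier sameDept = (userId, ctx) -> Objects.equals(
            deptOfUser.get(userId), deptOfStudent.get((String) ctx.get("studentId")));
        AuthorizationEngine engine = new SimpleAuthzEngine(
            Map.of("dl2b", Set.of("AcademicAdmins")),
            List.of(new Permission("AcademicAdmins", "screen:student:grades=view",
                                   List.of(sameDept))));
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("studentId", "northrop");   // CS student, same department as dl2b
        System.out.println(engine.isAuthorized("dl2b", "screen:student:grades=view", ctx));
        ctx.put("studentId", "smith");      // ECE student, a different department
        System.out.println(engine.isAuthorized("dl2b", "screen:student:grades=view", ctx));
    }
}
```

A production engine would match the full URN form of the resource shown on the Resources slide and resolve groups and qualifier values from the authorization tables rather than from literals.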

Evaluating Design Goals

- Powerful (RBAC, ABAC, filtering): Yes! groups + qualifiers
- Encapsulated, isolated: Yes! authz engine + resource + custom qualifiers
- Reusable: Yes! qualifiers applied to any resource
- Simple: Yes! must only "tag" resources + write qualifiers
- Scalable, fast: Yes! optimizations for caching and aggregating calls

Some UI Screenshots

Authorization Console

Thanks To:

Darleen LaBarbera- VP for Campus Affairs, Carnegie Mellon University

Ben Northrop - Distinguished Technical Consultant, Summa

Questions?
