mit roles db csg, may 2004. previous presentations talk given by jim repa at educause conference...
TRANSCRIPT
MIT ROLES DB
CSG, May 2004
Previous Presentations
• Talk given by Jim Repa at EDUCAUSE Conference (Long Beach, CA, Oct. 29, 1999)– http://web.mit.edu/rolesdb/www/educause/educause.h
tml
• Talk given by Jim Repa to Common Solutions Group (Chicago, Sept. 18, 1998) – http://web.mit.edu/rolesdb/www/csg/csg.html
• Slides from Jim Repa's presentation of October 7, 1997 http://web.mit.edu/is/integration/presentations/roles_10071997/
A new perspective
• The MIT ROLES database is not a Roles Based Access Control (RBAC) system
• It is a meta-authorization management system
• An RBAC system could be built using the MIT ROLES system
Characteristics
• Applications and services do not query or update ROLES in real time.
• Data is extracted from the database and transformed into native, legacy, format for consumption
• We do not define a “role” that is then applied to a number of users
• Roles does provide for inheritance of authorizations
A Reminder
• An Authorization = PERSON + FUNCTION + QUALIFIER
• But the system also provides for starting and ending dates
• In the future, an Authorization = object + FUNCTION +QUALIFIER
The ROLES DB can be used to form
• Tables in other databases
• Access Control Lists
• LDAP groups
• LDAP attributes
• or populating configuration files such as .k5login
• It could even be used to help formulate policies within rule based systems.
Obstacles to usage
• Current access is via SQL*NET and Oracle
• No APIs to ease access from native code
• Benefits accrue to departmental administrators
• Benefits do not accrue to system developers, system integrators, most of central IS&T
Another obstacle
• No support for real-time or programmatic updates of qualifiers
• There are OKI OSIDs to address this issue but they have only been used against a test instance at this time
Systems using ROLES in production
• SAP financials • Data Warehouse • Human Resource systems • NIMBUS budget system • Graduate Admissions • MIT ID database • access to student information in data warehouse• Environmental Health and Safety • miscellaneous administration tasks
Notable systems not using ROLES at this time
• AFS PTS • Moira • web publication • OCW • central Active Directory • Help desk tools including Casetracker, RT, Stock Answers and
OLC • Stellar• any Library systems• COEUS• Student Information Systems• MIT Events Calendar • TechTime (Corporate Time) • access to buildings, parking lots, machine rooms, hazardous labs,
Some Statistics
• The number of authorization functions defined: 185
• The number of individual authorizations currently defined: 63997
• The number of authorizations that have defined boundary dates: 1159, of these 980 created by department of Dean for Student Life
• The number of AFS and NFS groups defined in Moira: 20955
• The number of other ACLs defined in Moira: 43215