Permis De Construire
   HOME

TheInfoList



OR:

PERMIS (PrivilEge and Role Management Infrastructure Standards) is a sophisticated policy-based authorization system that implements an enhanced version of the U.S. National Institute of Standards and Technology (
NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
) standard Role-Based Access Control (
RBAC In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ( ...
) model. PERMIS supports the distributed assignment of both roles and attributes to users by multiple distributed attribute authorities, unlike the NIST model which assumes the centralised assignment of roles to users. PERMIS provides a cryptographically secure privilege management infrastructure ( PMI) using
public key encryption Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
technologies and
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure ...
Attribute certificate In computer security, an attribute certificate, or authorization certificate (AC) is a digital document containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, A ...
s to maintain users' attributes. PERMIS does not provide any authentication mechanism, but leaves it up to the application to determine what to use. PERMIS's strength comes from its ability to be integrated into virtually any application and any authentication scheme like
Shibboleth (Internet2) Shibboleth is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often un ...
, Kerberos, username/passwords, Grid proxy certificates and Public Key Infrastructure (
PKI PKI may refer to: * Partai Komunis Indonesia, the Communist Party of Indonesia * Peter Kiewit Institute The Peter Kiewit Institute is a facility in Omaha, Nebraska, United States which houses academic programs from the University of Nebraska†...
). As a standard RBAC system, PERMIS's main entities are * an authorisation policy, * a set of users, * a set of administrators (attribute authorities) who assign roles/attributes to users, * a set of resources that are to be protected, * a set of actions on resources, * a set of access control rules, * and optional obligations and constraints. The PERMIS policy is eXtensible Markup Language (
XML Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. T ...
)-based and has rules for user-role assignments and role-privilege assignments, the latter containing optional obligations that are returned to the application when a user is granted access to a resource. A PERMIS policy can be stored as either a simple text XML file, or as an attribute within a signed X.509 attribute certificate to provide integrity protection and tampering detection. User roles and attributes may be held in secure signed X.509 attributes certificates, and stored in Lightweight Directory Access Protocol ( LDAP) directories or Web-based Distributed Authoring and Versioning (
WebDAV WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the Hypertext Transfer Protocol (HTTP), which allows user agents to collaboratively author contents ''directly'' in an HTTP web server by providing facilities for concu ...
) repositories, or they may be created on demand as Security Assertion Markup Language (
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
) attribute assertions. The PERMIS authorisation engine comprises two components: a Credential Validation Service that validates users' roles according to the user-role assignment rules, and the Policy Decision Point (PDP) that evaluates users' access requests according to the role-permission assignment rules (or access control rules). Access to a resource depends upon the roles/attributes assigned to the user, and the role-permission assignments, which can contain constraints based on the user's access request (e.g. "print less than 10 pages") and the environment (e.g. time of day). PERMIS can work in either push mode (the user attribute assignments are sent to PERMIS by the application) or in pull mode (PERMIS fetches the attribute assignments itself from LDAP/WebDAV repositories or SAML attribute authorities). PERMIS is unique with its support for cryptographically protecting the user attributes/roles and the policy, which guarantees their integrity and protects them from being tampered with. New features are continually being added to it, like a standard eXtensible Access Control Markup Language (
XACML XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests a ...
) interface which allows PERMIS and XACML PDPs to be seamlessly interchanged, the ability to accept
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
attribute assertions, support for dynamic delegation of authority and separation of duty policies, and the recent addition of a controlled natural language interface (in English) for writing simple PERMIS policies.


See also

*
Authorisation Authorization or authorisation (see American and British English spelling differences#-ise, -ize (-isation, -ization), spelling differences) is the function of specifying access rights/privileges to resources, which is related to general inform ...
* Identity management * Java Authentication and Authorization Service (JAAS) *
Lightweight Directory Access Protocol The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory servi ...
(LDAP) *
RBAC In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ( ...
(Role-Based Access Control) *
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure ...
*
Shibboleth A shibboleth (; hbo, , Å¡Ä«bbÅleṯ) is any custom or tradition, usually a choice of phrasing or even a single word, that distinguishes one group of people from another. Shibboleths have been used throughout history in many societies as passwor ...
*
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
(Security Assertion Markup Language) * Kerberos *
XACML XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests a ...
(eXtensible Access Control Markup Language) *
PKI PKI may refer to: * Partai Komunis Indonesia, the Communist Party of Indonesia * Peter Kiewit Institute The Peter Kiewit Institute is a facility in Omaha, Nebraska, United States which houses academic programs from the University of Nebraska†...
(Public Key Infrastructure)


References

{{reflist


External links


PERMIS Home PageShibboleth ProjectModular PERMIS projectNIST RBACPERMIS future development plansHardened PERMIS
Computer security software