OpenDJ membership attribute for organizationalRole? - rbac

I'm planning to use OpenDJ as a backend ldap server to store RBAC. And I'm going to use objectclass=organizationalRole to store Roles (I'm choosing groupOfNames to store Organizational Groups, unnecessarily related with Roles).
As I can see there's an equivalent virtual attribute, isMemberOf, with which I can easily find out which Organizational Group a person belongs to.
I'm wondering if there's a similar membership attribute for organizationalRole so I can quickly find out which Roles a person belongs to?
Or any other better solution to do RBAC and Organizational Groups in OpenDJ?
Thanks

The isMemberOf virtual attribute plugin leverages OpenDJ group manager which currently supports the following static groups: groupOfNames, groupOfUniqueNames and groupOfEntries, and the dynamic groups: groupOfURLs. It does so, regardless of their places in the Directory Information Tree.
If you need to support another type of group (like organizationalRole), some code will be required.
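As an added example (not code from the answer or from OpenDJ): because the group manager does not treat organizationalRole as a group, the reverse lookup that isMemberOf gives you for groups has to be done by the application for roles. The block does it over a constructed LDIF sample using roleOccupant, the standard membership attribute of organizationalRole, and also builds the escaped search filter for the equivalent server-side query; the DNs and entry names are made up.

```python
import re
from collections import defaultdict

# Constructed LDIF (not from the poster's directory): one static group and two
# organizationalRole entries. roleOccupant is the standard membership attribute
# of organizationalRole, which the isMemberOf plugin does not consult.
SAMPLE_LDIF = """\
dn: cn=finance,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=approver,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: uid=alice,ou=people,dc=example,dc=com

dn: cn=auditor,ou=roles,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: uid=bob,ou=people,dc=example,dc=com
"""

# Membership attribute per object class (lower-cased, as parse_ldif stores them).
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniquemember",
               "groupofentries": "member", "organizationalrole": "roleoccupant"}

def parse_ldif(text):
    """Minimal LDIF reader for plain 'attr: value' lines -> [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip().lower()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        entries.append((dn, attrs))
    return entries

def reverse_membership(entries):
    """user DN -> set of group/role DNs that list it (what isMemberOf yields for groups)."""
    result = defaultdict(set)
    for dn, attrs in entries:
        for oc in attrs.get("objectclass", []):
            for user in attrs.get(MEMBER_ATTR.get(oc, ""), []):
                result[user].add(dn)
    return result

def escape_filter_value(value):
    """RFC 4515 escaping so a DN placed in a filter cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def roles_filter(user_dn):
    """Server-side form of the same question: roles whose roleOccupant is user_dn."""
    return f"(&(objectClass=organizationalRole)(roleOccupant={escape_filter_value(user_dn)}))"
```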

Related

Alfresco ECM mandatory access control?

Does Alfresco ECM have a component that allows working not through role-based access control but using mandatory access control (MAC)?
No. Alfresco ECM has no out-of-the-box support for any dynamic authority security concepts like RBAC or MAC which support defining (business) rules on (business) objects. Alfresco calls roles what are really permission bundles (groups of permissions) to be attached to a content node.
To be fair: most general purpose dms systems don't support dynamic, configurable role concepts in the sense of RBAC and MAC but Alfresco has the low level support to implement this:
policies (similar to database triggers)
method level security (java voter methods which can be hooked in)
Take a look into Authorization And Access Control
We implemented this for special use cases (e.g. role based access for special document types or access rights based on associations to implement case mimik) but it may be a bigger job than expected to make this work transparently in Share and scalable over millions of documents.
Alfresco ECM provides role-based access controls.
There are some roles such as:
Contributor
Collaborator
Editor
Consumer
According to these roles you can access contents in Alfresco repository.
You can find more on Alfresco Documentation

ASP.NET Membership on .NET 4.0 Multi-Tenant app. Default or Custom?

This is my first attempt, trying to integrate Membership on an existing shop already in production.
I'm not quite sure, based on my scenario, if I should use the built-in aspnet providers or custom implementations of them in order to integrate membership.
Here's a few details:
I have a multi-tenant, single database, single schema web app based on subdomain.
The app is already in production and I will later want to link newly registered users with existing anonymous orders by email.
The development will continue after the membership integration, new features will be added, meaning new columns and linked tables for the users table.
This answer got me thinking of using the membership default Profile in order to extend the users table created by the aspnet providers, since I don't have users yet. Though it's not clear to me how I would link Users with Orders and other tables/entities that might later be added when the app is going to be extended.
Maybe I could define my entities related to users as user-defined profile properties, but they would not have associations in my database.
Another overhead I'm thinking of is how I would associate the users with the different tenants of the app. I would want users to be able to register in different tenants/subdomains with the same email.
How would you implement membership in this scenario?
This question is an aggregate of a few questions. I will try to answer them to the best of my knowledge.
In case of managing users, I would like to suggest that you consider the following approach:
Pre-define a list of basic user profile metadata that you will need in the application
Create an extensible approach like having custom fields for the user profile so that it can accommodate any data that may be required to capture in future
You should also be planning for a self-registration system in the application that will allow your users to register themselves, like the anonymous ones that use the system with an email
Regarding associating the business entities, you will require to associate the entities with the tenant and not with the user. The level of application will be from the tenant and then it will flow down to the users.
Additionally, you should not have the user accessible business entities, when they are maintained in a form of package or so, it will be very easy to manage and use.
Share your thoughts on these approaches.
- Create a tenant identifier column [property] for each profile that identifies the base tenant to which the user belongs to
- create a table that manages the list of other tenant's that the user may be gaining access to at a later part

How to handle complex authorization in an ASP.NET MVC 4 / EF application?

The ability to add, update, and delete various entities in my application is often determined by the relationships defined between the various users involved. Here is an example:
A basic user or his supervisor can create tasks associated to the user, but only his supervisor can lock down the task so that the basic user will no longer be able to add/update/delete it. Until locked down, both individuals will be able to update the task.
What is the best approach to implement this kind of complex and advanced rules that deal with the relationship of users and the state of the entities (new, existing), as well as other things like maybe a user-defined status associated to the entity?
Thanks
What is the best approach to implement this kind of complex and advanced rules that deal with the relationship of users and the state of the entities (new, existing), as well as other things like maybe a user-defined status associated to the entity?
You want to use an authorization standard, namely XACML, the eXtensible Access Control Markup Language. XACML is:
a standard developed by OASIS, just like SAML is
a standard that focuses on fine-grained access control: access control that takes into account user information, resource information, state, and contextual information
a standard that implements the attribute-based access control (ABAC) model: the user information, resource data, and state can all be seen as attributes
a standard that uses policies and rules to structure the attributes and grant / deny access: XACML is policy-based
a standard that can be applied across multiple layers e.g. across the presentation tier, the data tier, the business tier of an MVC application
a standard that can be applied to multiple technologies and languages e.g. C# (MVC4 and more), Java, Python...
With XACML, you can easily implement relationships e.g.: an employee can approve a transaction if and only if the transaction amount < employee approval limit AND the transaction is not locked.
Where to go from here?
Check out NIST's page on ABAC.
Check out OASIS XACML's page and spec
Check out existing implementations (open-source and vendor such as the one I work for, Axiomatics.)
At a bank I worked for, we had a loan management system that allowed the entire bank hierarchy to see loans in their reporting structure. For instance, a Market exec could see the loan portfolio of all of his/her reports at once. Additionally, s/he had the ability to select from a list of all reports' (direct or indirect) names to view the portfolio of that employee.
It was complex, but we had to maintain an HR database of the reporting structure. Once we had that, we built user functions (could be done as stored procs, too, but user functions worked well in our LINQ to SQL backend) that allowed us to check whether user x supervises user y.
So, in your example, as long as you know who owns the task, and have access to a method that can be used to determine if the task owner reports to the currently-logged-in user, you should be able to easily enable/disable the "lock" button on the page.
The legwork lies in creating that reporting structure DB, and keeping it up to date!

In Symfony2, how to handle dynamic access / rights?

I'm trying to find the best way to handle a "complex" security / privacy system using Symfony2.
I read a lot of documentation about the ROLES and the ACLs but I'm looking for something different.
I need the rights to be calculated based on the properties of the objects.
In my case, I have a User object and multiple other objects (Project, Task, Label, and more...).
I need to check if a User can read or write any kind of object without storing the rights in the database (like the ACL system is doing). The rights should be "calculated" based on the relation between the User and a given object.
For example, the User(1) can write on the Task(2) because he is a member of the Project(3) and the Task(2) is in the Project(3).
The Roles of the security service can't handle that. The ACL could handle it but I don't want to store the rights in my database because I know that they are going to change a lot during the life of the product.
Is there a known good practice for that kind of needs or should I write my own system?
Thanks.
"that they are going to change a lot during the life of the product" -> IMO, storing in database is the best, and ACLs are a good way to do that.
In your example above, ACLs would be great to manage rights between Users and Projects, and rights on Tasks depend on these Project rights.
These rights would be accessible in your controllers and your views with respectively isGranted() and is_granted() if you implement your own aclVoter: http://symfony.com/doc/current/cookbook/security/voters.html

Storing a staff hierarchy in active directory e.g. staff > manager relationships

Is it possible to store (and therefore use in e.g. ASP.NET) a staff hierarchy in Active Directory, e.g. staff > manager relationships?
My active directory install is relatively flexible, so I could add additional information.
It's certainly possible to extend the AD schema to support what you want to do, but I would seriously consider why you want to do it, and how many changes you might make down the road (not to mention how unhappy your system administrator might be after these changes).
The presence of AD is not a prerequisite to using built-in Asp.net authentication methods (although it makes integrated authentication much easier). If this kind of data is application specific, I would recommend looking into maintaining the data in an application-specific database. In doing so, you could pull the current user's FQDN from the HttpContext.Current.User, and key on the Name property of the associated Identity. For example:
HttpContext.Current.User.Identity.Name
From that point, you simply create a UserProfile table with associated organizational structures (i.e. a column for ReportsTo that acts as a reference to another UserProfile).
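The three preceding threads all arrive at the same design: compute rights from relationships held in ordinary data (a ReportsTo chain as in the UserProfile table above, the supervises(x, y) check from the bank example, project membership as in the Symfony Task/Project case) rather than from stored per-object ACLs. The following is an added example in that spirit, not code from any of the posts; the users, projects and the exact rule set are constructed, and the rule that a supervisor keeps update rights after locking is an assumption the posts leave open.

```python
from dataclasses import dataclass

# Constructed sample data (not from any post): who reports to whom, as a
# UserProfile.ReportsTo column would hold it, and project membership.
REPORTS_TO = {"bob": "alice", "carol": "alice", "dave": "bob"}  # user -> manager
PROJECT_MEMBERS = {"p3": {"alice", "bob"}}

@dataclass
class Task:
    id: str
    owner: str
    project: str
    locked: bool = False

def supervises(manager, user, reports_to=REPORTS_TO):
    """True if manager is anywhere above user in the reporting chain.
    Walks ReportsTo links; `seen` stops the walk if HR data contains a cycle."""
    seen = set()
    while user in reports_to and user not in seen:
        seen.add(user)
        user = reports_to[user]
        if user == manager:
            return True
    return False

def can(actor, action, task, members=PROJECT_MEMBERS):
    """Decide actor's right on task from relationships alone; nothing is stored per task.
    Constructed rules: project members, the owner and the owner's supervisor may read;
    until locked, the owner and project members may update/delete; the supervisor may
    update/delete regardless (assumption) and is the only one who may lock/unlock."""
    is_owner = actor == task.owner
    is_boss = supervises(actor, task.owner)
    in_project = actor in members.get(task.project, set())
    if action == "read":
        return in_project or is_owner or is_boss
    if action in ("update", "delete"):
        return is_boss or (not task.locked and (is_owner or in_project))
    if action in ("lock", "unlock"):
        return is_boss
    return False  # deny anything the policy does not name explicitly
```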
