Slide 1 (6/3/2015): META ACCESS MANAGEMENT SYSTEM
Implementing Authorised Access
Dr. Erik Vullings, MAMS Programme Manager
Slide 2: Backing Australia's Ability
DEST founded ARIIC to guide:
- Australian Digital Thesis (ADT)
- Australian Partnership for Sustainable Repositories (APSR)
- Australian Research Repositories Online to the World (ARROW)
- Meta Access Management System (MAMS)
Financed by DEST till the end of 2006 ($4.2 million)
FRODO (Federated Repositories of Digital Objects)
Slide 3: MAMS topics
- Single Sign-On
- Digital Identity Mgmt
- Federated Identity Mgmt
- Access Control
- Provisioning
- Federated search
- Legacy plug-ins
Slide 4: How open is your IR really?
My institutional repository is open:
- Submissions use a separate client
- For internal members, but external people have to wait some time
- And staff can self submit
- But only peers can rank & annotate
- Except for some special content (e.g. data/source files): my faculty only
- Except for reviewing prepublications, which are only for some colleagues
Slide 5: What Access Control do you need?
- None
- IP-based is sufficient
- With Authentication
- Access Control Lists: if you are on the list, you are in
- Role-Based Access Control: your role gives you certain rights
- Attribute Based Access Control: your attributes give you certain rights
Slide 6: Which attributes does the IR need?
When I visit an IR, how do I present myself? Three ID cards, each revealing more:
- Card 1: Reference #, Staff at Macquarie Uni
- Card 2: Erik Vullings, ICT Staff at Macquarie
- Card 3 (MQ): Erik Vullings, ICT Staff at Macquarie, +61-(0)
Slide 7: Different cards open different doors (Services & Service Level)
- Card 1 (Reference #, Staff at Macquarie Uni): enables access to some of the IR
- Card 2 (MQ: Erik Vullings, ICT Staff at Macquarie): enables access to all of the IR
- Card 3 (MQ: Erik Vullings, ICT Staff at Macquarie, +61-(0)): allows me to submit content
Slide 8: How do I get your attributes?
- Solution: Use local LDAP
- Problem: What about external users?
- Solution: Create guest account
- Problem: Users have too many passwords
- Solution: Use MAMS Testbed Federation based on Shibboleth
- Problem: Huh???
Slide 9: Federation Components
- Federation: manages trust between parties. Auditing?
- Service Provider: provides services to internal and external users via the web. Wants to focus on core business & avoid the risks of managing users' confidential info.
- Identity Provider: its Attribute Authority manages and asserts (to trusted SPs) the user's attributes securely. Users have privacy concerns and want transparent but secure SSO.
Slides 10-17: Typical SAML Access Scenario (parties: Identity Provider, Institutional Repository)
1. User wants to access the IR.
2. The Shibboleth Apache filter intercepts the request.
3. User is redirected and selects an IdP: Where Are You From (WAYF).
4. User is redirected to the IdP and logs in.
5. The IdP uses its Attribute Release Policy to build the SAML assertion.
6. User is redirected to the IR with a SAML handle.
7. The IR uses the SAML handle to retrieve the user's attributes ("My ID Card").
8. Shibboleth validates the assertion and maps the user to an IR role.
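The following is an added example, not code from the MAMS slides or from Shibboleth: a small Python model of steps 5 to 8, showing why the SP only ever sees an opaque handle, how the Attribute Release Policy limits what the Attribute Authority returns per SP, and how the released eduPersonScopedAffiliation is mapped to an IR role. The entity IDs, directory record, signing key (an HMAC stand-in for the real XML signature) and role map are all constructed.

```python
import hashlib
import hmac
import secrets
import time

IDP_KEY = b"constructed-idp-signing-key"   # stand-in for the IdP's real signing key

# Attribute Release Policy: which attributes the IdP's Attribute Authority may
# release to which Service Provider (entity IDs are constructed).
ARP = {"https://ir.example.edu/shibboleth": {"eduPersonScopedAffiliation",
                                             "eduPersonPrincipalName"}}

# Constructed directory record, as the local LDAP would hold it.
DIRECTORY = {"erik": {"eduPersonScopedAffiliation": "staff@mq.edu.au",
                      "eduPersonPrincipalName": "erik@mq.edu.au",
                      "mail": "erik@mq.edu.au",
                      "telephoneNumber": "+61-(0)0000-0000"}}

HANDLES = {}   # IdP-side table: opaque handle -> (user, audience SP, expiry)

def sign(handle, sp):
    """Stand-in for the signature on the SAML assertion that carries the handle."""
    return hmac.new(IDP_KEY, f"{handle}|{sp}".encode(), hashlib.sha256).hexdigest()

def idp_login(user, sp, ttl=300):
    """After the user logs in at the IdP, issue an opaque handle bound to one SP."""
    handle = secrets.token_hex(16)
    HANDLES[handle] = (user, sp, time.time() + ttl)
    return handle, sign(handle, sp)

def idp_attribute_query(handle, sp):
    """Attribute Authority: resolve the handle and release only what the ARP allows."""
    user, audience, expiry = HANDLES.get(handle, (None, None, 0))
    if audience != sp or time.time() > expiry:
        raise PermissionError("handle unknown, expired, or issued for another SP")
    return {k: v for k, v in DIRECTORY[user].items() if k in ARP.get(sp, set())}

ROLE_MAP = {"staff": "submitter", "member": "reader"}   # constructed IR role mapping

def sp_resolve_role(handle, signature, sp):
    """Service Provider: validate the assertion, fetch attributes, map them to an IR role."""
    if not hmac.compare_digest(signature, sign(handle, sp)):
        raise PermissionError("assertion signature invalid")
    attrs = idp_attribute_query(handle, sp)
    affiliation, _, scope = attrs.get("eduPersonScopedAffiliation", "@").partition("@")
    return ROLE_MAP.get(affiliation, "guest"), scope, attrs
```

Note that mail and telephoneNumber never reach the SP because the ARP does not list them, and a handle replayed to a different SP fails both the signature check and the audience check.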
Slide 18: Shibboleth and SSO
- The previous example illustrates INTER-institutional SSO
- However, it can also be used for INTRA-institutional SSO
- Not only for IR, but potentially any application (like E-Learning systems or dataset repositories)
Slide 19: What about Access Control? One Language to Rule Them All
- eXtensible Access Control Markup Language (XACML)
- Diagram: IR 1 (Fedora) and IR 2 (DSpace), each with Shibboleth access enabled, draw policies from an Institutional XACML Policy Store and a Federation XACML Policy Store
Slide 20: XACML in Action
Components: Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Access Point (PAP), Policy Information Point (PIP)
Flow for the request "JOE wants to EDIT his PREPRINT":
1. The PEP creates an XACML request and sends it to the PDP.
2. The PDP retrieves policies from the PAP.
3. The PDP retrieves information (attributes) from the PIP.
4. The PDP responds with Permit/Deny/Obligation.
Slide 21: XACML and Rights Expression
- XACML for fine-grained access control
- Digital Rights Expression Languages (DRELs) manage a wide range of digital rights
- MAMS view: leave the legal bit to the lawyers; just focus on access control
Slide 22: Testing XACML with Fedora
Slide 23: MAMS activities in Authorization
Existing work to date:
- Web-based XACML demo
- Authenticated Federated Search (XACML)
- Testing XACML with Fedora
New work for 2006:
- Defining key XACML policies for IR
- Further develop MAMS Fedora+XACML IR
- Visual XACML editor (XML-free)
Slide 24: What about my Privacy?
Slide 25: Access Control with XACML
Request: JOE wants to EDIT the POLICY PLAN, decomposed into Subject (Joe), Action (edit) and Resource (policy plan).
Policy structure in the diagram:
- Target: Subject, Action, Resource
- Policy Set, evaluated with a Policy Combining Algorithm
- Policy, evaluated with a Rule Combining Algorithm
- Rule: Staff member -> Permit
- Obligation: Show copyrights, if any (user response: "I accept the copyrights")
Slide 26: Need for a common language for Subjects, Actions & Resources
Subject attributes:
- eduPerson(Scoped)Affiliation
- mail
- eduPersonPrincipalName
- Group/community
Actions:
- CRUD: Create, Read, Update, Delete
Resource attributes, e.g.:
- Type, Course, Time, Date, Collections
- Readers, Editors, Managers (groups or persons)
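As an added example for slides 25 and 26 (it is not code from MAMS, Fedora or any XACML implementation), here is a small Python PDP that evaluates a policy set with deny-overrides combining at both the rule and policy level, returns obligations to the PEP, and treats "NotApplicable" as Deny. The request uses the common vocabulary of slide 26 (affiliation as subject attribute, CRUD actions, resource type); the two policies and the "embargoed" resource attribute are constructed for illustration.

```python
from dataclasses import dataclass, field

def matches(target, request):
    """A Target maps attribute -> acceptable values; an empty Target matches any request."""
    return all(request.get(attr) in values for attr, values in target.items())

@dataclass
class Policy:
    target: dict
    rules: list                 # (effect, target) pairs, effect is "Permit" or "Deny"
    obligations: dict = field(default_factory=dict)   # effect -> obligation for the PEP

    def evaluate(self, request):
        """Rule combining algorithm: deny-overrides."""
        if not matches(self.target, request):
            return "NotApplicable", None
        effects = [effect for effect, target in self.rules if matches(target, request)]
        if not effects:
            return "NotApplicable", None
        decision = "Deny" if "Deny" in effects else "Permit"
        return decision, self.obligations.get(decision)

def evaluate_policy_set(policies, request):
    """Policy combining algorithm: deny-overrides; no applicable policy means Deny."""
    results = [p.evaluate(request) for p in policies]
    results = [(d, o) for d, o in results if d != "NotApplicable"]
    if not results:
        return "Deny", []
    decision = "Deny" if any(d == "Deny" for d, _ in results) else "Permit"
    return decision, [o for d, o in results if d == decision and o]

# Constructed policies modelled on the slide: staff may edit the plan, anyone
# may read it, and every Permit carries the "Show copyrights" obligation.
PLAN_POLICY = Policy(
    target={"resource.type": {"plan"}},
    rules=[("Permit", {"subject.affiliation": {"staff"}, "action": {"update"}}),
           ("Permit", {"action": {"read"}})],
    obligations={"Permit": "Show copyrights"},
)
EMBARGO_POLICY = Policy(  # embargoed resources are never shown to guests
    target={"resource.embargoed": {"yes"}},
    rules=[("Deny", {"subject.affiliation": {"guest"}})],
)

def pdp_decide(affiliation, action, resource_type, embargoed="no"):
    """The PEP assembles the request from Subject, Action and Resource attributes."""
    request = {"subject.affiliation": affiliation, "action": action,
               "resource.type": resource_type, "resource.embargoed": embargoed}
    return evaluate_policy_set([PLAN_POLICY, EMBARGO_POLICY], request)
```

Joe, a staff member editing the plan, gets Permit plus the obligation the PEP must honour before showing the resource; a guest reading an embargoed plan is denied because the embargo policy's Deny overrides the plan policy's Permit.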
Slide 27: XACML Editor w/o XML (architecture)
- XACML Editor GUI: build policies, CRUD policies, validate policies, log changes
- Policy store: load policies, publish policies
- IR-GUI: consumes the published policies
- Test cases: input/output pairs; load tests
Slides 28-29: XACML Editor w/o XML (mock-up screens)
Menu: File, Edit, Options, View, Help
Panes: Subjects; Actions (Create, Read, Update, Delete); Resources (Thesis, Course, Paper, shown as T C P); Environment (Time, Calendar); Policies
Example policy "Staff Policy":
- Description: RBAC for staff
- Target: Staff subject, any action/resource
- Rules (added via "Add rule", each a Subject/Action/Resource row): Read on T C P; Create on T P; CRUD on T C P