RSP Fedora training days 22-23 January 2009 Richard Green

1 RSP Fedora training days 22-23 January 2009 Richard Green r.green@hull.ac.uk

2
- Fedora creates an admin user as part of the installation process
- Further users can be dealt with through:
  - the Tomcat users file
  - linking to a local LDAP
  - etc.
- Security systems can be 'chained'
- Users are usually assigned a 'role', which can be used to determine their general permissions

3
- Authorisation in Fedora is managed by the Sun XACML engine
- Security policies can be tied to users, roles and IP addresses, and to objects, datastreams and methods, e.g.:
  - Only administrators can use API-M
  - API-M can only be called from 192.168.0.1
  - Users in the role 'student' cannot have access to datastreams called "fullsizeImage"
  - etc.

4
- Fedora provides dozens of 'hooks' (XACML attributes) to which security can be attached:
  - subject (loginId)
  - actions (API-M, purgeObject, riFindObjects, ...)
  - resources (object:owner, datastream:id, ...)
  - environment (clientIpAddress, currentDate, ...)
- Hugely flexible, but it can get complicated when policies interact: when one policy permits what another denies, the outcome depends on the configured combining algorithm, not on the order you wrote them
- XACML is not very nice to write

5
The overall intent of this policy is datastream hiding: raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible to a broader audience.

The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done where lesser-privileged users are given a derivation of the main datastream, or a lesser-quality view, or a less complete view of the raw datastream content.

Given that an object is of a certain content model (in this case UVA_STD_IMAGE), this policy will DENY datastream access to users who do NOT have the ROLE of 'administrator' or 'professor'. It will also DENY dissemination access to users who do NOT have the ROLE of 'student', 'administrator', or 'professor'.
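The policy described on this slide, written out as XACML 1.0 (the dialect the Sun XACML engine in Fedora evaluates), is given here as an added worked example. It is not code from the slides or from the Fedora distribution, although it follows the shape of the demo policies Fedora ships. The attribute identifiers (the subject attribute `fedoraRole`, the `action:id` values, the `resource:object:contentModel` attribute), the content model value `demo:UVA_STD_IMAGE` and the PolicyId are assumptions taken from Fedora documentation of that era; check each against the attribute list of the Fedora version you run before deploying it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not one of Fedora's shipped policies.
     Datastream hiding for objects of one content model:
       raw datastreams      -> administrator, professor only
       disseminations       -> student, administrator, professor
     There is deliberately no Permit rule: when neither Deny fires the
     policy is NotApplicable and the repository's other policies decide. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="example-hide-raw-datastreams"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

  <!-- Policy target: only objects whose content model matches.
       ASSUMPTION: attribute id and value as used in Fedora 2.x demo
       policies; Fedora 3 moved content models into RELS-EXT, so verify
       the identifier your version exposes to XACML. -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demo:UVA_STD_IMAGE</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:resource:object:contentModel"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <!-- Rule 1: deny raw datastream access (getDatastreamDissemination)
       unless the caller holds administrator or professor. -->
  <Rule RuleId="deny-raw-datastream-to-non-privileged" Effect="Deny">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- MustBePresent="false" matters: a caller with no fedoraRole at all
         yields an empty bag, the membership test is false, NOT makes it
         true, so the rule fires. Anonymous callers are denied, not skipped. -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">professor</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: deny service-mediated disseminations (getDissemination)
       unless the caller holds student, administrator or professor. -->
  <Rule RuleId="deny-dissemination-to-non-members" Effect="Deny">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDissemination</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">student</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">professor</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Two things to check before relying on a policy like this. First, it only ever says Deny, so whether a student actually gets the dissemination depends on the repository-level policy combining algorithm and the permit policies it is combined with; with a deny-overrides combination any other Deny still wins, which is the "policies interact" problem from the previous slide. Second, hiding the raw datastream is only worth anything if the disseminator really serves a derivative (thumbnail, excerpt, lower quality) and not the original bytes under another name; the policy controls the route to the content, not what the service method returns.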


7
- Default set of policies available 'out of the box'
- Good set of example policies provided, heavily commented:
  - to learn from
  - to adapt

8
- Given that writing XACML is not for the faint-hearted, other approaches have been produced by Fedora developers to hide it even from admin users
- For instance, Muradora (which does not use quite the native Fedora security system, but the principle holds):

9
- Each collection (or object) has a security icon (authorisation permitting)

10
- Users and roles listed
- Check-box security
- Permissions set here are inherited (or overridden) at lower levels

11
Thesis object showing security options against individual datastreams. Could allow the thesis to anyone (inherited) but the audio clips only to… (copyright?)

12
- 'Advanced' security allows the admin to set repository-wide permissions

13
- Deny datastreams of type 'audio/mpeg' to students

14
- Fedora has very flexible access controls
- Authorisation based around XACML
