
(2006/7/28) Meeting of M. Lamont (AB/OP) and S. Lueders (IT/CO)*

Mike and Stefan discussed the policies for access to operate the accelerators from the consoles in the CCC, from a satellite control room, or from the office/home.

In the CCC, the consoles in each quadrant display the information needed for the corresponding accelerator only. (Status and summary data are available in all quadrants.) For this purpose, generic accounts will be used which are valid in that quadrant and there only. However, where appropriate these accounts will also be valid in satellite control rooms of the same accelerator (e.g. ISOOP is valid in the PS quadrant of the CCC and in the local ISOLDE control room).

In an LHC satellite control room, e.g. RF in point 4, a dedicated generic login will be provided, e.g. lhc-rf. The restrictions applicable to the role assigned to this account will be enforced.

The generic accounts do not provide universal write access on a given machine. In order to change machine parameters (not necessarily critical settings), the operator has to be authenticated by the corresponding LSA application using his password or, perhaps, to ease typing, by swiping his CERN card through a card reader. The situation is the same for remote access, where the user can obtain the console applications only after being authorized through the corresponding terminal server.

The authorization of write access shall be handled through CMW. This will allow for consistency with the other methods of accessing the accelerator equipment (AB/OP uses only LSA, while system experts might have their own, dedicated tools).

Mike and Stefan have identified the following factors on which an authorization depends:

* DEVICE: the device to be acted upon; not every user has write access to every device;
* MODE: the accelerator mode; depending on it, write access might be inhibited;
* PERMISSION: the Engineer-in-Charge (EiC); general write access must be authorized by the EiC (especially outside the CCC);
* LOCATION: the location; access rights are restricted when acting from home or from a remote control room. For access from home, critical and non-critical settings can be distinguished;
* USER: the user (of course).


It is up to AB/OP to produce the full matrix, i.e.
write_access = auth(user, device) * auth(mode) * auth(EiC) * auth(location).

Every authorization will time out after a predefined idle time. Methods must be put in place to prevent a user from remaining logged in without acting on the system himself. These methods must also log all authorization attempts, inform the Engineer-in-Charge of remote accesses to the system, and allow him to authorize or block these accesses. The CMW must ensure the integrity of changes, i.e. that parallel actions on equipment do not interfere with each other. Also, it might be useful to integrate the MCS into the same scheme (while keeping its extra functionality).
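As an added worked example (not from the meeting note and not CERN's own CMW/LSA code), the following Python sketch evaluates the write_access product above as a conjunction of four checks, applies the idle time-out, records every decision in an audit log, and queues remote sessions for the EiC to approve or block. All users, roles, devices, modes and the timeout value are constructed; the split into CCC, remote control room and home, and the rule that only non-critical devices may be written from home, are assumptions drawn from the note rather than a specification.

```python
# Added worked example (not from the meeting note): a minimal evaluator for
# write_access = auth(user, device) * auth(mode) * auth(EiC) * auth(location),
# plus the idle time-out, audit log and EiC approval of remote access the note asks for.
# Every role, device, user, mode and timeout value below is a constructed illustration.
from dataclasses import dataclass, field
from enum import Enum
import time


class Location(Enum):
    CCC = "ccc"                      # console in the CERN Control Centre
    REMOTE_CONTROL_ROOM = "remote"   # satellite control room, e.g. RF in point 4
    HOME = "home"                    # office/home via terminal server


# Constructed role -> writable devices map (the "full matrix" AB/OP would own).
ROLE_DEVICES = {
    "lhc-rf": {"rf.cavity.1", "rf.cavity.2"},
    "lhc-op": {"rf.cavity.1", "rf.cavity.2", "mag.dipole.1"},
}
USER_ROLES = {"alice": {"lhc-op"}, "bob": {"lhc-rf"}}   # constructed users
CRITICAL_DEVICES = {"mag.dipole.1"}                       # constructed: critical settings
WRITE_INHIBITED_MODES = {"beam-in"}                       # constructed: modes that inhibit writes


@dataclass
class Session:
    user: str
    location: Location
    last_activity: float          # timestamp of the last accepted action
    eic_approved: bool = False    # EiC has authorised this remote session


@dataclass
class Authorizer:
    mode: str = "setup"
    eic_general_write: bool = True     # EiC has enabled general write access
    idle_timeout: float = 600.0        # seconds of idleness before the authorization lapses
    audit: list = field(default_factory=list)           # every decision, allowed or not
    pending_remote: list = field(default_factory=list)  # remote sessions awaiting the EiC

    def notify_remote_access(self, session: Session) -> None:
        """Record a remote login so the EiC is informed and can authorise or block it."""
        if session.location is not Location.CCC:
            self.pending_remote.append(session)

    def eic_decide(self, session: Session, approve: bool) -> None:
        """EiC authorises (True) or blocks (False) a remote session."""
        session.eic_approved = approve
        if session in self.pending_remote:
            self.pending_remote.remove(session)

    def _auth_user_device(self, user: str, device: str) -> bool:
        return any(device in ROLE_DEVICES.get(r, ()) for r in USER_ROLES.get(user, ()))

    def _auth_mode(self) -> bool:
        return self.mode not in WRITE_INHIBITED_MODES

    def _auth_eic(self, session: Session) -> bool:
        # Remote sessions additionally need the EiC's explicit per-session approval.
        if not self.eic_general_write:
            return False
        return session.location is Location.CCC or session.eic_approved

    def _auth_location(self, session: Session, device: str) -> bool:
        # Assumption: from home only non-critical settings may be changed.
        if session.location is Location.HOME:
            return device not in CRITICAL_DEVICES
        return True

    def write_allowed(self, session: Session, device: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if now - session.last_activity > self.idle_timeout:
            self.audit.append((now, session.user, device, "DENY", "idle-timeout"))
            return False
        checks = {
            "user-device": self._auth_user_device(session.user, device),
            "mode": self._auth_mode(),
            "eic": self._auth_eic(session),
            "location": self._auth_location(session, device),
        }
        allowed = all(checks.values())   # the product of the four auth() factors
        reason = "ok" if allowed else ",".join(k for k, v in checks.items() if not v)
        self.audit.append((now, session.user, device, "ALLOW" if allowed else "DENY", reason))
        if allowed:
            session.last_activity = now   # only accepted actions count as activity
        return allowed
```

A denied attempt deliberately does not refresh last_activity, so a session that produces only denials still expires; each audit tuple names the factor that failed, which is what an EiC reviewing remote activity would want to see.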

Finally, all control rooms at CERN must be equipped with a physical access protection system (e.g. CERN card readers).

c/o Stefan

please find here some more info on RBAC:

- the Role Based Access Control model, which is described in various papers here: http://csrc.nist.gov/rbac/
- the XACML standard (http://www.oasis-open.org/specs/index.php#xacmlv2.0) and Sun's implementation in Java (http://sunxacml.sourceforge.net/)


c/o Suzanne

I spent some time reading about Role Based Access Control (RBAC) on the web. It turns out that it has been addressed in several standards and even has several implementations, some of which are in Java. One standard uses X.509 Attribute Certificates, which are similar to X.509 Public Key Certificates. There are a couple of implementations of this standard.

1) PERMIS is developed at University of Salford in the UK. It has a Java API for managing roles and authorizing privileges, and is used in a 3-city project in Europe.
http://sec.isi.salford.ac.uk/download/InternetComputingPaperv4.pdf

2) AKENTI is developed at Berkeley Lab by Mary Thompson. This project is tightly coupled with the Fusion project and SciDAC, the same organization we have asked for a grant for RBAC.
http://dsd.lbl.gov/Akenti/