Any best practice to apply role based access control?

Hi,
I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
Can you please share the best practices or any built-in feature in JSF to achieve my goal?
Regards,
Faysi

Hi,
The macro pattern is my work. I've received a lot of help from forums such as this one and from the Java developers community in general, and I am very happy to help others and share my work.
Regarding the architect's responsibility of defining the pages according to the roles that have access to them: there is the enterprise.software infrastructure.facade Java package.
Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
This is according to Java EE 6 tutorial, section VII Security, page 471.
A group, role or user is created with an Identity Management application or by a custom application.
Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
For this you can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
I've been in situations where end users were very strict about the functionality of the application.
If you try to abstract web development, you can think of writing to the database, reading from the database and modifying the database as actions.
Each of these actions should have a suggester, an approver and an implementor.
Thus you can't call the createActiveGroup method, for example, without first calling the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
Furthermore, if the application is very strict, that is if every action which involves writing to the database must be recorded, this concept of suggester, approver and implementor is available through the recordActiveGroupAction method.
For example, there is a web shop; its managers can change the prices of the products, but the boss will want to know who had dared to lower prices.
This action of lowering prices is an action of modifying the information in the database, and you can save in the database who suggested it, who approved it and who implemented it.
Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be complete when I add the web pages for the architect to use for defining access control and for the end users to view who is doing what with their application.
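The suggester / approver / implementor sequence described in the reply above, as an added illustration that is not the macro pattern's own code. The method names follow the post; the request ids, the rule that a suggester may not approve their own request, the audit record layout and the sample page names are assumptions made here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Added example of a maker-checker facade for group creation; not the GroupsAndRolesAccessFacade class itself. */
public class GroupsAndRolesAccessFacadeExample {

    /** A request to create a group that may access the listed pages (assumed structure). */
    static final class GroupCreationRequest {
        final String groupName;
        final Set<String> pages;
        final String suggester;
        String approver;        // stays null until someone decides
        boolean approved;

        GroupCreationRequest(String groupName, Set<String> pages, String suggester) {
            this.groupName = groupName;
            this.pages = new TreeSet<String>(pages);
            this.suggester = suggester;
        }
    }

    /** One audit line: the action, its target and the three people behind it. */
    static final class AuditEntry {
        final String action, target, suggester, approver, implementor;

        AuditEntry(String action, String target, String suggester, String approver, String implementor) {
            this.action = action; this.target = target; this.suggester = suggester;
            this.approver = approver; this.implementor = implementor;
        }

        @Override public String toString() {
            return action + "(" + target + ") suggested by " + suggester
                    + ", approved by " + approver + ", implemented by " + implementor;
        }
    }

    private final Map<String, GroupCreationRequest> pending = new HashMap<String, GroupCreationRequest>();
    private final Map<String, Set<String>> activeGroups = new HashMap<String, Set<String>>();
    private final List<AuditEntry> audit = new ArrayList<AuditEntry>();
    private int nextRequestId = 1;

    /** Step 1: the suggester files a request; nothing is created yet. Returns the request id. */
    public String requestActiveGroupCreationHelper(String suggester, String groupName, Set<String> pages) {
        String requestId = "req-" + nextRequestId++;
        pending.put(requestId, new GroupCreationRequest(groupName, pages, suggester));
        return requestId;
    }

    /** Step 2: a second person approves or declines; the suggester may not decide on their own request. */
    public void approveOrDeclineActiveGroupCreationHelper(String requestId, String approver, boolean approve) {
        GroupCreationRequest request = pending.get(requestId);
        if (request == null) {
            throw new IllegalArgumentException("unknown request " + requestId);
        }
        if (request.suggester.equals(approver)) {
            throw new SecurityException("suggester " + approver + " cannot approve their own request");
        }
        request.approver = approver;
        request.approved = approve;
    }

    /** Step 3: the implementor creates the group; refused unless steps 1 and 2 happened and the decision was positive. */
    public void createActiveGroup(String requestId, String implementor) {
        GroupCreationRequest request = pending.get(requestId);
        if (request == null || request.approver == null) {
            throw new IllegalStateException("no decided request " + requestId + "; call the request and approve helpers first");
        }
        if (!request.approved) {
            throw new SecurityException("request " + requestId + " was declined by " + request.approver);
        }
        activeGroups.put(request.groupName, Collections.unmodifiableSet(request.pages));
        recordActiveGroupAction("createActiveGroup", request.groupName, request.suggester, request.approver, implementor);
        pending.remove(requestId);   // each approved request can be implemented only once
    }

    /** Pages a group may access (empty if the group does not exist). */
    public Set<String> getMinimumInformationAboutGroup(String groupName) {
        Set<String> pages = activeGroups.get(groupName);
        return pages == null ? Collections.<String>emptySet() : pages;
    }

    /** Records who suggested, approved and implemented an action. */
    public void recordActiveGroupAction(String action, String target, String suggester, String approver, String implementor) {
        audit.add(new AuditEntry(action, target, suggester, approver, implementor));
    }

    public List<AuditEntry> getAuditTrail() {
        return Collections.unmodifiableList(audit);
    }

    public static void main(String[] args) {
        GroupsAndRolesAccessFacadeExample facade = new GroupsAndRolesAccessFacadeExample();
        Set<String> pages = new TreeSet<String>();
        pages.add("/products/prices.xhtml");      // constructed sample page

        String id = facade.requestActiveGroupCreationHelper("alice", "price-managers", pages);
        try {
            facade.createActiveGroup(id, "carol");   // skipping the approval step is refused
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
        facade.approveOrDeclineActiveGroupCreationHelper(id, "bob", true);
        facade.createActiveGroup(id, "carol");

        System.out.println(facade.getMinimumInformationAboutGroup("price-managers"));
        for (AuditEntry entry : facade.getAuditTrail()) {
            System.out.println(entry);
        }
    }
}
```

The point of keeping the pending request outside the live group table is that the create call has nothing to act on until a second person has recorded a decision, which is what makes the audit entry trustworthy: each of the three names in it was supplied by a separate call.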

Similar Messages

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on java.security.acl and I am wondering how that package will work together with the RBAC pattern (or is the pattern already implemented in some package)?
    Does anyone have any comments on this? Thanks
    Dave

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans only has to do with the dynamic modification towards which our discussion was going.
    If we go back to our fundamental objective of implementing role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start-up of the container. The roles or access need to be changed dynamically while the container is running. You would scrutinize the changes of roles and access before granting permission in the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist? When the container is restarted, don't you want the changes to stay?
    If the answer to the above is YES (yes, I want to persist changes), how about doing a write operation (update role/access) of the XML file and continuing your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change-role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!
    One hurdle could be how to let all neighbouring servers know about the changes in roles and access. An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • To run OHS at port 80 using solaris role based access control

    Hi.
    I already know how to, and have done, setuid root on ohs/bin/.apachectl to allow OHS to listen on port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work, as I can run a home-built apache2 httpd on port 80 without suid root.
    On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
    /etc/user_attr:
    oracle::::type=normal;defaultpriv=basic,net_privaddr
    Change OHS httpd.conf Listen from port 8888 to port 80.
    However, opmnctl startproc process-type=OHS
    failed as below with nothing showing in the diag logs:
    opmnctl startproc: starting opmn managed processes...
    ================================================================================
    opmn id=truffle:6701
    0 of 1 processes started.
    ias-instance id=asinst_1
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    ohs1/OHS/OHS/
    Error
    --> Process (index=1,uid=187636255,pid=25563)
    failed to start a managed process after the maximum retry limit
    Thx,
    Ken

    Just to add my two cents here.
    The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
    # usermod -K defaultpriv=basic,net_privaddr <your_user_name>
    Restart the opmnctl daemon.
    After that OHS/Apache user can bind to lower TCP ports.
    Regards.
    Edited by: Tuelho on Oct 9, 2012 6:05 AM

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web-based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    Both 1 and 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • Role Based Access Control and FIM

    Hi,
    Would these statements about RBAC and FIM (not BHOLD) be true:
    RBAC in FIM Sync is essentially governed by the built-in FIM Groups (e.g. FIMSyncAdmins, etc)
    RBAC in FIM Portal is essentially governed by FIM Portal Sets & MPRs
    Thanks,
    SK
    PS. not looking at BHOLD above, just FIM

    This can be true in a narrow sense. If we are just thinking of access to FIM and not on the managed organizational resources.
    FIM Synch:-
    Through FIM Synch groups, we are just controlling the access to the FIM Synch service. We are not separating access based on roles (say, organizational roles).
    For FIM Portal, again it can be true if we are thinking of access to FIM Portal only and not the managed organizational resources.
    Thanks,
    Mann

  • RBAC (Roles Based Access Control) "Broken" in WCS

    In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever RADIUS server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on the task list and it will give you both a TACACS and a RADIUS output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for the "SuperUser" role would be a list like the one below; note the real list is 48 different "tasks", I shortened it here.
    role0=SuperUsers
    task0=Users and Groups
    task46=Auto Provisioning
    task47=Voice Audit Report
    Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
    The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
    Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

    Hi,
    I believe all your questions are answered in "System Administrator's Guide - Security" manual.
    Applications Releases 11i and 12
    http://www.oracle.com/technology/documentation/applications.html
    You may also review this document.
    Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
    Regards,
    Hussein

  • Role based access control

    We tried to apply new roles definition to AP module.
    For example, we defined a role which allowed to see the suppliers created by the owner.
    It seems that the role definition does not have any effect on the AP module.
    We successfully created roles under FND and CES.
    1- Is it true to say that the role feature does not cover all EBS module?
    2- On which modules the role have an effect?
    Regards
    JC

    I do not believe Oracle publishes which modules are (or are not) RBAC aware - for the modules that you are using or are interested in, you will have to read through the Implementation and User Guides to see if the modules use RBAC.
    HTH
    Srini

  • Prime Collaboration Role-based Access Control Issue

    Hello Support Community,
    we are using the Cisco Prime Collaboration Provisioning and would like to configure a user that would act as an admin for one of our domains.
    This user would be able to add, remove, change, etc. all the objects that are located in one remote office. So he should not be able to see the users, phones and so on, from all other offices.
    The issue is that we cannot select the domain that should be assigned to him. When we select a user that should be configured as an administrator for the office and go to Manage Authorization Roles, under Roles for Domain there is only "Apply to all domains". We can't select one of the two domains that are currently configured.
    I've tried with different browsers, tried checking the boxes to see if one of those would trigger the change and let us select the domain but so far I had no luck.
    The cluster consists of 7 CUCMs on version 9.1.2.12900-11 (and 2x CUC, 2x IM&P, etc.) and the Prime Collaboration Provisioning is on version 10.5.1.320 (License Type Advanced).
    Thanks in advance!
    Ivan

    Hello Anthony,
    first of all, thank you for taking the time to answer and analyze!
    Your questions:
    "One sure way to check this is to look on the banner and there should be a check mark next to the word Advanced" -  in the top right Corner of the banner I can see a green check mark next to Advanced 
    "The Delegation feature should be set to 2, and not 0 or 1." - the Delegation feature has the following status: "Available : 1 | Used : 0 | Expiry : permanent". Does the value have to be "2" under Available? Because at the moment we are not using any (Used : 0).
    "I will assume the two Domain groups are already configured and have some users in them." - that is correct. Both domains are already configured and we have multiple users in both of them. Domains are configured with appropriate Call Processors, Message Processors, LDAP Sync, Service Areas, User Roles and Service Templates.
    I have tested what you proposed in the last part. Selected one of the users through Deploy > User Provisioning. Opened his User Records page (where we can see all the Services, etc.) > Manage Authorization Rules. In the Roles for Domain field it just says "Apply to all domains"; it does not display any other value when I click on the dropdown button.
    Kind regards,
    Ivan

  • SCCM 2012 R2 Role Based Access Control Weird Issue

    Thank you in advance. I have 3 security groups added for the remote control operators role. Users within all three groups are available and imported into the SCCM users collection and verified. Users in one group work fine without any issue. But users in the
    other 2 groups have trouble: when they try to connect to the SCCM console from their computers, it fails. I even tried adding the user directly with the full administrator role. But it still fails.
    It is weird because it kind of loads the SCCM console administration tab and then suddenly shows the error message. The error is a generic one saying to verify the things listed below. Any advice would be appreciated.

    To clarify, you have three Active Directory groups, all of which are assigned the remote control operators role in ConfigMgr?
    If they are only remote control operators, what are they using in the administration workspace?
    What does the SmsAdminUI.log show on one of the PCs? Based on what you describe, it is unclear whether this is an RBAC issue or not.
    Jeff

  • Configuring ACS 5.4 to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 via TACACS+

    There is a great document on the site for configuring ACS 5.X to authenticate via TACACS+, but with 5.4 there is possibly an extra step required.
    https://supportforums.cisco.com/docs/DOC-14273
    In 5.4, where you map the Shell Profile to the Authorization Policy, you are now required to specify a Command Set under the Shell Profile, which 5.2 didn't have. Trying to accomplish this using the default san-admin role in NX-OS.

    I think the command set does not matter.
    Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.
    I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.
    What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?
    Rating useful replies is more useful than saying "Thank you"

  • Role based access control

    Hello,
    Is there an RBAC in Windows 2012 R2?

    My client has a specific requirement like:
    Schema Management: Management of the Schema
    Forest Configuration Operator: Management of Functional Levels, domains, trusts, Operations Master roles
    Domain Operator: DC Installation, Management of FSMO, OU
    Domain Controller Administrator: Installing Software, Service Packs and hotfixes, Managing Sysvol, Starting up and stopping DCs
    Security Policy Management: Management of GPOs
    Service Admin Management: Management of Service Management Role Membership
    DNS Management: Installing DNS on DCs, configuring root hints, configuring and maintaining zones
    Replication Management: Configuration of Replication Topology
    Replication Monitoring: Monitoring of Replication Status and Performance
    Backup Operator: Backup and Restore AD
    I wonder if such a customization is possible in Win 2012!

  • Role Based Access problem in forms

    This would be a long reading.
    I'm having a problem with forms Role Based Access.
    We have two databases, one in London and one in Zurich. We have installed the application server and Oracle Forms on the London database. We have implemented Role Based Access to forms. For this we have created a database role (say ZUR_USER) in both databases. The view FRM50_ENABLED_ROLES, which is used by the Forms role based access control, is also created in both databases with a 'grant select to public'.
    Our form system has a menu and forms under that menu. Both the menu and the underlying forms have been assigned Menu Security/Item Roles to the above mentioned ZUR_USER role, and the role is assigned to various users.
    Now a Zurich user is trying to log in to the Zurich database using the URL for the Forms installation on the London server. He can log in successfully and can see the menu heading in the main screen, but when he clicks the menu he doesn't see the underlying forms list.
    When we try the same user id and database from London (using the same URL) we see all the forms.
    Any idea what we are missing? The Menu Security is set up at menu level as well as the form level under that menu. The user can see the menu but not the form under that menu from Zurich. No such problem while logging in from London.

    I'm using the Forms 10g
    and yes the only difference is between login from Zurich and London.
    Problem definitely is due to Role Based Access setup.
    The user in Zurich can see the Menu but not the items under that menu.
    I have set the security up at both menu and menu item (i.e. form name) level.

  • Any Best Practices for Guest Access?

    Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
    I have created a Guest WLAN and configured it on the WLC side. I think all I have to do now is to configure the core switch with the new VLAN 99 along with configuring the trunk ports connected to the WLCs.
    My question is, am I missing anything in the setup? And are there any "best practices" when it comes to Guest access? I am hoping to use web-passthrough authentication. I don't believe this requires any AAA or RADIUS servers, which we don't have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal LAN. Am I on the right track here?

    ***************Guest WLC******************
    (Cisco Controller) >show mobility summary
    Symmetric Mobility Tunneling (current) .......... Enabled
    Symmetric Mobility Tunneling (after reboot) ..... Enabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... DMZ
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x43cd
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address        IP Address      Group Name                        Multicast
    00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0
    00:19:aa:72:39:80  10.100.100.20   DMZ                              0.0.0.0
    (Cisco Controller) >
    ***************Corp WLC*****************
    (Cisco Controller) >show mobility summary
    Symmetric Mobility Tunneling (current) .......... Enabled
    Symmetric Mobility Tunneling (after reboot) ..... Enabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... Champion Corp
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x46d5
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address        IP Address      Group Name                        Multicast IP    Status
    00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up
    00:19:aa:72:39:80  10.100.100.20   DMZ                              0.0.0.0          Up
    (Cisco Controller) >

  • Role Based Access in Struts

    Hi,
    I wanted to know how to include Role Based Access in my Struts application.
    Does Struts provide any mechanism to accomplish it?
    If yes then,how can it be done
    Thanks
    kurt

    Hi Velu,
    Yes, this is exactly what Access Manager (now called OpenSSO, btw) can do.
    In your first use case, you would simply create two policies. The first one would allow only users in the admin group access to the admin application (e.g. https://someserver.example.com/admin/*). The second would allow users in the employee group access to the remaining two applications (e.g. https://someserver.example.com/app1/*, https://someotherserver.example.com/app2/*).
    In your second use case, the policies would be similar - first policy would allow users in the admin group to access https://someserver.example.com/app3/*, second policy would allow users in the employee group to access only https://someserver.example.com/app3/employees/*.
    Cheers,
    Pat
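Both Frank's option 2 above (checking JAAS-style Permissions on individual URLs instead of static web.xml constraints) and Pat's two OpenSSO policy use cases come down to the same check: a role holds a set of URL patterns, and a request is allowed only if one of the caller's roles holds a pattern that covers the normalised URL. The following is an added example of that check written against java.security.Permission; it is not OpenSSO's, Oracle's or Struts' code. The UrlPermission class, the grant/isAllowed methods and the role names are assumptions; the URLs are the ones Pat used. Frank's Struts RequestProcessor.processRoles override would simply call isAllowed with the roles from the current Subject.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example: per-role URL permissions checked the way JAAS checks Permissions. */
public class UrlRoleAccessExample {

    /** A pattern ending in "/*" implies every URL below that prefix; any other pattern must match exactly. */
    static final class UrlPermission extends Permission {
        private static final long serialVersionUID = 1L;

        UrlPermission(String pattern) {
            super(pattern);
        }

        @Override
        public boolean implies(Permission other) {
            if (!(other instanceof UrlPermission)) {
                return false;
            }
            String pattern = getName();
            String url = other.getName();
            if (pattern.endsWith("/*")) {
                // keep the trailing slash so ".../app3/employees/*" does not cover ".../app3/employeesX"
                return url.startsWith(pattern.substring(0, pattern.length() - 1));
            }
            return pattern.equals(url);
        }

        @Override public boolean equals(Object o) {
            return o instanceof UrlPermission && getName().equals(((UrlPermission) o).getName());
        }

        @Override public int hashCode() { return getName().hashCode(); }

        @Override public String getActions() { return ""; }
    }

    /** role name -> permissions granted to that role (one OpenSSO-style "policy" per grant call). */
    private final Map<String, PermissionCollection> policy = new HashMap<String, PermissionCollection>();

    public void grant(String role, String pattern) {
        PermissionCollection perms = policy.get(role);
        if (perms == null) {
            perms = new Permissions();
            policy.put(role, perms);
        }
        perms.add(new UrlPermission(pattern));
    }

    /**
     * Deny by default; allow only if one of the caller's roles holds an implying permission.
     * Dot segments are resolved first so ".../employees/../admin/" cannot slip past a prefix grant.
     */
    public boolean isAllowed(Set<String> callerRoles, String requestedUrl) {
        String normalised;
        try {
            normalised = new URI(requestedUrl).normalize().toString();
        } catch (URISyntaxException e) {
            return false;   // unparseable request: refuse rather than guess
        }
        UrlPermission wanted = new UrlPermission(normalised);
        for (String role : callerRoles) {
            PermissionCollection perms = policy.get(role);
            if (perms != null && perms.implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UrlRoleAccessExample access = new UrlRoleAccessExample();
        // Pat's second use case: admins see all of app3, employees only the employees area.
        access.grant("admin", "https://someserver.example.com/app3/*");
        access.grant("employee", "https://someserver.example.com/app3/employees/*");

        Set<String> employee = new HashSet<String>(Arrays.asList("employee"));
        Set<String> admin = new HashSet<String>(Arrays.asList("admin"));

        System.out.println(access.isAllowed(employee, "https://someserver.example.com/app3/employees/list.do"));
        System.out.println(access.isAllowed(employee, "https://someserver.example.com/app3/admin/users.do"));
        System.out.println(access.isAllowed(employee, "https://someserver.example.com/app3/employees/../admin/users.do"));
        System.out.println(access.isAllowed(admin, "https://someserver.example.com/app3/admin/users.do"));
    }
}
```

Because the grants live in a map rather than in web.xml, a new role can be added at runtime, which is the limitation Frank points out for declarative security; the price is that the check has to be invoked from one central place (a filter or the request processor) so that no URL is reachable without passing through it.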

  • Portal and role based access

    We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
    We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
    -thanks

    1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
    2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
    3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
    4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
    I don't think a VPN will be needed when you are having an extranet portal (as you hinted at internet for guests).
    You can have a darn strong access control using this mechanism.
    hope that helps!
    AMN
