An access control pattern based on qualifications to grant access to physical resources.
Cristea, Ana Daniela; Prostean, Octavian; Muschalik, Thomas et al.
1. INTRODUCTION
A pattern can be described in many ways (Buschmann et al., 2007) that
essentially help us to present it in an appropriate form and, at the same
time, offer the details required to implement it. The QBAC pattern
presented in this paper uses a basic solution of a new authorization
concept. This concept grants the employees (subjects) of a company the
possibility to access the inputs of certain protected objects (a set of
machines) according to the qualifications they hold. The subjects are
authenticated through RFID (Radio Frequency Identification) cards, but
any other authentication method can be used instead of RFID.
The presented pattern does not belong to the category "good practices
pattern" (found in at least three real systems), but to the category
"useful solutions pattern". This solution has been implemented only
once, as a prototype, but it can be used in other similar situations, too.
There is a great diversity of access control design patterns
(Schumacher et al., 2006) that offer solutions to control the access to
computational or physical resources. The QBAC pattern is inspired by the
patterns RBAC (Role Based Access Control Pattern), MBAC (Metadata Based
Access Control Pattern), Authorization pattern, Session pattern and
Access Control to Physical Structures. From the Session Pattern
(Fernandez & Guenther, 2006), we use its property of implementing the
"least privilege" principle. In this way, we restrict and control the
rights of a subject and grant him only as much authorization as he needs
to access the inputs that correspond to his abilities. From the Role
Based Access Control Pattern (Ferraiolo et al., 2007), we use the
principle that rights are not assigned directly to the subjects, but are
granted through qualifications. From the Metadata Based Access Control
Pattern (Priebe et al., 2004), we use the idea that the protected objects
and the subjects may have certain attributes. And, finally, from the
Access Control to Physical Structures Pattern (Fernandez et al., 2007),
we use the principle that the subject can perform a physical login.
Besides this combination, we added certain elements required to carry
out the specific tasks that comply with our requirements:
1) The subjects are granted access rights according to their
qualifications.
2) Besides the session used to realize the "least privilege"
principle, we added new functionality at the protected objects level,
for security reasons.
3) The communication with the protected objects is realized through
PLCs (Programmable Logic Controllers) that have their own operating
system and memory for storing the programs. At the same time, they offer
the possibility to use additional modules: inputs, outputs, RFID
interface, etc.
4) The protected objects and the qualifications have certain
attributes.
The authorization process cannot be separated from the security field.
The implementation of the proposed pattern needs security at all its
levels, both for the communication among the different component
elements and for the implementation itself. Our future task is to choose
the most suitable means to secure the communication among the multitude
of component elements. This is the part where we have to specify the
limitations.
2. REAL WORLD EXAMPLE
Fig. 1 presents the login session of a subject to a protected object.
The steps, from the moment the subject wishes to log in to the moment he
is granted the access right, are:
* Step 1--The subject logs in to one of the protected objects where
he wishes to access certain inputs
* Step 2--The subject's ID (read from the RFID identification
card) is sent to the PLC
* Step 3 & 4--The ID of the protected object and the subject ID
are sent to the execution environment
* Step 5--After the authentication, the inputs that the subject may
access, according to the qualification or qualifications he holds, are
determined through the pattern proposed hereunder
* Step 6--The data are sent to the OPC client. The access right is
communicated encoded as an integer, to protect the communication network
against overloading (the communication goes through a Web Service)
* Step 7--The data are sent to the PLC to create the command
* Step 8--The access right is decoded and the adequate commands are
issued
* Step 9--The command is communicated to the protected object
[FIGURE 1 OMITTED]
3. QUALIFICATION BASED ACCESS CONTROL
Intent: control the access to certain inputs of a protected object,
based on the qualifications that a subject holds.
Context: any set of protected objects where we need to control the
access to certain inputs of these objects and where the subjects can be
classified according to their abilities. The subjects may hold multiple
qualifications for a certain protected object.
Problem: we need a procedure able to control the access to the
protected object inputs and to enable us to deny unauthorized access
requests.
Forces: the entire system should be dynamic. It should allow the
addition of new protected objects and, at the same time, the addition of
new inputs to an existing protected object. To enhance the security, we
impose two initial conditions: at a given moment, a subject may access
only the inputs of one single protected object, and a protected object
may be served only by one single subject that holds the adequate
qualifications. The principle of "least privilege" should be supported.
Solution: a basic model for Qualification Based Access Control is
presented in Fig. 2. The Subject class describes a subject which
attempts to access some inputs of a protected object. The
Protected_Object class represents the resource whose inputs should be
protected. Because we may have a great number of protected objects, we
organized them in groups. In this way, each group may have any number of
protected objects and each protected object may have any number of
inputs. The Qualifications class represents the subject's
qualifications. The subjects hold qualifications on the basis of which
they get the rights to access the inputs of a protected object. For
example, the subject x may hold the qualification "Installer" for a
protected object y. According to this qualification, he is able to
access the inputs assigned by the administrator to this qualification.
In the case of multiple qualifications, the eventual redundancies shall
be eliminated.
The PLC class represents the Programmable Logic Controller and its
subclasses represent its basic modules: Inputs, Outputs, RFID interface.
Each subject interacts with the system through a session (login session
or logout session) from which he activates the qualifications. The
sessions allow us to implement the principle of "least privilege": each
login session gets only the privileges required to access the inputs
that correspond to the subject's abilities. The consequence of a logout
session is "zero qualifications", but we still have to perform a few
operations, as follows:
* Registration of certain values (how long the subject has been
logged in to the respective object, his activity, etc.)
* Unblocking of the subject and the protected object.
[FIGURE 2 OMITTED]
To prevent a subject from logging in to more than one protected object
during a login session, we block the respective subject. He is unblocked
only after a logout session. At the same time, we block the protected
object to which the respective subject logged in, to ensure that, at a
given moment, the protected object can be used by only one single
subject.
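As an added illustration (not code from the paper or from the prototype it describes), the following Python sketch models the session behaviour of this section together with the integer encoding of the access right from Steps 5, 6 and 8: the inputs of all qualifications a subject holds for an object are unioned (removing redundancies), packed into one integer (one bit per input, an assumed encoding), and a login session blocks both the subject and the protected object until logout. Class names follow Fig. 2 as described in the text; the sample machine, its inputs and the qualifications are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ProtectedObject:
    oid: str
    inputs: list                                        # position of a name = its bit number
    qualifications: dict = field(default_factory=dict)  # qualification -> set of input names
    locked_by: "str | None" = None                      # subject id while a login session is open

@dataclass
class Subject:
    sid: str
    qualifications: dict = field(default_factory=dict)  # oid -> set of qualification names
    logged_in_to: "str | None" = None                   # oid while a login session is open

def encode_rights(obj, subject):
    # Step 5/6: union the inputs of every qualification the subject holds for obj (the set
    # union removes redundancies), then pack them into one integer, one bit per input.
    granted = set()
    for qual in subject.qualifications.get(obj.oid, ()):
        granted |= obj.qualifications.get(qual, set())
    return sum(1 << i for i, name in enumerate(obj.inputs) if name in granted)

def decode_rights(obj, mask):
    # Step 8, PLC side: unpack the integer back into the set of accessible inputs.
    return {name for i, name in enumerate(obj.inputs) if mask >> i & 1}

def login(subject, obj):
    # Login session: refused if the subject is logged in elsewhere, the object is already
    # served, or nothing is granted (our assumption); otherwise block both and return the right.
    rights = encode_rights(obj, subject)
    if rights == 0 or subject.logged_in_to is not None or obj.locked_by is not None:
        return None
    subject.logged_in_to, obj.locked_by = obj.oid, subject.sid
    return rights

def logout(subject, obj):
    # Logout session: "zero qualifications"; unblock the subject and the object.
    if subject.logged_in_to != obj.oid or obj.locked_by != subject.sid:
        return False
    subject.logged_in_to = obj.locked_by = None
    return True

def build_sample():  # constructed sample data, not from the paper
    press = ProtectedObject("press_01", ["start", "stop", "jog", "maint_mode", "calibrate"],
                            {"Operator": {"start", "stop"}, "Maintainer": {"stop", "maint_mode"},
                             "Installer": {"start", "stop", "jog", "calibrate"}})
    s1 = Subject("s1", {"press_01": {"Operator", "Maintainer"}})   # overlapping "stop"
    s2 = Subject("s2", {"press_01": {"Installer"}})
    return press, s1, s2
```

With the sample data, s1's two qualifications collapse to the bits for start, stop and maint_mode (integer 11), and s2 is refused until s1 logs out and the press is unblocked.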
Consequence: because the subjects are granted rights through
qualifications, there is no need to assign inputs to subjects. When new
inputs for a protected object appear, this modification is easily
realized by simply assigning the respective inputs to the qualifications
existing for the respective protected object. Automatically, all the
subjects that hold the respective qualifications will be able to use the
newly added inputs, without any additional changes. The case when the
respective inputs cannot be assigned to the existing qualifications is
an exception. In this case, one or more qualifications and the
corresponding courses shall be created. These shall offer the subjects
the possibility to attend school classes and to obtain the required
qualifications that grant the right to access the new inputs.
The implementation of the "least privilege" is supported by sessions.
When using qualifications, we can rapidly get information (through
profiles), as follows: What qualifications are required for a subject
to get a job? What profile matches a certain job? Some of the execution
environments are using qualifications in HR (Human Resources) for
different internal processes. Their integration in the authorization
concept presented through QBAC offers the advantage that they are used
naturally by HR, and not only for the authorization process.
Known usages: the authorization concept presented through QBAC is
currently in the testing phase at the company NWCON Technology
Consulting GmbH, Germany.
4. CONCLUSIONS
In this paper, we have briefly presented an access control pattern
named QBAC, which describes the foundation of a new authorization
concept based on qualifications. This pattern can be extended by adding
the elements required for the subjects to attend school classes in order
to get qualifications. This part requires role based access control
(RBAC) to offer the subjects the possibility to book a place in one of
the available courses, or to attend E-learning.
5. REFERENCES
Buschmann, F.; Henney, K. & Schmidt, D. (2007).
Pattern-oriented Software Architecture 4: A Pattern Language for
Distributed Computing, John Wiley & Sons, ISBN: 978-0470-05902-9,
Great Britain
Fernandez, E. & Guenther, P. (2006). Patterns for session-based
access control, available from: http://epub.uniregensburg.de/6426/
Accessed: 2009-03-10
Fernandez, E.; Ballesteros, J.; Desouza-Doucet, A. &
Larrondo-Petrie, D. (2007). Security Patterns for Physical Access
Control Systems, In: Data and Applications Security XXI,
Barker, K. & Ahn, G. (Eds.), 259-274, Springer, ISBN:
9783540735335, Germany
Ferraiolo, F.; Kuhn, R. & Chandramouli, R. (2007). Role Based
Access Control, Artech House, ISBN: 1-58053-3701, Boston
Priebe, T.; Fernandez, E.; Mehlau, J. & Guenther, P. (2004). A
Pattern System for Access Control, available from:
http://www.secpat.de/fileadmin/user_upload/Publikationen/PFMP04.pdf
Accessed: 2009-01-19
Schumacher, M.; Fernandez, E. B.; Hybertson, D.; Buschmann, F.
& Sommerlad, P. (2006). Security Patterns: Integrating Security and
Systems Engineering, John Wiley & Sons, ISBN: 0-470-85884-2, Great
Britain