1 / 33

April 1 , 200 8, Dresden

Design and implementation of a distributed role concept for access control In Traceability Networks. Student: Weixun Li Tutor: Dipl.-Medien-Inf. Eberhard Grummt Responsible Professor: Prof. Dr. rer. nat. habil. Dr. h. c. Alexander Schill. April 1 , 200 8, Dresden.

saima
Download Presentation

April 1 , 200 8, Dresden

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Design and implementation of a distributed role concept for access control In Traceability Networks Student: Weixun Li Tutor: Dipl.-Medien-Inf. Eberhard Grummt Responsible Professor: Prof. Dr. rer. nat. habil. Dr. h. c. Alexander Schill April1, 2008, Dresden

  2. Overview • 1. Motivation and Introduction • 2. Requirement Analysis • 3. Concepts • 4. Comparison and Evaluation • 5. Conclusion • 6. References

  3. Motivation & Introduction

  4. Motivation • Figure. A RFID tag • The information read from RFID tag can be easily transferred into data record by EPCIS. • RFID tag is a tag that carries information about item. It can be tagged on a item and read at certain point. • The use of RFID tags enables many innovative implementation. E.g. Counterfeit, Callback

  5. The Routing Process • Figure. Theseos infrastructure[1]

  6. Requirement Analysis

  7. Security issues • Security issues in Traceability Networks: • Protections on Companies’ IP and physical addresses. • Strict and precise controls for a sharing of companies’ item information. E.g., Who can get what kind of information from whom.

  8. Extended Role-based Access control • Extended Role-based Access control (ERBAC) • A extension set of RBAC to deal with Distributed Environment’s requirement. • A concept integrates many up-to-date technologies: RBAC, EPCIS, X.509, Web Service, etc. • A complementary solution to existing traceability solutions.

  9. An Use Case • Figure. Infrastructure of ERBAC

  10. Basics • Data schemas related to access control in RSS: • roleGrant(lid varchar(50) not null, EPCClass varchar(50) not null, • comName varchar(50) not null, roleID char(12), roleName varchar(20), • expireDate date, primary key(address, EPCClass)) • company(lid varchar(50) not null primary key, comName varchar(50) • not null, address varchar(100)) • Data schemas related to access control in Single EPCIS server: event(eid char(12) not null, lid varchar(50) not null, ts timestamp not • null, primary key (eid, lid, ts)) • location(lid varchar(50) not null primary key, address varchar(100) • sProp(eid char(12) not null primary key, color varchar(20),minTemperature Integer, maxTemperature Integer) • contains(eid char(12) not null, contained eid char(12) not null, ts • timestamp not null, primary key (eid, contained eid, ts)) receivedFrom(eid char(12) not null, dbid varchar(50), ts timestamp • not null, primary key(eid, ts)) • sentTo(eid char(12) not null, dbid varchar(50), ts timestamp not null, • primary key(eid, ts))

  11. Basics • Data schemas related to access control in Single EPCIS server (Cont.): roleGrant(lid varchar(50) not null, EPCClass varchar(50) not null, • comName varchar(50) not null, roleID char(12), roleName varchar(20), • expireDate date, primary key(address, EPCClass)) • company(lid varchar(50) not null primary key, comName varchar(50) • not null, address varchar(100)) • rolePermission(roleID char(12) not null, permissionID char(12) not null, primary key(roleID, permissionID))

  12. Basics • Figure. Role Hierarchy in single EPCIS server

  13. An Use Case • Figure. Infrastructure of ERBAC

  14. Concepts

  15. Role types • Roles in the traceability network are classified into two types • General Roles: • General Roles are defined by Supply Chain (SC) participants’ properties in the view of the whole SC • E.g., Manufacturer, Distributor, Wholesaler, Retailer. • Perspective Roles: • Perspective Roles are defined by directed connected partner in the view of mutual relationship • E.g., Directly Connected Wholesaler, Competitive Wholesaler, Directly Connected Laptop Wholesaler, Directly Connected CPU Wholesaler

  16. Role Constraints Traditional RBAC concept: Roles are usually defined by the administrator or company’s committee based on the result of a requirement analysis, and then is granted to subjects as needed. The system can predict all the roles that could appear, and each system is independent from each other. The administrator extends, deletes, grants and revokes roles without consideration about other systems. However, the story in the SCMS is different. In traceability network: A single company can play various roles. One company A could play as Manufacture for Company C because it sells many products produced by itself to C. Meanwhile, it also plays a Retailer for D because it sells some raw materials to D. Role Administration can not be done with only one company’s decision most of time.

  17. Role Constraints Figure. Role Constraint

  18. Role Constraints Mutual exclusive: In traditional RBAC, two roles are mutual exclusive means they can not be assigned to a same user. In traceability network, mutual exclusive roles are associated Object Class(es). That means, one company can not be assigned two roles with the same EPC Object Class(es). Or in other words, two roles are mutual exclusive when associating with same EPC Object Class(es).

  19. Role administration • One motivation behind employing a RBAC system is to ease the authorization process. However, employing a RBAC system into large enterprise level system could result in thousands or even millions of roles creation. To manage these roles efficiently becomes a new challenge to the engineers designing the RBAC system. • ERBAC concept provides some distributed ways to deal with Role Administration.

  20. Assign Role • Figure. Role Assignment

  21. Assign Role (Cont.) • Figure. Assign Role

  22. Revoke Role • Figure. Revoke Role

  23. Add Role • Figure. Add Role

  24. Delete Role • Figure. Delete Role

  25. Conclusion

  26. Conclusion • ERBAC: • Low expense to adopt • Extend traditional RBAC to distributed implementation • Easy to be integrated into existing systems

  27. References • [1] Chand. Raphael and Felber. Pascal “Semantic Peer-to-Peer Overlays for Publish/Subscribe Networks,” Euro-Par 2005 Parallel processing, 30 August - 2 Septempber 2005, Lisbon, Portugal • [2] Chan, C.Y., Fan, W., Felber, P., Garofalakis, M., Rastogi, R.: , “Tree Pattern Aggregation for Scalable XML Data Dissemination,” In: Proceedings of VLDB. (2002).

  28. Thank you! • & • Questions?

  29. A figure to explain X.509 • Figure. Insert operation[1]

  30. Figure. An requirement of counterfeit[1] Introduction of Traceability Network

  31. Activity Diagram for Role Assignment • Figure. Activity Diagram for Role Assignment

  32. Organizing Peers According to Containment • Maintaining the Containment Hierarchy Tree • Join steps: • Calculate containment relationship • Connect to parent with the highest depth • Reorganizing the Hierarchy Tree (always, never, periodically) • Leave steps: • If the node is part of an equivalence tree, simply perform a leaf promotion • If the node is not part of an equivalence tree, reconnecting this node’s children to their grand-parent.

  33. Organizing Peers According to Containment • Figure. Insert operation[1]

More Related