Access Control for the JCOP Framework
Sascha Schmeling, IT/CO
Overview
• Goals of Access Control
• Context
• JCOP Framework Guidelines
• SASG Guidelines
• PVSS Boundary Conditions
• A Proposal
• Outlook and Planning
Goals
• What to protect?
• What to protect against?
  • malicious attacks
  • typing (clicking) errors
Inside the PVSS System
• connections between managers will be secure …
• What about external connections?
  • DIM
  • OPC
• What about scripts, panels, libraries?
What to protect against?
• malicious attacks
  • attacks from hackers from outside
  • “attacks” from ambitious users from inside
• non-malicious mistakes
  • typing mistakes like Ecal instead of Hcal
  • typing mistakes in settings
  • ambitious system testers
JCOP Framework Guidelines (I)
• Users
  • all operators and developers will be given a PVSS user account
• Groups
  • PVSS user groups will be established with privileges corresponding to specific roles
• Privilege
  • a user may be allocated a set of privileges directly or indirectly through his association with a particular group
• Object
  • what is accessed in the system (in general this would refer to a CU or a DU)
• Domain
  • this is some user-defined grouping of objects, e.g. sub-detector
• Object Access Rights
  • it will be possible to assign a required privilege level to an object or category within the system
JCOP Framework Guidelines (II)
• Privilege Levels
  • Monitor
    • the user is allowed to view the object but cannot change any parameters
  • Control
    • the user is required to have this privilege level to be able to change a restricted range of a particular object’s parameters
  • Debug
    • the user is required to have this privilege level to be able to change all parameters of a particular object
  • Modify
    • the user is required to have this privilege level to be able to modify the structure of this particular object
JCOP Framework Guidelines (III)
• A user will be assigned a privilege level for each object or category defined for that experiment.
• Access control should be applied via the HMI, i.e. on buttons, list box items, etc., whose actions need access protection.
• A Framework function will be provided to check whether the current user has the privilege to perform an action:
  • fwGetUserPermission(string privilegeLevelRequired, string domain, boolean &granted, dyn_string &exception)
• A Control System developer should use the above function on opening a panel to check whether the current user has the necessary privilege to access the actions possible from this panel and, if not, to grey out the buttons, list box items, etc., which correspond to actions for which this user does not have the required privilege level.
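The following is an added example, not code from the slides or from the JCOP Framework: it models the guideline vocabulary (users, groups, privileges, domains, the four privilege levels) in Python and shows the "check on panel open, grey out what is not permitted" pattern around a stand-in for fwGetUserPermission. It assumes the four levels form an ordered ladder (Monitor < Control < Debug < Modify); the sample users, groups, domains and the action-to-level mapping are constructed, and the stand-in returns a (granted, exceptions) tuple instead of the CTRL output parameters.

```python
"""JCOP-style privilege check and HMI greying, modelled in Python (added example)."""

# Privilege levels from the guidelines. Assumption: an ordered ladder, so a
# higher level satisfies any lower requirement.
LEVELS = ("Monitor", "Control", "Debug", "Modify")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data: group privileges are held per domain (sub-detector).
GROUPS = {
    "shifters":    {"Ecal": "Control", "Hcal": "Control"},
    "ecal_expert": {"Ecal": "Modify"},
}
USERS = {
    "alice": {"groups": ["shifters"], "direct": {}},
    "bob":   {"groups": ["shifters", "ecal_expert"], "direct": {}},
    "carol": {"groups": [], "direct": {"Hcal": "Debug"}},   # direct allocation, no group
}


def effective_level(user, domain):
    """Highest privilege a user holds in a domain, directly or through a group."""
    u = USERS.get(user)
    if u is None:
        return None
    candidates = [u["direct"].get(domain)] + [GROUPS.get(g, {}).get(domain) for g in u["groups"]]
    best = None
    for lvl in candidates:
        if lvl is not None and (best is None or RANK[lvl] > RANK[best]):
            best = lvl
    return best


def fw_get_user_permission(user, level_required, domain):
    """Python stand-in for fwGetUserPermission(level, domain, &granted, &exception).

    Returns (granted, exceptions). Any unknown level, user or domain fails closed:
    the action is simply not granted and the reason is reported.
    """
    exceptions = []
    if level_required not in RANK:
        exceptions.append(f"unknown privilege level '{level_required}'")
        return False, exceptions
    held = effective_level(user, domain)
    if held is None:
        exceptions.append(f"user '{user}' has no privilege in domain '{domain}'")
        return False, exceptions
    return RANK[held] >= RANK[level_required], exceptions


# Actions a panel offers and the level each one needs (constructed).
PANEL_ACTIONS = {
    "view_status":    "Monitor",
    "set_hv":         "Control",
    "set_all_params": "Debug",
    "edit_structure": "Modify",
}


def panel_state(user, domain):
    """Called on panel open: action -> enabled, so the HMI greys out the rest."""
    return {action: fw_get_user_permission(user, lvl, domain)[0]
            for action, lvl in PANEL_ACTIONS.items()}


if __name__ == "__main__":
    for u in USERS:
        print(u, "Ecal:", panel_state(u, "Ecal"))
```

Note that the check is done once per panel and per domain; the HMI only hides or greys out controls, so the same level check would still have to be repeated on the DP side if protection below the HMI is wanted (see the open questions later in the deck).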
SASG Guidelines
• definitions for Users, Groups, Privilege, and Domain match the JCOP guidelines
• privilege levels are stricter than in the JCOP guidelines, and privileges are inclusive
• the bits in the permissions word are already defined:
  • everybody has monitor rights everywhere
  • 3 bits for Basic, Expert, and Configure
  • 8 domains
• application via the HMI as in the JCOP guidelines is foreseen
PVSS Boundary Conditions
• 64 groups with up to 1024 users each
• maximum 32 authorization levels (privileges)
• 5 standard authorization levels (privileges)
• privilege concept per group
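As an added example (not SASG or PVSS code), the block below models the SASG permissions word from the previous slide, 3 bits per domain for 8 domains with Monitor implicit everywhere and inclusive privileges, and checks it against the 32-authorization-level limit on this slide. The domain names, the bit ordering (domain 0 in the lowest bits, Basic as the lowest bit of each triple) and the sample grants are assumptions; the consistency check flags a word in which a higher bit is set without the lower ones, which the inclusive scheme never produces.

```python
"""SASG-style permissions word: 8 domains x 3 bits, Monitor implicit (added example)."""

DOMAINS = ("Ecal", "Hcal", "Tracker", "Muon", "Trigger", "DAQ", "Magnet", "Infra")  # constructed
BITS_PER_DOMAIN = 3
LEVEL_BIT = {"Basic": 0, "Expert": 1, "Configure": 2}   # Monitor needs no bit
PVSS_MAX_AUTH_LEVELS = 32                               # PVSS boundary condition
WORD_BITS = len(DOMAINS) * BITS_PER_DOMAIN              # 24

# Valid bit triples under inclusiveness: nothing, Basic, Basic+Expert, all three.
VALID_TRIPLES = {0b000: "Monitor", 0b001: "Basic", 0b011: "Expert", 0b111: "Configure"}


def fits_pvss():
    """8 domains x 3 bits must fit into PVSS's 32 authorization levels."""
    return WORD_BITS <= PVSS_MAX_AUTH_LEVELS


def grant(word, domain, level):
    """Set the bit for `level` in `domain` plus every lower level (inclusive)."""
    d = DOMAINS.index(domain)
    for b in range(LEVEL_BIT[level] + 1):
        word |= 1 << (d * BITS_PER_DOMAIN + b)
    return word


def has_privilege(word, domain, level):
    """Monitor is always granted; any other level needs its bit in that domain."""
    if level == "Monitor":
        return True
    d = DOMAINS.index(domain)
    return bool((word >> (d * BITS_PER_DOMAIN + LEVEL_BIT[level])) & 1)


def is_consistent(word):
    """Reject a word that breaks inclusiveness (e.g. Expert set without Basic)."""
    for d in range(len(DOMAINS)):
        triple = (word >> (d * BITS_PER_DOMAIN)) & 0b111
        if triple not in VALID_TRIPLES:
            return False
    return True


def decode(word):
    """Readable view of a word: domain -> highest level held."""
    out = {}
    for d, name in enumerate(DOMAINS):
        triple = (word >> (d * BITS_PER_DOMAIN)) & 0b111
        out[name] = VALID_TRIPLES.get(triple, "INVALID")
    return out


if __name__ == "__main__":
    w = grant(grant(0, "Hcal", "Expert"), "Ecal", "Basic")
    print(f"word=0x{w:06x} fits PVSS={fits_pvss()} consistent={is_consistent(w)}")
    print(decode(w))
```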
Open Questions
• Where do we want to protect?
  • HMI level?
  • DP level?
• How many domains?
• How many users?
• Shall we use the PVSS permissions?
A First Concept
• Protection by Licensing
  • production system licenses should not contain para entries
• Protection by Limited Network Access
  • production machines should not have outside access capabilities; ssh tunnels are possible
• Protection by File System Rights
  • have central file server(s) for needed files
• Protection by HMI
  • only propose functions that the particular user may execute
• Protection by Relocation
  • put the functionality into encrypted libraries
• Protection on DP level
  • only for very special DPs
A First Component
The JCOP Framework Access Control Component will consist of
• panels for user management
• a function
  • fwGetUserPermission(levelRequired, domain)
• guidelines
  • where to put functionality
  • how to secure the system (files, …)
• legacy functions
Project Planning