A secure, scalable, fine-grained and flexible access control is extremely important for the digital society. The approaches used until now (RBAC, groups in an LDAP directory, XACML) alone may not be able to meet this challenge. Building on past experience in industry, we propose an Access Management Framework in which the central role is played by a token containing all the information needed to implement fine-grained access control. This Authorization Token should be signed by the approver and sent inside a "claim" to the application at session time. The application, after checking the validity of the token, will control access to the desired resource. In this way we can achieve fine-grained access control, scalability and independence from network topologies.
The shape of a Directory Information Tree contributes much to the success of an LDAP project: a well-designed structure can grow without problems, but if you face this task for the first time, it may be difficult to design the right tree, given the great flexibility of LDAP. How many containers? How deep should the tree be? What kind of information should we store in them? We analyze the factors to take into account when designing a DIT and find that they are not always related to the organizational structure.
We store information in an LDAP directory using attributes, and we group attributes into objects. These objects are built on a blueprint, the “objectClass”, which defines what is in and what is not. Finally, we store the definitions of the attributes and object classes in a special object called the “schema”. When we start with LDAP, the schema already contains attribute and class definitions that were defined after a careful standardisation process, but often we need to extend these definitions to store information specific to our project that is not included in the standard schema.
The goal of this tutorial is to give instructions and discuss best practices for extending an LDAP schema, arriving at a clear design that can support an organisation for many years.
Papers by Giovanni Baruzzi