
Centralized Security Role Masking in a Cloud Environment Disclosure Number: IPCOM000244291D
Publication Date: 2015-Nov-30
Document File: 3 page(s) / 161K

Publishing Venue: The Prior Art Database


Disclosed is a method for masking a user role in a typical role-based access control system, giving more granularity and control when managing multi-tenant environments such as clouds and other shared services. The method gives system administrators more flexibility and a greater level of control over their access controls. As enterprises shift to both on-premise and off-premise clouds, this capability is increasingly important for maintaining the required security controls.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 40% of the total text.


Centralized Security Role Masking in a Cloud Environment

Disclosed is a method for masking and unmasking a user role in a typical Role-Based Access Control (RBAC) implementation, so that access can be limited selectively without changing the properties of either the role or the user. In a centralized Lightweight Directory Access Protocol (LDAP) environment with RBAC users, the roles are maintained on the LDAP server: each user's roles are recorded in the directory and governed by the central server. When the same role is assigned to different users residing on multiple hosts, its rules and permissions are identical everywhere. There is no granularity within a defined role.

    With the existing technology, consider a community cloud in which individual administrators manage different cloud environments belonging to the same organization. In a multi-cloud environment such as this, it is often required to manage all of the administrators centrally. Assume these administrators are given permission through a centralized LDAP server based on their respective roles. These centralized roles grant the same permission to all of the administrators regardless of which cloud they manage. This is a benefit of LDAP and RBAC, because it makes managing roles and users easy, but it is also a limitation. There may be circumstances, such as maintenance or scheduled change windows, in which some or all of the administrators have to be prevented from performing cloud administration. The only method available today is to remove the role from each user's individual profile to prevent access to system administration functions, because a role cannot be deleted while it is assigned to a user. If there are 100+ users, each user's properties have to be changed to remove the role. This is an inefficient and risky approach: it invites errors and can affect dependent user roles, which may lead to a serious security violation and expose the system to vulnerabilities.

    The disclosed method masks and unmasks a user role to limit access without actually changing the properties of the role or the user. It does so by introducing a new role attribute that specifies the state of the role. Normally the role attributes are role_name, role_id, groups, authorizations, and so on, and for each attribute an object is created in the LDAP server to store its values. With this invention, a new role_state LDAP attribute is introduced to centrally control the effectiveness of the role regardless of where the users intend to use it.

    When the role_state attribute is set to active, the role remains effective in all users' profiles. When role_state is set to inactive, the role's effectiveness is masked. In this form the method either allows or disallows all users holding the role at once.
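The masking behaviour described above, as an added example that is not part of the disclosure: a small in-memory model of the central directory in which one write to a role object's role_state attribute masks that role for every user holding it, while the user profiles stay untouched. The dict standing in for the LDAP server, the user-side roles attribute (a list of role DNs), the DNs and the 100 constructed administrator entries are all assumptions for illustration; the attribute names role_name, role_id, groups, authorizations and role_state are the ones the disclosure lists.

```python
"""In-memory model of role masking via a role_state attribute.

Constructed example, not the disclosure's code: the dict below stands in
for a central LDAP server, and the user-side attribute 'roles' (a list of
role DNs) is an assumption, since the disclosure does not say how a user
profile references its roles.
"""
from copy import deepcopy

ROLES_OU = "ou=roles,dc=example,dc=com"
ADMIN_ROLE = f"cn=cloud_admin,{ROLES_OU}"
READER_ROLE = f"cn=reader,{ROLES_OU}"

DIRECTORY = {
    ADMIN_ROLE: {
        "role_name": ["cloud_admin"],
        "role_id": ["1001"],
        "groups": ["cloudadm"],
        "authorizations": ["cloud.vm.create", "cloud.vm.delete"],
        "role_state": ["active"],   # the new attribute
    },
    READER_ROLE: {
        "role_name": ["reader"],
        "role_id": ["1002"],
        "groups": ["readers"],
        "authorizations": ["cloud.vm.list"],
        "role_state": ["active"],
    },
}
# 100 administrators spread over several clouds, all holding the same two
# central roles (constructed data).
for i in range(100):
    DIRECTORY[f"uid=admin{i:03d},ou=people,dc=example,dc=com"] = {
        "uid": [f"admin{i:03d}"],
        "cloud": [f"cloud-{i % 4}"],
        "roles": [ADMIN_ROLE, READER_ROLE],
    }


def ldap_modify_replace(directory, dn, attr, values):
    """Replace one attribute on one entry (stands in for an LDAP modify op)."""
    if dn not in directory:
        raise KeyError(f"no such entry: {dn}")
    directory[dn][attr] = list(values)


def role_is_active(role_entry):
    """Assumption: a role object that predates the new attribute and has no
    role_state behaves as it did before the change, i.e. as active."""
    return role_entry.get("role_state", ["active"]) == ["active"]


def effective_roles(directory, user_dn):
    """The user's roles minus every role whose role_state masks it.
    Only role objects are consulted; the user entry is never modified."""
    effective = []
    for role_dn in directory[user_dn].get("roles", []):
        role = directory.get(role_dn)
        if role is not None and role_is_active(role):
            effective.append(role_dn)
    return effective


def is_authorized(directory, user_dn, authorization):
    """An authorization is granted only through a currently effective role."""
    return any(
        authorization in directory[role_dn].get("authorizations", [])
        for role_dn in effective_roles(directory, user_dn)
    )


def mask_role(directory, role_dn):
    ldap_modify_replace(directory, role_dn, "role_state", ["inactive"])


def unmask_role(directory, role_dn):
    ldap_modify_replace(directory, role_dn, "role_state", ["active"])


def users_authorized(directory, authorization):
    return sum(1 for dn in directory
               if dn.startswith("uid=") and is_authorized(directory, dn, authorization))


def demo():
    """Mask the admin role for a change window, then restore it."""
    d = deepcopy(DIRECTORY)
    a_user = "uid=admin042,ou=people,dc=example,dc=com"
    before = users_authorized(d, "cloud.vm.delete")
    mask_role(d, ADMIN_ROLE)                          # one write on one role object
    during = users_authorized(d, "cloud.vm.delete")
    reading = users_authorized(d, "cloud.vm.list")    # other roles unaffected
    profile_untouched = d[a_user] == DIRECTORY[a_user]
    unmask_role(d, ADMIN_ROLE)
    after = users_authorized(d, "cloud.vm.delete")
    return before, during, reading, profile_untouched, after


if __name__ == "__main__":
    print(demo())   # (100, 0, 100, True, 100)
```

The point to check in a real deployment is the one the model makes explicit in effective_roles: masking only works if every host that makes an authorization decision resolves the role object from the central server and evaluates role_state at decision time. A host that caches role attributes, or ignores an attribute its schema does not know, keeps granting the masked role.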

    Sometimes it may still be required to grant permission on...