| <!-- |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| --> |
| <html> |
| <head> |
| <title>Package Documentation for org.apache.directory.fortress</title> |
| </head> |
| <body> |
| This package contains public APIs that are used by Java programs to provide Access Management |
| functionality. The APIs are organized into categories or 'Managers'. Each manager controls a |
| specific area of functionality. |
| <h3>Managers</h3> |
| <ol> |
| <li>{@link org.apache.directory.fortress.core.AccessMgr} is used for RBAC runtime security checking</li> |
| <li>{@link org.apache.directory.fortress.core.AdminMgr} is for RBAC provisioning</li> |
| <li>{@link org.apache.directory.fortress.core.AuditMgr} is for interrogating OpenLDAP audit and historical logs</li> |
| <li>{@link org.apache.directory.fortress.core.DelAccessMgr} is used for ARBAC runtime security checking</li> |
| <li>{@link org.apache.directory.fortress.core.DelAdminMgr} is for ARBAC provisioning</li> |
| <li>{@link org.apache.directory.fortress.core.DelReviewMgr} is used to interrogate ARBAC policy</li> |
| <li>{@link org.apache.directory.fortress.core.PwPolicyMgr} is for performing Password policy provisioning and |
| interrogation |
| </li> |
| <li>{@link org.apache.directory.fortress.core.ReviewMgr} is used to interrogate RBAC policy</li> |
| </ol> |
| <p> |
| The <b>org.apache.directory.fortress</b> package provides managers, factories and exception classes that can be |
| thrown when |
| fortress needs to report an error status code back to caller. The fortress manager APIs are based on standards like |
| <a href="http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf">RBAC</a>, |
| <a href="http://profsandhu.com/journals/tissec/p113-oh.pdf">ARBAC02</a> and |
| <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">Password Policy for LDAP Directories</a>. |
| A {@link org.apache.directory.fortress.core.model.Constraint} mechanism is used by fortress to control the |
| {@link org.apache.directory.fortress.core.util.time.Time}, {@link org.apache.directory.fortress.core.util.time.Date} |
| and |
| {@link org.apache.directory.fortress.core.util.time.Day} of week for when a |
| {@link org.apache.directory.fortress.core.model.User} or {@link org.apache.directory.fortress.core.model.UserRole} |
| entity can be activated within a {@link org.apache.directory.fortress.core.model.Session}. |
| There is also a lockout mechanism to temporarily bar entities from activating. |
| AuditMgr may be used to interrogate OpenLDAP audit and historical information. |
| </p> |
| |
| <hr> |
| |
| <h2>Description of Package Contents</h2> |
| This package contains APIs to do the following |
| <ol> |
| <li>Role Based Access Control (RBAC)</li> |
| <li>Administrative Role Based Access Control (ARBAC)</li> |
| <li>Password Policies</li> |
| <li>Audit Trail</li> |
| </ol> |
| The following sections provides more info on each. |
| |
| <hr> |
| |
| <h3>1. Role Based Access Control description</h3> |
| |
| <p> |
| Many of the method names and signatures within this package were taken directly from ANSI INCITS 359-2004. |
| The RBAC Functional specification describes administrative operations for the creation |
| and maintenance of RBAC element sets and relations; administrative review functions for |
| performing administrative queries; and system functions for creating and managing |
| RBAC attributes on user sessions and making access control decisions. |
| <p/> |
| |
| <h4>RBAC0 - Core</h4> |
| <p> |
| Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, |
| update, delete identity data and perform identity and access control decisions during runtime operations. |
| <p/> |
| <img src="./doc-files/RbacCore.png" alt="Apache Fortress Core"/> |
| |
| <h4>RBAC1 - General Hierarchical Roles</h4> |
| Simplifies role engineering tasks using inheritance of one or more parent roles. |
| <img src="./doc-files/RbacHier.png" alt="Hierarchical RBAC"/> |
| |
| <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4> |
| <p> |
| Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which |
| roles may be assigned to users in combination. SSD provide added granularity for authorization limits which help |
| enterprises meet strict compliance regulations. |
| <p/> |
| <img src="./doc-files/RbacSSD.png" alt="RBAC Static Separpation of Duties"/> |
| |
| <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4> |
| <p> |
| Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that |
| facilitate authorization dual control and two man policy restrictions during runtime security checks. |
| <p/> |
| <img src="./doc-files/RbacDSD.png" alt="RBAC Dynamic Separation of Duties"/> |
| |
| <hr> |
| |
| <h3>2. Administrative Role Based Access Control (ARBAC) description</h3> |
| These APIs map directly to similar named APIs specified by ARBAC02 functions. |
| The ARBAC Functional specification describes delegated administrative |
| operations for the creation and maintenance of ARBAC element sets and relations. |
| Delegated administrative review functions for performing administrative queries |
| and system functions for creating and managing ARBAC attributes on user sessions and making delegated |
| administrative access control decisions. |
| <h4>ARBAC02 Diagram</h4> |
| <img src="./doc-files/ARbac.png" alt="ARBAC02"/> |
| <p> |
| Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. |
| ARBAC provides large enterprises the capability to delegate administrative authority to |
| users that reside outside of the security admin group. |
| Decentralizing administration helps because it provides security provisioning capability to |
| work groups without sacrificing regulations for accountability or traceability. |
| <p/> |
| |
| <hr> |
| |
| <h3>3. Password Policy description</h3> |
| Fortress APIs store and interrogate policies on <a href="http://www.openldap.org/">OpenLDAP</a> which supports the |
| IETF <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">Password Policies LDAP directories</a> |
| draft. |
| Policies may be applied at the user, group or global level. |
| Password enforcement options include: |
| <ul> |
| <li>A configurable limit on failed authentication attempts.</li> |
| <li>A counter to track the number of failed authentication attempts.</li> |
| <li>A time frame in which the limit of consecutive failed authentication attempts must happen before action is |
| taken. |
| </li> |
| <li>The action to be taken when the limit is reached. The action will either be nothing, or the account will be |
| locked. |
| </li> |
| <li>An amount of time the account is locked (if it is to be locked) This can be indefinite.</li> |
| <li>Password expiration.</li> |
| <li>Expiration warning</li> |
| <li>Grace authentications</li> |
| <li>Password history</li> |
| <li>Password minimum age</li> |
| <li>Password minimum length</li> |
| <li>Password Change after Reset</li> |
| <li>Safe Modification of Password</li> |
| </ul> |
| |
| <h4>Password Policy diagram</h4> |
| The following is an example of policies that can be configured. There is no limit to the number of different policies |
| that can be created and enforced. |
| <img src="./doc-files/PasswordPolicy.png" alt="Password Policies"/> |
| |
| <h3>4. History and Audit trail using OpenLDAP</h3> |
| Provides an OpenLDAP access log retrieval mechanism that enables security event monitoring. |
| <ol> |
| <li>Authentication events:</li> |
| <li>Session enablement events</li> |
| <li>Authorization events</li> |
| <li>Entity mods and deletes</li> |
| </ol> |
| |
| <h4>Diagram of Audit Events</h4> |
| <img src="./doc-files/Audit.png" alt="Auditing"/> |
| |
| All events include Fortress context, see {@code FortEntity}. |
| <h4>The following APIs generate events subsequently stored in this access log:</h4> |
| <ul> |
| <li> {@link org.apache.directory.fortress.core.AccessMgr}</li> |
| <li> {@link org.apache.directory.fortress.core.AdminMgr}</li> |
| <li> {@link org.apache.directory.fortress.core.AdminMgr}</li> |
| <li> {@link org.apache.directory.fortress.core.DelAdminMgr}</li> |
| <li> {@link org.apache.directory.fortress.core.ConfigMgr}</li> |
| <li> {@link org.apache.directory.fortress.core.PwPolicyMgr}</li> |
| </ul> |
| </body> |
| </html> |
| |