WebApp Sec: Re: Model for Field level Access Control

["Cesar Osorio" <COsorio () awb com au>]

S,

I am currently in a project for Directory structures and Data access, the
concept is pretty simple,  google for ROLE BASED SECURITY.
The principle for this is "Users only see what is needed and not more and
not less".

Example:
            Description       ROLE        Data Access
            Supervisor  supervisor  Input, delete, modify, etc, some
reporting
            Manager     Manager     Reports and Some Finance
            Clerk       Data entry  Input only not delete

and so on... To make it easier, the first thing you need to do is to
determine ROLES and Job Functions, then create a matrix with all of this
and applied it to your data, document everything as the organisation will
change !?! and keep a master list of all roles and access required, as soon
as a role changes the access right changes.

Another example:
                  Description             ROLE              DATA ACCESS
                  IT Developer                  web-developer
Development systems
                  IT Developer team leader      IT-devTL
Development systems + Team leading data area
                  IT Developers manager         IT-dev-mgr        Team
leading data area + Managers area.
Have Fun

Regards,

Cesar Osorio
Operation Security Analyst



                                                                                                                        
               
                      "Sundaram,                                                                                        
               
                      Ramasubramanian          To:       <webappsec () securityfocus com>                               
                  
                      (Cognizant)"             cc:                                                                      
               
                      <SRamasub () chn cog        Subject:  Model for Field level Access Control                        
                  
                      nizant.com>                                                                                       
               
                                                                                                                        
               
                      26/02/2004 16:18                                                                                  
               
                                                                                                                        
               
                                                                                                                        
               




HI,
  We are designing a data model for a web application which requires
attribute level access control for records.
  This application manages hundreds of thousands of records of people. The
users of this application work on these records by modifying the attributes
of the people, adding new entries, searching for people etc. Access to
these records needs to be restricted based on the following factors.
1)Userid / Role of the logged in user
2)The record he is trying to access
3)Fields of the record that he is trying to access and
4)The action he is trying to perform on the record(edit,delete or create a
new record)

Has anyone come across an efficient model to represent/evaluate these
restrictions? These records are stored in a database.

Any help in this regard is greatly appreciated.

Thanks,
Rams

(See attached file: InterScan_Disclaimer.txt)

Attachment: InterScan_Disclaimer.txt
Description: