Package org.apache.directory.fortress.core

This package contains public APIs that are used by Java programs to provide Access Management functionality. The APIs are organized into categories or 'Managers'. Each manager controls a specific area of functionality.

Managers

  1. AccessMgr is used for RBAC runtime security checking
  2. AdminMgr is for RBAC provisioning
  3. AuditMgr is for interrogating OpenLDAP audit and historical logs
  4. DelAccessMgr is used for ARBAC runtime security checking
  5. DelAdminMgr is for ARBAC provisioning
  6. DelReviewMgr is used to interrogate ARBAC policy
  7. PwPolicyMgr is for performing Password policy provisioning and interrogation
  8. ReviewMgr is used to interrogate RBAC policy

The org.apache.directory.fortress package provides managers, factories and exception classes that can be thrown when fortress needs to report an error status code back to caller. The fortress manager APIs are based on standards like RBAC, ARBAC02 and Password Policy for LDAP Directories. A Constraint mechanism is used by fortress to control the Time, Date and Day of week for when a User or UserRole entity can be activated within a Session. There is also a lockout mechanism to temporarily bar entities from activating. AuditMgr may be used to interrogate OpenLDAP audit and historical information.


Description of Package Contents

This package contains APIs to do the following
  1. Role Based Access Control (RBAC)
  2. Administrative Role Based Access Control (ARBAC)
  3. Password Policies
  4. Audit Trail
The following sections provides more info on each.

1. Role Based Access Control description

Many of the method names and signatures within this package were taken directly from ANSI INCITS 359-2004. The RBAC Functional specification describes administrative operations for the creation and maintenance of RBAC element sets and relations; administrative review functions for performing administrative queries; and system functions for creating and managing RBAC attributes on user sessions and making access control decisions.

RBAC0 - Core

Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, update, delete identity data and perform identity and access control decisions during runtime operations.

Apache Fortress Core

RBAC1 - General Hierarchical Roles

Simplifies role engineering tasks using inheritance of one or more parent roles. Hierarchical RBAC

RBAC2 - Static Separation of Duty (SSD) Relations

Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which roles may be assigned to users in combination. SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.

RBAC Static Separpation of Duties

RBAC3 - Dynamic Separation of Duty (DSD) Relations

Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.

RBAC Dynamic Separation of Duties


2. Administrative Role Based Access Control (ARBAC) description

These APIs map directly to similar named APIs specified by ARBAC02 functions. The ARBAC Functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations. Delegated administrative review functions for performing administrative queries and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.

ARBAC02 Diagram

ARBAC02

Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.


3. Password Policy description

Fortress APIs store and interrogate policies on OpenLDAP which supports the IETF Password Policies LDAP directories draft. Policies may be applied at the user, group or global level. Password enforcement options include:
  • A configurable limit on failed authentication attempts.
  • A counter to track the number of failed authentication attempts.
  • A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
  • The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
  • An amount of time the account is locked (if it is to be locked) This can be indefinite.
  • Password expiration.
  • Expiration warning
  • Grace authentications
  • Password history
  • Password minimum age
  • Password minimum length
  • Password Change after Reset
  • Safe Modification of Password

Password Policy diagram

The following is an example of policies that can be configured. There is no limit to the number of different policies that can be created and enforced. Password Policies

4. History and Audit trail using OpenLDAP

Provides an OpenLDAP access log retrieval mechanism that enables security event monitoring.
  1. Authentication events:
  2. Session enablement events
  3. Authorization events
  4. Entity mods and deletes

Diagram of Audit Events

Auditing All events include Fortress context, see FortEntity.

The following APIs generate events subsequently stored in this access log: