AccessMgris used for RBAC runtime security checking
AdminMgris for RBAC provisioning
AuditMgris for interrogating OpenLDAP audit and historical logs
DelAccessMgris used for ARBAC runtime security checking
DelAdminMgris for ARBAC provisioning
DelReviewMgris used to interrogate ARBAC policy
PwPolicyMgris for performing Password policy provisioning and interrogation
ReviewMgris used to interrogate RBAC policy
The org.apache.directory.fortress package provides managers, factories and exception classes that can be
fortress needs to report an error status code back to caller. The fortress manager APIs are based on standards like
Password Policy for LDAP Directories.
Constraint mechanism is used by fortress to control the
Day of week for when a
entity can be activated within a
There is also a lockout mechanism to temporarily bar entities from activating.
AuditMgr may be used to interrogate OpenLDAP audit and historical information.
Description of Package ContentsThis package contains APIs to do the following
- Role Based Access Control (RBAC)
- Administrative Role Based Access Control (ARBAC)
- Password Policies
- Audit Trail
1. Role Based Access Control description
Many of the method names and signatures within this package were taken directly from ANSI INCITS 359-2004. The RBAC Functional specification describes administrative operations for the creation and maintenance of RBAC element sets and relations; administrative review functions for performing administrative queries; and system functions for creating and managing RBAC attributes on user sessions and making access control decisions.
RBAC0 - Core
Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
RBAC1 - General Hierarchical RolesSimplifies role engineering tasks using inheritance of one or more parent roles.
RBAC2 - Static Separation of Duty (SSD) Relations
Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which roles may be assigned to users in combination. SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.
RBAC3 - Dynamic Separation of Duty (DSD) Relations
Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
2. Administrative Role Based Access Control (ARBAC) descriptionThese APIs map directly to similar named APIs specified by ARBAC02 functions. The ARBAC Functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations. Delegated administrative review functions for performing administrative queries and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
3. Password Policy descriptionFortress APIs store and interrogate policies on OpenLDAP which supports the IETF Password Policies LDAP directories draft. Policies may be applied at the user, group or global level. Password enforcement options include:
- A configurable limit on failed authentication attempts.
- A counter to track the number of failed authentication attempts.
- A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
- The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
- An amount of time the account is locked (if it is to be locked) This can be indefinite.
- Password expiration.
- Expiration warning
- Grace authentications
- Password history
- Password minimum age
- Password minimum length
- Password Change after Reset
- Safe Modification of Password
Password Policy diagramThe following is an example of policies that can be configured. There is no limit to the number of different policies that can be created and enforced.
4. History and Audit trail using OpenLDAPProvides an OpenLDAP access log retrieval mechanism that enables security event monitoring.
- Authentication events:
- Session enablement events
- Authorization events
- Entity mods and deletes
Diagram of Audit EventsAll events include Fortress context, see
The following APIs generate events subsequently stored in this access log:
Interface Summary Interface Description AccelMgrThis object is a Policy Enforcement Point (PEP) using the OpenLDAP Accelerator Policy Decision Point (PDP) on objects that are provisioned RBAC entities that reside in LDAP directory. AccessMgrThis object performs runtime access control operations on objects that are provisioned RBAC entities that reside in LDAP directory. AdminMgrThis class performs administrative functions to provision Fortress RBAC entities into the LDAP directory. AuditMgrThis interface prescribes methods used to search OpenLDAP's slapd access log. ConfigMgrThis interface prescribes CRUD methods used to manage properties stored within the ldap directory. DelAccessMgrThis interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress ARBAC entities that reside in LDAP directory. DelAdminMgrThis class prescribes the ARBAC02 DelAdminMgr interface for performing policy administration of Fortress ARBAC entities that reside in LDAP directory. DelReviewMgrThis class prescribes the ARBAC02 DelReviewMgr interface for performing policy interrogation of provisioned Fortress ARBAC entities that reside in LDAP directory. GroupMgrThis interface prescribes CRUD methods used to manage groups stored within the ldap directory. ManageableInterface allows outside clients to manage security and multi-tenant concerns within the Fortress runtime. PropertyMgr PwPolicyMgrThis class is used to perform administrative and review functions on the PWPOLICIES and USERS data sets. ReviewMgrThis interface prescribes the administrative review functions on already provisioned Fortress RBAC entities that reside in LDAP directory. StandardExceptionInterface that is implemented by exception base class
StandardExceptionused to associate a Fortress error code to the exception instance.
Class Summary Class Description AccelMgrFactoryCreates an instance of the AccelMgr object. AccessMgrFactoryCreates an instance of the AccessMgr object. AdminMgrFactoryCreates an instance of the AdminMgr object. AuditMgrFactoryCreates an instance of the AuditMgr object. ConfigMgrFactoryCreates an instance of the ConfigMgr object. DelAccessMgrFactoryCreates an instance of the DelAccessMgr object. DelAdminMgrFactoryCreates an instance of the DelAdminMgr object. DelReviewMgrFactoryCreates an instance of the DelReviewMgr object. GlobalErrIdsThis module contains error identifiers that are used when exception need be thrown. GlobalIdsThis class contains constants that must be defined globally but are not to be used by external programs. GroupMgrFactoryCreates an instance of the ConfigMgr object. PropertyMgrFactory PwPolicyMgrFactoryCreates an instance of the PwPolicyMgr object. ReviewMgrFactoryCreates an instance of the ReviewMgr object.
Exception Summary Exception Description AuthorizationExceptionThis exception extends
SecurityExceptionand is thrown when administrative permission check fails.
BaseExceptionBase exception class for checked exceptions thrown. BaseRuntimeExceptionBase runtime exception class for Fortress runtime exceptions. CfgExceptionThis exception extends
SecurityExceptionand is thrown when Fortress cannot find correct cfg for a particular entity.
CfgRuntimeExceptionThis exception extends
BaseRuntimeExceptionand is thrown when Fortress config startup failed.
CreateExceptionThis exception extends
SecurityExceptionand is thrown when DAO cannot create entity.
FinderExceptionThis exception extends
SecurityExceptionand is thrown when DAO cannot find entity.
PasswordExceptionThis exception extends
SecurityExceptionand is thrown when password check fails.
RemoveExceptionThis exception extends
SecurityExceptionand is thrown when DAO cannot delete entity.
RestExceptionThis exception extends
SecurityExceptionand is thrown when Fortress cannot call Fortress Rest to perform a particular operation via RESTful interface.
SecurityExceptionThis exception is declared to be thrown by all APIs within Fortress Manager interfaces: (
UpdateExceptionThis exception extends
SecurityExceptionand is thrown when DAO cannot update entity.
ValidationExceptionThis exception extends
SecurityExceptionand is thrown when Fortress cannot validate entity.