Data Visibility in RBAC and Rule-based systems issues

Digital certificates
Disaster Recovery
Identity & Access Management
Information risk management
Risk management
Security management
Security products
Security Program Management
Security tokens
Single sign-on
Actually, I have two questions: 1) are there known solutions of how to control access to data ( database records ) in RBAC system where business policy states, e.g., that data belonds to the users in certain geographical are may be viewed by users located in the same area? This is quite actual issue for financial organizations where brokers deal with client's data worldwide. 2)If one uses a Rule-based system for aforementioned example and the Rule is implemented as a SQL filtering statement ( in 'WHERE' clause ), it is very convenient solution but, to my understanding, it is the less secured solution. I mean, if access control is performed right inside of protected data storage, a single breach of it exposes the whole storage, at once; I assume, that the control must be applied BEFORE process gets into database in this case. That is, such Rule implementation should not be acceptable from a SECURITY perspective. What is your opinion on this issue ? ( I am aware of business requirements of having high performances and making security 'invisible', and I am not agrre with it: security is the TRUST, business without trust is almost nothing, so business must pay for the trust, i.e for the security, by investing into business solution scalability instead of requiring security to not affect existing performances ) Thank you, - Michael Poulin

Answer Wiki

Thanks. We'll let you know when a new response is added.

There exists a lot of doctrine, but no easy answers.

Access can be regulated by role, task and sometimes security level (secret, top secret or some commercial equivalent, but the more granular these become, the tougher it gets to administer them and to adapt to new conditions (reorgs, changes in role, task, etc.). What you specified is ?data-regulated? filtering, and the question then becomes who has done the work to relate role, level and task to data (entities, attributes, etc.). SAP, for example, offers all sorts of ways to “filter” according to role and task, but within those applying additional “data regulated” access filters is still challenging.

One way ?data regulated? access filtering can be implemented is through Business Intelligence/data warehouse approaches. The extract, transform and load process in effect prepackages the source data and keeps the users out of the source applications. Within the data, you can further prepackage data into cubes that not only work as filters, but often at least as importantly help otherwise confused users to get to what they want. A lot of data access violations are not deliberate, but the inadvertant result of a query writer forgetting to qualify a query.

If the access requirements you have in mind are relatively specific(e.g., enable a user to check inventory availability with dynamic user-level inventory location filtering), or perhaps you need to include write capabilities into the source application, Web Services can be the answer. Developing a ?Web Service? that supports the specific task can be used to publish suitably focused query or update capability. To invoke that capability, the user would then need access to some system that can issue a conforming web services call to your web service, and therefore the web service dialog call-respond dialog makes it easy to establish arms length relationships. The web services information request – although it indirectly would kick off SQL – would come as an XML document that would need to conform to the specs defined in your web service call, and the calling program would never see the SQL.

Discuss This Question:  

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: