دانلود کتاب INCITS 565-2020 Information Technology - Next Generation Access Control (NGAC)

فهرست مطالب :

1 Scope
2 Normative references
3 Definitions, symbols, abbreviations, and conventions
3.1 Definitions
3.1.1 Foundational terms
3.1.1.1 Real system
3.1.1.2 Resource
3.1.1.3 Access control
3.1.1.4 System environment
3.1.1.5 Entity
3.1.1.6 Identifier
3.1.1.7 Policy
3.1.1.8 Security model
3.1.1.9 Policy information
3.1.1.10 Authorization
3.1.1.11 Authorization state
3.1.1.12 Authorized
3.1.2 Basic policy-oriented terms
3.1.2.1 Policy entity
3.1.2.2 User
3.1.2.3 Object
3.1.2.4 User attribute
3.1.2.5 Object attribute
3.1.2.6 Policy class
3.1.2.7 Attribute
3.1.2.8 Container
3.1.2.9 Policy element
3.1.2.10 Access right
3.1.2.11 Access right set
3.1.2.12 Operation
3.1.3 Advanced policy-oriented terms
3.1.3.1 Configured relation
3.1.3.2 Assignment relation
3.1.3.3 Assignment
3.1.3.4 Path
3.1.3.5 Path length
3.1.3.6 Containment
3.1.3.7 Ascendant
3.1.3.8 Immediate ascendant
3.1.3.9 Descendant
3.1.3.10 Immediate descendant
3.1.3.11 Referent
3.1.3.12 Attribute set
3.1.3.13 Policy element diagram
3.1.3.14 Association relation
3.1.3.15 Association
3.1.3.16 Prohibition relation
3.1.3.17 Prohibition
3.1.3.18 Obligation relation
3.1.3.19 Event response
3.1.3.20 Event pattern
3.1.3.21 Obligation
3.1.3.22 Derived relation
3.1.3.23 Privilege relation
3.1.3.24 Restriction relation
3.1.4 Functionally oriented terms
3.1.4.1 Trusted entity
3.1.4.2 Functional entity
3.1.4.3 Functional architecture
3.1.4.4 Client Application (CA)
3.1.4.5 Process
3.1.4.6 Access attempt
3.1.4.7 Access request
3.1.4.8 Access decision
3.1.4.9 Event context
3.1.4.10 Policy Decision Point (PDP)
3.1.4.11 Policy Enforcement Point (PEP)
3.1.4.12 Event Processing Point (EPP)
3.1.4.13 Policy Information Point (PIP)
3.1.4.14 Policy Administration Point (PAP)
3.1.4.15 Resource Access Point (RAP)
3.1.4.16 Session
3.2 Symbols and acronyms
3.3 Keywords
3.4 Conventions
4 Reference architecture
4.1 Functional architecture
4.2 Information flows
4.2.1 Introduction
4.2.2 Resource access information flow
4.2.3 Administration access information flow
4.2.4 Event context information flow
5 Functional entity descriptions and requirements
5.1 Background
5.2 Common requirements
5.2.1 Overview
5.2.2 Exclusivity
5.2.3 Discoverability
5.2.4 Trustworthiness
5.2.5 Secure interactivity
5.2.6 Auditability
5.2.7 Resiliency
5.2.8 Extensibility
5.3 PEP requirements
5.4 PDP requirements
5.5 EPP requirements
5.6 PAP requirements
5.7 PIP requirements
5.8 RAP requirements
6 Security model
6.1 Overview
6.2 Basic elements
6.2.1 Background
6.2.2 Users
6.2.3 Processes
6.2.4 Objects
6.2.5 Operations
6.2.6 Access rights
6.2.7 User attributes
6.2.8 Object attributes
6.2.9 Policy classes
6.3 Relations
6.3.1 Background
6.3.2 Assignment
6.3.3 Association
6.3.4 Prohibition
6.3.4.1 Background
6.3.4.2 User-based prohibitions
6.3.4.3 Process-based prohibitions
6.3.4.4 Attribute-based prohibitions
6.3.5 Obligation
6.4 Administrative commands
6.4.1 Background
6.4.2 Semantic definitions
6.4.2.1 Authorization state
6.4.2.2 Element creation
6.4.2.3 Element deletion
6.4.2.4 Relation formation
6.4.2.5 Relation rescindment
6.5 Access adjudication
7 Interface specifications
7.1 Background
7.2 Interface descriptions
7.3 PDP interfaces
7.3.1 Overview
7.3.2 Access request adjudication
7.3.3 Event response evaluation
7.4 EPP interface
7.4.1 Overview
7.4.2 Event context processing
7.5 PAP interfaces
7.5.1 Overview
7.5.2 Policy inquiry
7.5.3 Policy adjustment
8 Implementation considerations
8.1 Interoperation of functional entities
8.2 Policy
8.2.1 Representation
8.2.2 Updates
8.2.3 Performance
8.3 Race conditions
8.4 Collocated functional entities
8.4.1 PEP collocation
8.4.2 PDP collocation
8.4.3 EPP collocation
8.4.4 PAP collocation
Annex A (informative) Pattern and response grammars
Annex A - Pattern and response grammars
A.1 Overview
A.2 Event pattern grammar
A.2.1 Base specification
A.2.2 User specification
A.2.3 Policy class specification
A.2.4 Operation specification
A.2.5 Policy element specification
A.3 Event response grammar
A.3.1 Base Specification
A.3.2 Create action specification
A.3.3 Assign action specification
A.3.4 Grant action specification
A.3.5 Deny action specification
A.3.6 Delete action specification
A.4 Grammar considerations
Annex B - Mappings of existing access control schemes
B.1 Overview
B.2 Chinese wall
B.2.1 Background
B.2.2 Mapping considerations
B.2.3 Example mapping
B.3 Role-based access control
B.3.1 Background
B.3.2 Mapping considerations
B.3.3 Example mapping
B.3.3.1 Constituent analysis
B.3.3.2 Roles and role hierarchy
B.3.3.3 Permission assignment
B.3.3.4 User assignment
B.3.3.5 SoD constraints
B.4 Bibliography
Annex C - Policy computations
C.1 Introduction
C.2 Background
C.3 Algorithm details
C.3.1 Find the source association nodes
C.3.2 Find the destination association nodes
C.3.3 Find the objects of interest
C.3.4 Determine the policy classes that contain an identified object
C.3.5 Determine the access rights that pertain to a containing policy class
C.3.6 Determine the user’s access rights for each object of interest
C.4 Algorithm variants
Annex D - Accommodation of environmental attributes
D.1 Introduction
D.2 Approach
D.3 Example policy
Annex E - Delegation of administrative responsibilities
E.1 Introduction
E.2 Policy domain definition