HomeDownloadsUser GuideDevelopment

User Guide: Overview Cockpit

The following tables show current differences between the actual Permis version of VBS and the version of the University of Kent.

PDP Policy Decision Point

Name Description Kent VBS
File AC Repository An attribute certificate repository that read AC's from the local file system.
LDAP AC Repository An attribute certificate repository that read AC's from a LDAP directory.
WebDav AC Repository An attribute certificate repository that read AC's from a WebDav directory.
Virtual AC Repository An attribute certificate repository that read AC's from different directories.
Managed Permis A policy of a running PDP can be reloaded without restarting the PDP.
Certificate Chain Verification Certificate chains with size greater than one are supported.
PDP Setup PDP setup is simplified and a builder for a new PDP is provided. More than one PDP could run on the same Java VM. (No static singleton configuration)
Roles (RBAC 0) Role based access control.
Role Hierarchies (RBAC 1) Hierarchical Role Based Access Control. A superior role gets all privileges of a subordinate role.
Target Access Rules A target access rule defines a set of roles that are allowed to access a target.
Conditions for Target Access Rules Conditions are additional constraints that must be true for a target access rule. E. g. access is only granted between 9am and 11am.
Role Assignment Rules A role assignment rule defines which subjects are allowed to assign which roles, and if a subject may delegate an assigned role.
Obligations An obligation is an operation specified in a policy that should be performed by the PEP Policy Enforcement Point in conjunction with the enforcement of an authorization decision. (Kent Permis provides a simple String based implementation)
Static Separation of Duties (SoD) Define mutually exclusive roles.
Dynamic Separation of Duties (DSoD) Define mutually exclusive roles in the context of a dynamic session. (Kent-Permis provides a simple in-memory implementation)

Policy Editor

Name Description Kent VBS
Sign or Verify a Policy Creates an attribute certificate containing the actual policy or verify a signed policy.
Publish a Policy Publish a signed policy. E. g. in an LDAP directory.
Create Role AC Create attribute certificates containing user role assignments. (Kent Permis has the ACM Attribute Certificate Manager Editor).
Connect to an LDAP directory Connect the editor to an LDAP directory for selecting resources.
Connect to an WebDav directory Connect the editor to an WbDav directory for selecting resources.
Problem View The editor provides a central problem overview, containing a list of all structural and logical problems of the current policy.
Human Readable Policy The editor provides a human readable description of the policy parts currently edited. Includes also warnings about structural problems. This view can also show the current Permis XML file.
Version Tagging of Policies Policies are under version control and the history of changes is saved.
Comments for Policy Elements The user can write comments for policy elements and save them persistent.
Tutorial / Help A help and a tutorial are available in the editor.
Policy Wizard A simple wizard which helps a user to create a first initial policy.
Integration Projects Several integration project (listed below) can be configured in the editor.
Resources, Actions, Targets Edit simple concepts.
Roles Edit roles and and role hierarchies.
Target Access Rules Edit a target access rule, which defines a set of roles that are allowed to access a target.
Conditions for Target Access Rules Edit constraints for target access rules.
Role Assignment Rules Edit a role assignment rule, which defines which subjects are allowed to assign which roles, and if delegation of role assignment is allowed.
Obligations Edit an obligation, which must be enforced by the PEP.
Static Separation of Duties (SoD) Edit mutually exclusive roles.
Dynamic Separation of Duties (DSoD) Edit mutually exclusive roles in the context of a dynamic session.

Security

Name Description Kent VBS
JCE Java Cryptography Extension Permis is completely decoupled from IAIK library (The Institute for Applied Information Processing and Communications library). A Permis integrator is now able to use the Java JCE mechanism for cryptography, in order to use his own security provider.
Security Review Core, editor and integrations are completely separated modules which makes it easy to review the permis core.
Secure Auditing of PDP Decisions The PDP provides an interface for audit loggers to record all access decisions. The interface includes a "Veto-Right" for loggers to refuse a decision of the PDP.

Build System

Name Description Kent VBS
Modular Design Separate modules for core, editor ... (with clear dependencies).
Documented 3 Party Libraries All used libraries are documented, version and license are clear.
HTML Project Documentation System contains generated HTML documentation including JavaDoc and all audit reports.
Stand-Alone Examples Simple stand-alone examples to start with.

Quality Management

Name Description Kent VBS
Automatic Continuous Integration The whole code basis is compiled hourly including running all unit test and code audit tools. The result is outlined on a web page.
Unit Tests All source code is covered by unit tests.
Integration Tests Testing of different interactions between systems.
Checkstyle Is a code audit tool that check the code style of java code.
PMD Is a code audit tool that check the source code for possible bugs, dead code, suboptimal code, and duplicated code.
FindBugs Is a code audit tool that check the source code for possible bugs.
Checkspace Is a code audit tool that check the source code for redundant spaces.

Integrations

Name Description Kent VBS
XACML Support PDP and editor works with the XACML access control policy language.
SAML ADF Stand alone server that will accept incoming SAML authorization decision requests and will respond with SAML authorization decision responses.
Shibboleth An Apache module that uses Permis to control access to websites that use either Apache or Shibboleth to provide user authentication.
WSDL Web Serivce Description Language Editor can import actions and resources from a WSDL file.
Apache Web Server
GT4 Permis Authorization Service Authorization service that can be deployed with the Globus Toolkit from version 4.
Coordinated GT4 A coordinated authorization service that can be deployed with Globus Toolkit version 4.1.x.
.NET .NET interface for Simple Permis.
Python Python interface for Simple Permis.
OWL Web Ontology Language