The following tables show the current differences between this OpenPermis version and the KentPERMIS version from the University of Kent.

Name | Description | KentPERMIS | OpenPermis
File AC Repository | An attribute certificate repository that reads ACs from the local file system. | |
LDAP AC Repository | An attribute certificate repository that reads ACs from an LDAP directory. | |
WebDAV AC Repository | An attribute certificate repository that reads ACs from a WebDAV directory. | |
Virtual AC Repository | An attribute certificate repository that reads ACs from several directories. | |
Managed Permis | The policy of a running PDP can be reloaded without restarting the PDP. | |
Certificate Chain Verification | Certificate chains longer than one certificate are supported. | |
PDP Setup | PDP setup is simplified and a builder for a new PDP is provided. More than one PDP can run in the same Java VM (no static singleton configuration). | |
Roles (RBAC 0) | Role based access control. | |
Role Hierarchies (RBAC 1) | Hierarchical role based access control: a superior role gets all privileges of a subordinate role. | |
Target Access Rules | A target access rule defines a set of roles that are allowed to access a target. | |
Conditions for Target Access Rules | Conditions are additional constraints that must be true for a target access rule to apply, e.g. access is only granted between 9am and 11am. | |
Role Assignment Rules | A role assignment rule defines which subjects are allowed to assign which roles, and whether a subject may delegate an assigned role. | |
Obligations | An obligation is an operation specified in a policy that should be performed by the PEP (Policy Enforcement Point) in conjunction with the enforcement of an authorization decision. | |
Static Separation of Duties (SoD) | Define mutually exclusive roles. | |
Dynamic Separation of Duties (DSoD) | Define mutually exclusive roles in the context of a dynamic session. (KentPERMIS provides a simple in-memory implementation.) | |
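To make the policy concepts in the table above concrete (roles, role hierarchies, target access rules with conditions, role assignment rules, obligations, and static/dynamic separation of duties), here is a small toy policy decision point that evaluates them. This is an added illustration, not OpenPermis or KentPERMIS code: the class names, the `hr-soa`/`audit-soa` issuers, the `/reports` target and every policy value are invented for the example, and the time-window condition is the 9am-11am case from the table.

```python
"""Toy PDP for the PERMIS policy concepts in the table above (added example;
not OpenPermis/KentPERMIS code; all names and policy data are invented)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Context = Dict[str, object]            # request environment, e.g. {"now": datetime}
Condition = Callable[[Context], bool]  # additional constraint on a target access rule


@dataclass(frozen=True)
class TargetAccessRule:
    target: str
    action: str
    roles: FrozenSet[str]                   # roles permitted to perform the action
    condition: Optional[Condition] = None   # e.g. only between 09:00 and 11:00
    obligations: Tuple[str, ...] = ()       # what the PEP must do when permitting


@dataclass(frozen=True)
class RoleAssignmentRule:
    issuer: str               # subject allowed to assign (issue ACs for) these roles
    roles: FrozenSet[str]
    delegatable: bool = False  # may the holder pass the role on to others?


@dataclass(frozen=True)
class Decision:
    permit: bool
    obligations: Tuple[str, ...] = ()


@dataclass
class Policy:
    hierarchy: Dict[str, Set[str]] = field(default_factory=dict)  # role -> subordinates
    rules: List[TargetAccessRule] = field(default_factory=list)
    assignment_rules: List[RoleAssignmentRule] = field(default_factory=list)
    static_sod: List[Tuple[str, str]] = field(default_factory=list)   # never co-assigned
    dynamic_sod: List[Tuple[str, str]] = field(default_factory=list)  # never co-active

    def effective_roles(self, roles: Iterable[str]) -> FrozenSet[str]:
        """RBAC1: a superior role gets all privileges of its subordinates, so
        expand the given roles downward through the hierarchy (transitively)."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.hierarchy.get(role, ()))
        return frozenset(seen)

    def may_assign(self, issuer: str, role: str, delegated: bool = False) -> bool:
        """Role assignment rule: may this issuer hand out this role, and if the
        assignment is a delegation, does the rule allow delegating it?"""
        return any(r.issuer == issuer and role in r.roles and (r.delegatable or not delegated)
                   for r in self.assignment_rules)

    def static_sod_violations(self, assigned: Iterable[str]) -> List[Tuple[str, str]]:
        """Static SoD: one subject may never hold both roles of an exclusive pair,
        not even indirectly through the role hierarchy."""
        eff = self.effective_roles(assigned)
        return [(a, b) for a, b in self.static_sod if a in eff and b in eff]

    def activate_session(self, assigned: Iterable[str], requested: Iterable[str]) -> FrozenSet[str]:
        """Dynamic SoD: both roles may be assigned, but not both active in one
        session. Returns the session's effective roles or refuses activation."""
        assigned, requested = set(assigned), set(requested)
        if self.static_sod_violations(assigned):
            raise PermissionError("static SoD violated by the role assignment")
        if not requested <= assigned:
            raise PermissionError("cannot activate a role that is not assigned")
        eff = self.effective_roles(requested)
        for a, b in self.dynamic_sod:
            if a in eff and b in eff:
                raise PermissionError(f"dynamic SoD: {a} and {b} cannot be active together")
        return eff

    def decide(self, session_roles: FrozenSet[str], target: str, action: str, ctx: Context) -> Decision:
        """Target access rules: permit when a rule for (target, action) names an
        active role and its condition (if any) holds; otherwise deny, no obligations."""
        for rule in self.rules:
            if rule.target == target and rule.action == action and rule.roles & session_roles:
                if rule.condition is None or rule.condition(ctx):
                    return Decision(True, rule.obligations)
        return Decision(False)


def office_hours(ctx: Context) -> bool:
    """The condition from the table: access only between 9am and 11am."""
    return time(9, 0) <= ctx["now"].time() < time(11, 0)


def sample_ctx(hour: int) -> Context:
    """Constructed request context at the given hour on an arbitrary day."""
    return {"now": datetime(2024, 1, 8, hour, 0)}


# Constructed policy for the demonstration only (not a real deployment).
POLICY = Policy(
    hierarchy={"Manager": {"Staff"}, "Auditor": {"Staff"}},
    rules=[
        TargetAccessRule("/reports", "read", frozenset({"Staff"})),
        TargetAccessRule("/reports", "approve", frozenset({"Manager"}),
                         condition=office_hours, obligations=("log-approval",)),
    ],
    assignment_rules=[RoleAssignmentRule("hr-soa", frozenset({"Staff", "Manager"})),
                      RoleAssignmentRule("audit-soa", frozenset({"Auditor"}), delegatable=True)],
    static_sod=[("Purchaser", "Approver")],
    dynamic_sod=[("Manager", "Auditor")],
)

if __name__ == "__main__":
    session = POLICY.activate_session({"Manager", "Auditor"}, {"Manager"})
    print(POLICY.decide(session, "/reports", "approve", sample_ctx(10)))
```

Two details worth noting: the default answer of `decide` is deny with no obligations, and obligations travel with a permit so the PEP enforcing the decision (e.g. writing an audit record) cannot be skipped by a caller that only inspects the boolean. Separation of duties is checked at two different times, assignment for static SoD and session activation for dynamic SoD, which is exactly why DSoD needs session state (the in-memory implementation mentioned in the table) while SoD does not.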
Name | Description | KentPERMIS | OpenPermis
Sign or Verify a Policy | Creates an attribute certificate containing the actual policy, or verifies a signed policy. | |
Publish a Policy | Publish a signed policy, e.g. in an LDAP directory. | |
Create Role AC | Create attribute certificates containing user role assignments. (KentPERMIS has the ACM Attribute Certificate Manager editor.) | |
Connect to an LDAP directory | Connect the editor to an LDAP directory for selecting resources. | |
Connect to a WebDAV directory | Connect the editor to a WebDAV directory for selecting resources. | |
Plugin Support | Support for writing editor plugins, e.g. to allow sources other than LDAP and/or WebDAV. | |
Customizable Editor | Enable/disable editor features for production use, or provide custom implementations for policy components. | |
Problem View | The editor provides a central problem overview containing a list of all structural and logical problems of the current policy. | |
Human Readable Policy | The editor provides a human readable description of the policy parts currently being edited, including warnings about structural problems. This view can also show the current XML file. | |
Version Tagging of Policies | Policies are under version control and the history of changes is saved. | |
Comments for Policy Elements | The user can write comments for policy elements and save them persistently. | |
Tutorial / Help | Help and a tutorial are available in the editor. | |
Policy Wizard | A simple wizard that helps a user create a first initial policy. | |
Integration Projects | Several integration projects (listed below) can be configured in the editor. | |
Resources, Actions, Targets | Edit simple concepts. | |
Roles | Edit roles and role hierarchies. | |
Target Access Rules | Edit a target access rule, which defines a set of roles that are allowed to access a target. | |
Conditions for Target Access Rules | Edit constraints for target access rules. | |
Role Assignment Rules | Edit a role assignment rule, which defines which subjects are allowed to assign which roles, and whether delegation of role assignment is allowed. | |
Obligations | Edit an obligation, which must be enforced by the PEP. | |
Static Separation of Duties (SoD) | Edit mutually exclusive roles. | |
Dynamic Separation of Duties (DSoD) | Edit mutually exclusive roles in the context of a dynamic session. | |
Name | Description | KentPERMIS | OpenPermis
Automatic Continuous Integration | The whole code base is compiled hourly, including running all unit tests and code audit tools. The results are published on a web page. | |
Unit Tests | All source code is covered by unit tests. | |
Integration Tests | Testing of different interactions between systems. | |
Checkstyle | A code audit tool that checks the code style of Java code. | |
PMD | A code audit tool that checks the source code for possible bugs, dead code, suboptimal code, and duplicated code. | |
FindBugs | A code audit tool that checks the source code for possible bugs. | |
Checkspace | A code audit tool that checks the source code for redundant spaces. | |
Name | Description | KentPERMIS | OpenPermis
XACML Request/Response Support | The PDP provides an interface for XACML requests and responses. | |
SAML ADF | Stand-alone server that accepts incoming SAML authorization decision requests and responds with SAML authorization decision responses. | |
Shibboleth | An Apache module that uses Permis to control access to websites that use either Apache or Shibboleth to provide user authentication. | |
WSDL Web Service Description Language | The editor can import actions from a WSDL file. | |
Apache Web Server | | |
GT4 Permis Authorization Service | Authorization service that can be deployed with the Globus Toolkit from version 4. | |
Coordinated GT4 | A coordinated authorization service that can be deployed with Globus Toolkit version 4.1.x. | |
.NET | .NET interface for Simple Permis. | |
Python | Python interface for Simple Permis. | |
OWL Web Ontology Language | | |
Pluggable Keystore Formats | Support for various keystore formats, e.g. SmartCard or PKCS12 files, for the creation of AC files. | |