Overview of Role-based Access Control project for 2009 Geospatial SOA and Cloud Computing Workshop

1. Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0

5. Service Providers Service Consumers Geospatial SOA … Regulatory … Infrastructure … other needs Access Processing Discovery Collaboration Security

9. Geospatial SOA Access Security Project Design Outreach & Collaboration Scenarios & Business Processes Develop DT&E Lab Document Best Practices Services DT&E Lab

10. SDI Access Control Service NSDI Data Access Service and SDI Access Control Service WFS WMS SACS Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response Access Control WFS Request

11. Virtual SACS Other Client SDI Access Control Service NSDI Data Access Service and SDI Access Control Service Other NSDI Service with Virtual SACS WFS WMS SAC WFS WMS SAC Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response WFS Request & Response WFS Request Access Control Federation Fine-grained A ccess C ontr ol Rules : SDI Client : Feature Constraints Geographic Constraints Role-based Contstraints Operations Constaints Access Control

12. So what does that mean?

14. Geographic Access Control

15. Geographic Access Control

16. Geographic Access Control Jeff

17. Geographic Access Control Jeff

18. Geographic Access Control Jeff

19. Geographic Access Control Jeff

20. Geographic Access Control Jeff

21. Geographic Access Control

22. Geographic Access Control

23. Geographic Access Control

24. EOC Users – Access by Role, Geography, Feature, Operations Public Users – May be limited by Role, Geography, Feature, Operations

25. Access Control Rules for Cloud-based Services Established by Service Providers

26. Free Secure SDI client available at www.thecarbonportal.net Feature Level Security Jeff

27. Feature Level Security Jeff

28. Feature Level Security Keith

29. Feature Level Security Keith

30. By OGC Operation

31. By OGC Operation

32. By OGC Operation

33. By OGC Operation

34. Free Secure SDI client available at www.thecarbonportal.net By OGC Operation

35. Established by Service Providers Access Control Rules for Cloud-based Services

36. NSDI WFS in DT&E Lab

38. The following takes place between 10 AM and 10:15 AM… … events happen in real time. Canada US

39. Keith and Brenda are on the staff of the Commission Keith Brenda Roles

40. The commission just sent us a package by email Keith Brenda 10:00 AM

41. OK, let me zoom & connect to the Cross-Border SDI Network 10:00 AM

42. Got it, lets connect to the Cross-Border SDI Network 10:01 AM

43. Oops, forget to log-in… 10:01 AM

44. No problem, I got it, logging in now… Me too, with my account… 10:02 AM

45. OK, let me zoom & connect to the Cross-Border SDI 10:03 AM

46. Got it, Montana done… Just got a note, they want gas storage, comm towers in report 10:04 AM

47. Accessing NRCAN WFS with the single-sign on 10:04 AM

48. Canada done 10:04 AM

49. Got it, accessed Montana and NRCAN WFS, done They say add schools to report 10:05 AM

50. Done… 10:09 AM

51. NRCan Service* Montana Service* NSDI Data Services CGDI Services SACS with Single Sign-On* Geospatial SOA

53. Demos illustrate role-based access to USACE regulatory data, using four different scenarios, four roles and four demo users – one Cloud-based Service. Each user belongs to one role – Public : ‘Public’ California : ‘Paul’ EPA Region II : ‘John’ USFWS Region IV : ‘George’ (the password for each user is the same as the username) Each role's access rules demonstrates a different spatial & non-spatial filter (details for each scenario appear in the bottom panel). USACE Regulatory Demos

54. USACE Public Scenario

55. USACE - California Scenario

56. USACE-EPA Region II Scenario

57. USFWS Region IV Scenario

58. USACE - California Rules

59. USACE - California Rules

60. USACE - California Rules

61. Questions on Demos?

62. Before – Many Roles, Many Services Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS

63. Datastore HTTPS SACS WFS WMS SDI Access Control Rules After – Many Roles, One Service

64. USACE Data Provider Portal Provider Security Manager NSDI Data Provider USACE End User NSDI End User (Public) Manage Users Manage Roles Manage Credentials Manage Groups Manage SDI Access Control Rules Authorize Users Access by Feature Access by Role Deploy Data Access by Geography Update by Feature Update by Role Update by Operation Type Access by Operation Type Use Cases… NSDI End User (Govt)

66. User Relying Party Identity Provider Relying Party Identity Provider Security Token Service WS-SecurityPolicy Security Token Service WS-SecurityPolicy Identity Selector SDI Access Control Rules (SACR) Framework… WS-Trust, WS-MetadataExchange Kerberos SAML SACS X.509

69. Questions?

70. Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0