Re: Plans with RSBAC


From: Stewart Robert Hinsley <stewart@meden.demon.co.uk>
Subject: Re: Plans with RSBAC
Date: Mon, 18 Oct 1999 19:48:04 +0100

Next Article (by Author): Re: Plans with RSBAC Vadim Kogan
Previous Article (by Author): Re: Speed of rsbac ? Stewart Robert Hinsley
Top of Thread: Plans with RSBAC ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


In article <Pine.LNX.3.91.991017204120.4867F-100000@gargoyle>, "Paul D.
Robertson" <proberts@clark.net> writes
>
>Secondly- I'm still working with some ideas on what I like to think of as 
>"two man missile key" control, where it takes two people to launch a 
>given capability or role.  Ideally, that would include some mechanism to 
>"half-grant" a role, MAC or privilige to a user, with the other 
>(preferably configurable in number, but two works for me initially) 
>grantor assigning the other half of the role.  This would essentially 
>mean a mechanism where security officer would be split into multiple 
>pieces, so that the role of granting roles wouldn't be tied to a specific 
>person.  For instance, if you had a security officer s2-1 and a second 
>security officer s2-2, s2-2 could half-grant access to the system, or to 
>a MAC to user "newbie."  Then S2-1 would have to half-grant the same 
>access to newbie for newbie to be able to {assume a role, access 
>information at a MAC...}  Ideally, it would, after initial configuration 
>take both administrator keys to add a new administrator to the mix.  
>Possible "2 of 3" would be a better rule, so that there could be an ID in 
>the safe with credentials should S2-1 leave...
>
>(Hmmm, I'm not sure that makes sense to anyone but me, questions welcomed)
>
>Thanks,
>
>Paul
I think that the concepts described in

        http://www.patents.ibm.com/details?pn=US05283830__&language=en 

would meet this requirement. We did have dual key as a tick list item,
and I think (this was the best part of ten years ago) that this was our
response to that tick list item.
-- 
Stewart Robert Hinsley
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Author): Re: Plans with RSBAC Vadim Kogan
Previous Article (by Author): Re: Speed of rsbac ? Stewart Robert Hinsley
Top of Thread: Plans with RSBAC ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


Go to Compuniverse LWGate Home Page.