Download - Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle
![Page 1: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/1.jpg)
Fine-grained Access Control for Spatial Services
...enforcing the Need-to-Know PrincipleRüdiger Gartmann
con terra GmbH, Münster, Germany
![Page 2: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/2.jpg)
© con terra GmbH2
Actors:
Public Safety Scenario: Planning an Event
![Page 3: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/3.jpg)
© con terra GmbH3
User Groups
X
![Page 4: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/4.jpg)
© con terra GmbH4
Planning team> Event preparation> Plan roadblocks, routes, evacuation
scenarios, personnel...> Assign areas for police, firefighters,
paramedics, ...Control team> Event monitoring> Measuring of movements, reaction to
incidents and emergencies, revision of plans, ...
> Management of emergency response teams> Observation of surveillance cameras,
location of suspects, ...
Access to All Information
![Page 5: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/5.jpg)
© con terra GmbH5
Access to Limited Information
Technical preparation> Create roadblocks, traffic control
systems, barriers, ...> Seal gully holes, check security
measures, ...Emergency response teams> Situation assessments> Taking orders> Status reports> Finding places of accident> Guidance, evacuation, protection...
![Page 6: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/6.jpg)
© con terra GmbH6
Access to Public Information
Tourists> Plan their trips> See what‘s going on> Find friends> Post information, photos, ...> Get event notifications
Threats> Only access to public information
![Page 7: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/7.jpg)
© con terra GmbH7
Regardless of the security classification, access is only permitted if there is an actual need
Planning team is allowed to see evacuation routes...Control team is allowed to use surveillance cameras...Poliecemen are allowed to report incidents...Paramedics are allowed to request ambulances...> ...but only for the very event they are actually dealing with!
Security Levels vs. Need-To-Know
![Page 8: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/8.jpg)
© con terra GmbH8
Class 1 Class 2 Class 3 Class 4Event AEvent BEvent CEvent D
Authorisation Decision
Information is classifiedInformation is assigned to certain tasksUsers are classifiedUsers are assigned to certain roles (responsible for certain tasks)Access is granted, only if> classification level matches and> task/role assignment matches
![Page 9: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/9.jpg)
based on security.manager
Access Control to Spatial Content
![Page 10: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/10.jpg)
© con terra GmbH10
Policy structure
Creating Policies
Subject Resource Action ObligationSubject Resource Action ObligationPlanning Team
Evacuation Routes
* Area of Interest, Classification = green
Subject Resource Action ObligationPlanning Team
Places to inspect
* Area of Interest, Classification = green
Policemen Places to inspect
Check Area of Duty, Classification = yellow
System is deny-biased> Everyone without explicit permissions is denied
![Page 11: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/11.jpg)
© con terra GmbH11
Example: Places to Inspect
![Page 12: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/12.jpg)
Required Authorisation Capabilities
![Page 13: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/13.jpg)
© con terra GmbH13
Authorisation of Services
Full set
Authorize services in securityManager
Restricted
![Page 14: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/14.jpg)
© con terra GmbH14
Layer Authorisation
All layers
Restricted listof layers
Define rights
![Page 15: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/15.jpg)
© con terra GmbH15
Feature Authorization
All features Filtered to features classified as yellow
Classification = yellow
![Page 16: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/16.jpg)
© con terra GmbH16
Authorise Functionalities
Identify result
Assign permissions for operations in securityManager
Identify not authorized
![Page 17: Fine-grained Access Control for Spatial Services ...e nforcing the Need-to-Know Principle](https://reader034.vdocuments.site/reader034/viewer/2022051402/56815dc0550346895dcbea05/html5/thumbnails/17.jpg)
© con terra GmbH17
Spatial restrictionsin securityManager
Spatial Restrictions
Full extent
Spatial restriction for Germany