Title | Secure Role-Based Access Control for RHIC Complex
Authors | A. Sukhanov, J. Morris (BNL, Upton, New York, USA)
Abstract | This paper describes the requirements, design, and implementation of Role-Based Access Control (RBAC) for the RHIC Complex. The system is being designed to protect equipment of the RHIC Complex from accidental, unauthorized access, but it can also provide significant protection against malicious attacks. Role assignment is dynamic: roles are primarily based on user ID, but elevated roles may be assigned for limited periods of time. Protection at the device manager level may be provided for an entire server or for individual device parameters. A prototype version of the system has been deployed at the RHIC Complex since 2022. Authentication is performed on a dedicated device manager, which generates an encrypted token based on user ID, expiration time, and role level. Device managers are equipped with an authorization mechanism that supports three methods of authorization: Static, Local, and Centralized. Transactions with the token manager take place 'atomically', during secured set() or get() requests. The system has a small overhead: ~0.5 ms for token processing and ~1.5 ms for the network round trip. Only Python-based device managers participate in the prototype system. Testing has begun with C++ device managers, including those that run on VxWorks platforms. For an easy transition, dedicated intermediate shield managers can be deployed to protect access to device managers that do not directly support authorization.
Funding | Work supported by Brookhaven Science Associates, LLC under Contract No. DE-SC0012704 with the U.S. Department of Energy.
Paper | TH2AO05.PDF (0.571 MB / 5 pages)
Conference | ICALEPCS2023
Series | International Conference on Accelerator and Large Experimental Physics Control Systems (19th)
Location | Cape Town, South Africa
Date | 09-13 October 2023
Publisher | JACoW Publishing, Geneva, Switzerland
Editorial Board | Volker RW Schaa (GSI, Darmstadt, Germany); Andy Götz (ESRF, Grenoble, France); Johan Venter (SARAO, Cape Town, South Africa); Karen White (SNS, Oak Ridge, TN, USA); Marie Robichon (ESRF, Grenoble, France); Vivienne Rowland (SARAO, Cape Town, South Africa)
Online ISBN | 978-3-95450-238-7
Online ISSN | 2226-0358
Received | 04 October 2023
Revised | 14 November 2023
Accepted | 19 December 2023
Issued | 22 December 2023
DOI | doi:10.18429/JACoW-ICALEPCS2023-TH2AO05
Pages | 1150-1154
Copyright | Published by JACoW Publishing under the terms of the Creative Commons Attribution 4.0 International license. Any further distribution of this work must maintain attribution to the author(s), the published article's title, publisher, and DOI.