How To Create Authorization Group For Program In Sap
Authorization Field
Concepts and Security Model
In SAP Security Configuration and Deployment, 2009
Authorization Groups
An authorization group is an authorization field value used to protect tables and programs. For example, you can protect tables with table authorization groups by defining the groups in table TBRG and assigning the relevant group to the tables you want to protect in table TDDAT. An authorization group can be assigned to one or more tables, but a table can be assigned to only one authorization group. Alternatively, you can maintain the table authorization group assignment for an individual table in transaction SE11 under Utilities | Table Maintenance Generator. With this mechanism you can prevent users from accessing the table through transactions such as SE16 (Display Table) or SM30 (Table Maintenance). Access to a protected table requires both halves of the check: the table must have an authorization group assigned in table TDDAT, and the user must hold authorization object S_TABU_DIS with authorization field DICBERCLS containing that authorization group. This is particularly useful for protecting customized tables. Standard SAP tables are generally protected already; however, you can manually change the authorization group assignment if required.
Similarly, you can define program authorization groups in table TPGP and assign the relevant group to the programs you want to protect in table TPGPT. An authorization group can be assigned to one or more programs, but a program can be assigned to only one authorization group. Alternatively, you can assign the program authorization group in the program attributes using SE38. This prevents users from accessing the program through transactions such as SE38 and SA38 (Execute Program). To access the protected program, the user requires authorization object S_PROGRAM with authorization field P_GROUP containing that authorization group.
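The two-part check described above (group assignment in TDDAT or TPGPT plus the matching S_TABU_DIS or S_PROGRAM value in the user's profile), modelled in Python as an added example; this is not code from the chapter or from SAP, and every table, program and group name is constructed. It also includes a review helper that lists customer tables still sitting in the &NC& default group, which is the gap the text's advice about customized tables closes.

```python
"""Model of SAP's two-part authorization-group check for tables and programs.
Added example, not code from the chapter or from SAP: it simulates the lookups
the text describes (TDDAT table -> group, TPGPT program -> group, then the
user's S_TABU_DIS/DICBERCLS or S_PROGRAM/P_GROUP values). All table, program
and group names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed TDDAT (table -> group) and TPGPT (program -> group) entries.
# A table or program carries at most one group; a group may cover many.
TDDAT: Dict[str, str] = {"ZSALARY": "ZHR", "ZVENDOR_BANK": "ZFI", "ZLOG": "ZBC"}
TPGPT: Dict[str, str] = {"ZHR_PAYROLL_REPORT": "ZHR", "ZFI_PAYMENT_RUN": "ZFI"}
# Tables with no TDDAT entry fall into SAP's pseudo-group &NC& ("not
# classified"), so a user holding DICBERCLS = &NC& can reach all of them.
NOT_CLASSIFIED = "&NC&"

@dataclass
class UserAuths:
    """Field values the user holds through the profiles generated by PFCG."""
    # S_TABU_DIS: DICBERCLS (group) -> allowed ACTVT ('03' display, '02' change)
    s_tabu_dis: Dict[str, Set[str]] = field(default_factory=dict)
    # S_PROGRAM: P_GROUP (group) -> allowed P_ACTION (e.g. SUBMIT, BTCSUBMIT)
    s_program: Dict[str, Set[str]] = field(default_factory=dict)

def table_group(table: str) -> str:
    """Lookup step 1: the group assigned to the table in TDDAT (else &NC&)."""
    return TDDAT.get(table, NOT_CLASSIFIED)

def can_access_table(user: UserAuths, table: str, actvt: str) -> bool:
    """SE16/SM30-style check: DICBERCLS must contain the table's group for the
    requested activity, so both the TDDAT entry and S_TABU_DIS are needed."""
    return actvt in user.s_tabu_dis.get(table_group(table), set())

def can_run_program(user: UserAuths, program: str, action: str = "SUBMIT") -> bool:
    """SA38/SE38-style check: P_GROUP must contain the program's group with the
    requested P_ACTION. A program without a group is modelled as unprotected,
    since S_PROGRAM is only checked when the program attribute is set."""
    group = TPGPT.get(program)
    return True if group is None else action in user.s_program.get(group, set())

def unclassified_custom_tables(tables: List[str]) -> List[str]:
    """Review helper: customer (Z/Y) tables still in &NC&, i.e. not protected
    by their own table authorization group."""
    return [t for t in tables if t[0] in "ZY" and t not in TDDAT]

def demo() -> Dict[str, bool]:
    """Constructed HR clerk: display-only on ZHR tables, may run ZHR programs."""
    clerk = UserAuths(s_tabu_dis={"ZHR": {"03"}}, s_program={"ZHR": {"SUBMIT"}})
    return {
        "display_salary": can_access_table(clerk, "ZSALARY", "03"),          # True
        "change_salary": can_access_table(clerk, "ZSALARY", "02"),           # False
        "display_vendor_bank": can_access_table(clerk, "ZVENDOR_BANK", "03"),  # False
        "run_payroll": can_run_program(clerk, "ZHR_PAYROLL_REPORT"),          # True
        "run_payment": can_run_program(clerk, "ZFI_PAYMENT_RUN"),             # False
        "run_ungrouped": can_run_program(clerk, "ZNEW_REPORT"),               # True
    }
```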
URL: https://www.sciencedirect.com/science/article/pii/B9781597492843000028
ABAP
In SAP Security Configuration and Deployment, 2009
Definition of a Profile
Although we use the profile generator (PFCG) to create a role, as its name implies, PFCG generates a profile. The profile is created from the authorization objects and authorization field values entered into the role. The concept of a profile is a holdover from pre-PFCG days, when the security administrator had to create the authorizations manually; to assign those authorizations to a user ID, he or she had to collect them in a profile that could then be assigned to the user ID. The profile is still used as a collection of authorizations, but it is now generated by the profile generator tool and associated with the role. When the role is assigned to a user ID, the SAP system looks up and automatically assigns the associated profile.
URL: https://www.sciencedirect.com/science/article/pii/B978159749284300003X
Hypertext Transfer Protocol
Walter Goralski, in The Illustrated Network (Second Edition), 2017
URLs
RFC 1738, also not updated, defined a URL format for use on the Web (although the RFC just says "Internet"). Newer URI rules all respect conventions that have grown up around URLs over the years. URLs are a subset of URIs, and like URIs, consist of two parts: a method used to access the resource, and the location of the resource itself. Together, the parts of the URL provide a way for users to access files, objects, programs, audio, video, and much more on the Web.
The method is labeled by a scheme, and usually refers to a TCP/IP application or protocol, such as http or ftp. Schemes can include plus signs (+), periods (.), or hyphens (-), but in practice they contain only letters. Methods are case insensitive, so HTTP is the same as http (but by convention they are expressed in lowercase letters).
The locator part of the URL follows the scheme and is separated from it by a colon and two forward slashes (://). The format of the locator depends on the type of scheme, and if one part of the locator is left out, default values come into play. The scheme-specific information is parsed by the receiving host based on the actual scheme (method) used in the URL.
Theoretically, each scheme uses an independently defined locator. In practice, because URLs use TCP/IP and Internet conventions, many of the schemes share a common syntax. For example, both the http and ftp schemes use a DNS name or IP address to identify the target host and expect to find the resource in a hierarchical directory file structure.
The most general form of URL for the Web is shown in Figure 26.6. There is very little difference between this format and the general format of a URI, and some of these differences are mentioned in the material that follows the figure.
Figure 26.6. The fields of a complete URL, showing that the default values used in the fields are absent.
The format changes a bit with method, so an FTP URL has only a type=<typecode> field as the single <params> field following the <url-path>. For example, a type code of d is used to request an FTP directory listing. The figure shows the general field for the http method.
- <scheme>—The method used to access the resource. The default method for a Web browser is http.
- <user> and <password>—In a URI, this is the authorization field (also called "authority"). A URL's authorization consists of a user ID and password separated by a colon (:). Many private Web sites require user authorization, and if it is not provided in the URL the user is prompted for this information. When absent, the user defaults to publicly available resource access.
- <host>—Called the network path in a URI, the host is specified in a URL by DNS name or IP address (IPv6 works fine for servers using that address form).
- <port>—This is the TCP or UDP port that, together with the host information, specifies the socket where the method appropriate to the scheme is found. For http, the default port is 80.
- <url-path>—The URI specification calls this the absolute path. In a URL, this is usually the directory path, starting from the default directory, to where the resource is to be found. If this field is absent, the Web site has a default directory into which the user is placed. The forward slash (/) before the path is not technically part of the path, but forms the delimiter and must follow the port. If the url-path ends in another slash, this means a directory and not a "file" (but most Web sites figure out whether the path ends at a file or directory on their own). A double dot (..) moves the user up one level from the default directory.
- <params>—These parameters control how the method is used on the resource and are scheme specific. Each parameter has the form <parameter>=<value>, and the parameters are separated by semicolons (;). If there are no parameters, the default action for the resource is taken.
- <query>—This URL field contains information used by the server to form the response. Whereas parameters are scheme specific, query information is resource specific.
- <fragment>—The field is used to indicate which particular part of the resource the user is interested in. By default, the user is presented with the start of the entire resource.
Most of the time, a simple URL, such as ftp://ftp.example.com, works just fine for users. But let's look at a couple of examples of fairly complex URLs to illustrate the use of these fields.
http://myself:mypassword@mail.example.com:32888/mymail/ShowLetter?MsgID-5551212#1
The user myself, authenticated with mypassword, is accessing the mail.example.com server at TCP port 32888, going to the directory /mymail, and running the ShowLetter program. The letter is identified to the program as MsgID-5551212, and the first part of the message is requested (this form is typically used for a multipart MIME message).
www.examplephotos.org:8080/cgi-bin/pix.php?WeddingPM#Reception19
The user is going to a publicly accessible part of the site called www.examplephotos.org, which is running on TCP port 8080 (a popular alternative or addition to port 80). The resource is the PHP program pix.php in the cgi-bin directory below the default directory, and the URL asks for a particular page of photographs to be accessed (WeddingPM) and for a particular photograph (Reception19) to be presented.
www.sample.com/who%20are%20you%3F
File names that have embedded spaces and special characters that are the same as URL delimiters can be a problem. This URL accesses a file named who are you? in the default directory at the www.sample.com site. There are 21 "unsafe" URL characters that can be represented this way.
There are many other URL "rules" (as for Windows files), and quite a few tricks. For example, if we wanted to make a Web page at www.loserexample.com (IP address 192.168.1.1) appear as if it is located at www.nobelprizewinners.org, we can translate the Web site's IP address to decimal (192.168.1.1 = 0xC0A80101 = 3232235777 decimal), add some "bogus" authentication information in front of it (which will be ignored by the Web site), and hope that no one remembers the URL formatting rules:
http://www.nobelprizewinners.org@3232235777
A lot of evil hackers use this trick to make people think they are pointing and clicking at a link to their bank's Web site when they are really about to enter their account information into the hacker's server! Well, if that's what a URL is for, why is a URN needed?
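The field breakdown above, applied by a small Python parser (an added example, not the book's code): it fills in the defaults the text names, percent-decodes the path, and, from the defender's side, flags the two things the spoofing trick relies on, a site-like name in the user field and an integer-form host. Only urllib.parse and ipaddress from the standard library are used; the DEFAULT_PORTS table is this example's assumption.

```python
"""Decompose a URL into the fields of Figure 26.6 and flag the host-spoofing
trick described above. Added example, not the book's code: it uses only
Python's urllib.parse and ipaddress. Sample inputs are the chapter's own URLs;
DEFAULT_PORTS is this example's own (assumed) table of scheme defaults."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def parse_url(url: str) -> Dict[str, object]:
    """Split into scheme/user/password/host/port/path/query/fragment, applying
    the defaults the text describes: http as scheme, the scheme's port, '/' path."""
    if "://" not in url:
        url = "http://" + url            # browser default method
    parts = urlsplit(url)
    scheme = parts.scheme.lower()        # methods are case-insensitive
    return {
        "scheme": scheme,
        "user": parts.username,          # text before ':' in the authority
        "password": parts.password,      # text between ':' and '@'
        "host": parts.hostname,          # what the browser actually connects to
        "port": parts.port or DEFAULT_PORTS.get(scheme),
        "path": unquote(parts.path) or "/",   # %20 -> ' ', %3F -> '?' stays in path
        "query": parts.query,
        "fragment": parts.fragment,
    }

def real_host(host: Optional[str]) -> Optional[str]:
    """Normalise an integer-form host (3232235777) back to dotted quad."""
    if host and host.isdigit() and int(host) < 2 ** 32:
        return str(ipaddress.ip_address(int(host)))
    return host

def spoofing_indicators(url: str) -> List[str]:
    """Defender-side review of a link: the part before '@' is only the user
    field, so a host-like name there, or a bare integer host, is a red flag."""
    f = parse_url(url)
    found: List[str] = []
    if f["user"] and "." in str(f["user"]):
        found.append(f"userinfo {f['user']!r} looks like a site name; "
                     f"real host is {real_host(str(f['host']))}")
    if f["host"] and str(f["host"]).isdigit():
        found.append(f"host {f['host']} is the integer form of {real_host(str(f['host']))}")
    return found
```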
URL: https://www.sciencedirect.com/science/article/pii/B9780128110270000266
Access control in the Internet of Things: Big challenges and new opportunities
Aafaf Ouaddah, ... Abdellah Ait Ouahman, in Computer Networks, 2017
2.1 OM-AM authorization reference model
2.1.1 Motivation
Authorization involves the following phases: defining a security policy (a set of rules), selecting an access control model to encapsulate the defined policy, implementing the model, and enforcing the access rules. Each phase requires specific tools. As examples: the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) method [19] can be used as a basis for deriving the security policy; the RBAC model [20] defines an access control model; the Extensible Access Control Markup Language (XACML) standard [21] proposes an architecture and a language for implementing security policy rules; and the OAuth 2.0 framework [22], which includes an authentication phase, also proposes an architecture (entities and workflow) for implementing the authorization function. Unfortunately, we notice considerable confusion between these tools in the literature, and even in the terms used in the authorization field. As a result, we find illegitimate comparisons between some of the above tools and of their fitness for the IoT environment. This is due to the lack of normalized terminology for the authorization process in the literature. To fill this gap and avoid confusion, we propose a reference model that normalizes the authorization process. By analogy to the seven-layer OSI (Open Systems Interconnection) network protocol stack, we adopt the four-layer OM-AM framework coined in [23], or more informally the OM-AM way, to analyze the authorization process. OM-AM stands for Objective, Model, Architecture, and Mechanism. The objective and model (OM) layers articulate what the security objectives are and what should be achieved, while the architecture and mechanism (AM) layers address how to meet those requirements. As in the OSI stack, the mapping between adjacent OM-AM layers is many-to-many.
In other words, a security policy can be formalized with many access control models, and a model can support different security policies. Moreover, an access control model can be supported by multiple architectures, while a specific architecture can support multiple models; the layers need not follow a top-down, waterfall-style software engineering process.
2.1.2 Concept and terminology: the OM-AM's four layers defined and their functions explained
The OM-AM model has four layers, stacked from the high-level specification down to the low-level enforcement mechanisms and implementation, as explained below and depicted in Table 1.
Table 1. OM-AM framework for the authorization process.
| Layer | Examples |
|---|---|
| Objective | Security policy; risk assessment (OCTAVE and EBIOS methods; ISO/IEC 27002/27005 standards, etc.) |
| Model | Authorization model (e.g. RBAC, ABAC, UCON) |
| Architecture | Frameworks, protocols (XACML, OAuth, UMA) |
| Mechanisms | Hardware and software tools (ACLs, routers, encryption, audit logs, IDS, antivirus software, firewalls, smart cards, dial-up call-back systems, alarms and alerts, etc.) |
- Objectives: this layer serves as the reference background on which all security and access control actions and measures are based. Its main function is to define an access control policy, that is, the high-level rules according to which access must be regulated. The layer covers a variety of commonly needed functions: expressing needs through a study of the system to be secured and its environment, drawing the perimeter and scope to be targeted, conducting a risk assessment, identifying security objectives, and so on. A whole arsenal of methodologies, methods and tools is used in this layer, such as risk assessment methods, ISO/IEC 27002 and 27005, OCTAVE, EBIOS, MEHARI, CRAMM and OWASP, among others.
- Authorization model: after defining the security requirements, objectives and scope to be secured, one of the major difficulties lies in interpreting often complex and sometimes ambiguous real-world security policies and translating them into well-defined, unambiguous rules that a computer system can enforce. This is where the authorization model layer bridges the gap between high-level policies and low-level mechanisms, by defining how authorization rules should be applied to protect resources. An authorization model is a formalism (often mathematical) for representing the security policy clearly and unambiguously. It abstracts the policy (i.e. reduces its complexity), makes it easier to understand, and can be used to verify that the policy is complete and consistent. Popular authorization models include the discretionary model (DAC), the mandatory model (MAC), RBAC and its extensions, the Attribute-Based Access Control (ABAC) model [24], the OrBAC model [25] and Usage Control (UCON) presented in [26–28], among many others. Such models are defined mostly in terms of subjects, objects and the possible interactions between them, but other models are based on different parameters such as trust, privacy, knowledge and context. A model can also be hybrid and combine more than one model in order to address the more heterogeneous needs of an organization. Only after the access control model is chosen can the right technology, and both the authentication and access control mechanisms, be selected and implemented.
- Architecture: this layer describes the entities, the workflow and the interactions between them (centralized or decentralized). Given this set of entities, several authorization sequences can be defined, for example the push, pull or agent sequence [29]. The most popular authorization architecture is published in the ISO standard for the access control framework, ISO/IEC 10181-3 [30], which defines the main features of the reference monitor. According to that standard, a reference monitor consists of two basic components: an access enforcement facility (AEF), or policy enforcement point (PEP), and an access decision facility (ADF), or policy decision point (PDP). Every request made by a subject is intercepted by the AEF/PEP and forwarded to the ADF/PDP for evaluation. The ADF/PDP replies either yes/grant or no/deny depending on the security policy, and the AEF/PEP enforces that decision. Tools in this layer take the form of protocols or frameworks such as the OAuth protocol and the XACML standard.
- Mechanisms: this layer defines the low-level (hardware and software) functions that enforce policies and determines how access requests are evaluated against them. Configuring access control policies is a non-trivial and highly critical process, and it should be subject to periodic review and verification to ensure that security policies are correctly expressed and implemented [31]. Proposed verification methods include formally testable policy specifications [32], detection of anomalies or conflicting rules via a segmentation technique [33], and analysis tools that enable policy administrators to evaluate policy interpretations [34]. A plethora of tools belongs to this layer, such as ACLs, routers, encryption, audit logs, IDS, antivirus software, firewalls, smart cards, dial-up call-back systems, alarms and alerts, among others.
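The AEF/PEP and ADF/PDP split from the architecture layer above, as an added Python example (not the paper's code): one PEP forwards every request to a PDP that runs an RBAC and an ABAC decision function side by side, which is the many-to-many mapping between the model and architecture layers in miniature. The subjects, roles, rules and ward context are constructed sample data.

```python
"""Reference monitor from ISO/IEC 10181-3 as the text describes it: a PEP
(AEF) intercepts every request and forwards it to a PDP (ADF), which answers
grant or deny from the policy. Added example, not the paper's code; it shows
the OM-AM point that one architecture can host several models by plugging an
RBAC and an ABAC decision function into the same PEP. All data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    context: Dict[str, str] = field(default_factory=dict)   # attributes for ABAC

Model = Callable[[Request], bool]   # model layer: a function returning grant (True)

# --- Model layer, option 1: RBAC (constructed roles and permissions) ---
USER_ROLES: Dict[str, Set[str]] = {"alice": {"nurse"}, "bob": {"technician"}}
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "nurse": {("read", "patient_record")},
    "technician": {("read", "sensor_log"), ("write", "sensor_log")},
}

def rbac_decide(req: Request) -> bool:
    roles = USER_ROLES.get(req.subject, set())
    return any((req.action, req.resource) in ROLE_PERMS.get(r, set()) for r in roles)

# --- Model layer, option 2: ABAC (constructed rule: patient records only on shift
# and from the ward network; other resources are unconstrained by this rule) ---
def abac_decide(req: Request) -> bool:
    if req.resource != "patient_record":
        return True
    return req.context.get("on_shift") == "yes" and req.context.get("network") == "ward"

class PDP:
    """Access decision facility: evaluates the plugged-in models, deny-overrides."""
    def __init__(self, models: List[Model]):
        self.models = models
    def decide(self, req: Request) -> str:
        return "grant" if all(m(req) for m in self.models) else "deny"

class PEP:
    """Access enforcement facility: sole path to the resource; asks the PDP and
    writes the audit log (a mechanism-layer tool) for every request."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp
        self.audit: List[str] = []
    def handle(self, req: Request) -> bool:
        verdict = self.pdp.decide(req)
        self.audit.append(f"{req.subject} {req.action} {req.resource} -> {verdict}")
        return verdict == "grant"

def demo() -> List[bool]:
    """Same PEP, two models; changing the model list leaves the PEP untouched."""
    pep = PEP(PDP([rbac_decide, abac_decide]))
    ward = {"on_shift": "yes", "network": "ward"}
    return [
        pep.handle(Request("alice", "read", "patient_record", ward)),                # True
        pep.handle(Request("alice", "read", "patient_record", {"on_shift": "no"})),   # False (ABAC)
        pep.handle(Request("bob", "read", "patient_record", ward)),                  # False (RBAC)
        pep.handle(Request("bob", "write", "sensor_log")),                           # True
    ]
```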
In this way, the OM-AM framework allows us to:
- Define in a perspicuous way the boundaries of, and the relationships between, the phases of the authorization process, since each phase matches a specific layer.
- Discuss each phase independently of the others; for example, discuss the security requirements separately from the mechanisms required to implement them.
- Compare vertically across layers: different access control models that encapsulate the same security policy, different architectures that implement the same access control model, and different mechanisms that enforce the same access control architecture.
- Compare horizontally within one layer, for example between different access control models or mechanisms.
- Design each layer separately: for example, design mechanisms that are able to enforce multiple policies [35]. This aspect is particularly crucial since it gives great flexibility and scalability to the whole access control system. If a tool in one layer is tied to a specific component in another layer, a change in the policy would require changing the whole access control system.
Hence, thanks to the proposed OM-AM reference model, we argue that comparing or opposing so-called traditional access control models such as RBAC with emergent access control technologies or standards such as XACML, OAuth or UMA, or claiming that the former are no longer useful, is mistaken. Rather, these tools can collaborate and coordinate: each plays its specific role within its own layer, working in a complementary way with the others to satisfy different use cases. The work proposed in [36], which uses XACML in conjunction with OAuth 2.0 for scope definitions, can be considered a proof of concept of this idea.
In the following sections we survey the solutions proposed in the literature for IoT, one layer at a time.
URL: https://www.sciencedirect.com/science/article/pii/S1389128616303735
Source: https://www.sciencedirect.com/topics/computer-science/authorization-field
Posted by: carterbougereb.blogspot.com