
Report number: ATL-DAQ-PROC-2011-005
Title: Role Based Access Control system in the ATLAS experiment
Author(s): Valsan, M L (Bucharest, Polytechnic Inst.) ; Dobson, M (CERN) ; Lehmann Miotto, G (CERN) ; Scannicchio, D A (UC, Irvine) ; Schlenker, S (CERN) ; Filimonov, V (St. Petersburg, INP) ; Khomoutnikov, V (St. Petersburg, INP) ; Dumitru, I (Bucharest, Polytechnic Inst.) ; Zaytsev, A S (Novosibirsk, IYF) ; Korol, A A (Novosibirsk, IYF) ; Bogdantchikov, A (Novosibirsk, IYF) ; Caramarcu, C (Bucharest, IFIN-HH) ; Ballestrero, S (Johannesburg U.) ; Darlea, G L (Bucharest, Polytechnic Inst.) ; Twomey, M (Washington U.) ; Bujor, F (Bucharest, Polytechnic Inst.) ; Avolio, G (CERN)
Corporate Author(s): The ATLAS collaboration
Publication: 2011
Imprint: 14 Jan 2011
Number of pages: 6
In: Conference on Computing in High Energy and Nuclear Physics 2010, Taipei, Taiwan, 18 - 22 Oct 2010
Subject category: Detectors and Experimental Techniques
Accelerator/Facility, Experiment: CERN LHC ; ATLAS
Free keywords: role based access control ; roles ; security policy ; authorization ; access manager ; LDAP ; access management
Abstract: The complexity of the ATLAS experiment motivated the deployment of an integrated Access Control System in order to guarantee safe and optimal access for a large number of users to the various software and hardware resources. Such an integrated system was foreseen since the design of the infrastructure and is now central to the operations model. In order to cope with the ever growing needs of restricting access to all resources used within the experiment, the Role Based Access Control (RBAC) previously developed has been extended and improved. The paper starts with a short presentation of the RBAC design, implementation and the changes made to the system to allow the management and usage of roles to control access to the vast and diverse set of resources. The paper continues with a detailed description of the integration across all areas of the system: local Linux and Windows nodes in the ATLAS Control Network (ATCN), the Linux application gateways offering remote access inside ATCN, the Windows Terminal Servers offering remote access to the Detector Control System (DCS) and to Windows machines inside ATCN, the PVSS SCADA software, the distributed file system, and the central network attached file system. The RBAC implementation uses a directory service based on the Lightweight Directory Access Protocol (LDAP) to store the users (~3000), roles (~320), groups (~80) and access policies. The information is kept in sync with various other databases and directory services: human resources, central CERN IT, CERN Active Directory and the Access Control Database used by DCS.
Copyright/License: Preprint (License: CC-BY-4.0)


Record created 2011-01-14, last modified 2018-05-29