Best Practices address key NSDI topic - "Role-based Access Control"

New Best Practices envisions agencies moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud – leveraging shared Government Service Units

A set of Best Practices for one of the most important, but least understood, areas of Geospatial SOA – Role-based Access Control has just 'hit the street'. Development was coordinated between NSDI 2008 CAP Category 2 recipients and is designed to satisfy multi-agency requirements through modeling of business processes and related geospatial service components. As discussed in the report - these Best Practices will help the NSDI shed rigid, inward-looking approaches and transform into a more agile, responsive and customer-centric framework driven by collaborative partnerships.

This effort is important because Geospatial SOA based on OGC and other standards are strongly influencing development of the Federal Enterprise Architecture (FEA) Geospatial Profile, especially data access and update. These efforts have matured to a point where broad acceptance is now dependent on the capacity to secure data resources. In fact, organizations that are considering participation in the NSDI must also consider how they can establish distributed security frameworks for role-based access control to SOA resources. These requirements will continue to increase as data access transitions into data management with services like GeoSynchronization and Web Feature Server- Transactional (WFS-T) where loosely affiliated parties collaborate on maintenance of shared geospatial data resources.

Specifically, the lack of adequate Access Control solutions have contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based Spatial Data Infrastructure (SDI) services on standalone servers or cloud computing platforms.

To meet this challenge, this project defined and documented Best Practices in Geospatial SOA for Role-based Access Control - leveraging CubeWerx, The Carbon Project and OGC investments in developing solutions to solve this security challenge. The capability was deployed as part of a distributed SOA laboratory for Services Development, Test, and Evaluation (DT&E) designed to drive out Best Practices. Rather than dictating policies, the goal was to support policies already available in most organizations and provide components for supporting SDI Access Control Rules (SACR). These components were invoked in open geospatial web services, allowing simulation of trusted organizations in a federation, reuse of existing authentication methods and definition of new access control rules. Scenarios ranging from a hurricane response along the Gulf coast, cross-border information sharing, and regulatory permitting were executed and common Use Cases derived.

The resulting Access Control Rules were defined in an XML Schema using an XML file that can be dynamically parsed by OGC-compliant Web services. With this approach Authentication services can provide access control on a user-by-user basis. For example, several rules can be specified in an document, where each rule can apply to a different set of usernames, groups and/or roles.

The approach modeled in this project is compatible with IT industry-wide efforts working on “Identity Metasystems”, OASIS security standards for Information Cards, and the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In particular, this Best Practice for Role-based Access Control adopted the philosophy of using Authentication methods defined by IT industry-wide efforts and focused on defining reusable SDI Access Control Rules for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying service components by allowing organizations to optimize data services and reduce costs.

- Jeff