Knowing your Role when defining Best Practices for SDI Access Control
Requirements for Access Control and Authentication solutions on the Web have been growing during the last few years - but many security concerns for deploying geospatial data services like OGC Web Feature Services (WFS) Transactional still need to be addressed. Specifically, the lack of adequate Web-based Access Control solutions has contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt, for example, data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based SDI data services.
To address this challenge a collaborative group including CubeWerx, The Carbon Project and others have been working on Best Practices for Role-based Access Control to help organizations deploying OGC Spatial Data Infrastructure (SDI) services. The approach is based on a set of simple Access Control Rules that can be used to make sure the right geospatial information goes to the right people. But behind the scenes there are IT industry-wide efforts working on “Identity Metasystems” to provide an interoperable architecture for digital identity, OASIS security standards for Information Cards, Authentication discussions on "Identity Provider" and "Relying Party" – all built on top of the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In other words, an incredible amount of effort IT industry-wide on Authentication.
So in the Best Practices for Role-based Access Control we adopted the philosophy that says, “Use Authentication methods defined by IT industry-wide efforts ” - we'll focus on defining simple, reusable SDI Access Control Rules (SACR) for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying SDI by allowing organizations to optimize data services and reduce costs. Over the next weeks we'll be talking more about these Best Practices, examples, and the associated 2008 NSDI Cooperative Agreements Program (CAP) project.