Role-based Access Control - Best Practices for Geospatial Service Oriented Architecture

In the area of Geospatial SOA this project developed Best Practices for role-based access control. Development was coordinated with other 2008 Category 2 recipients and satisfies multi-agency requirements through the modeling and deployment of business processes and related geospatial service components. These Best Practices will help the NSDI to shed rigid and inward-looking approaches and transform into a more agile, responsive and customer-centric framework driven by collaborative partnerships. Of particular interest was the advancement of technology to support regulatory interoperability between organizations like USACE, EPA and others.

This effort is important because Geospatial SOA based on OGC® and other standards are strongly influencing development of the Federal Enterprise Architecture (FEA) Geospatial Profile, especially data access and update. These efforts have matured to a point where broad acceptance is now dependent on the capacity to secure data resources. In fact, organizations like USACE that are considering participation in the NSDI must also consider how they can establish distributed security frameworks for role-based access control to SOA resources. These requirements will continue to increase as data access transitions into data management with services like GeoSynchronization and Web Feature Server- Transactional (WFS-T) where loosely affiliated parties collaborate on maintenance of shared geospatial data resources.

Specifically, the lack of adequate Access Control solutions have contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based Spatial Data Infrastructure (SDI) services on standalone servers or cloud computing platforms.

To meet this challenge, this project defined and documented Best Practices in Geospatial SOA for Role-based Access Control. This project leveraged CubeWerx and OGC investments in developing solutions to solve this important security challenge. The capability was deployed as part of a distributed SOA laboratory for Services Development, Test, and Evaluation (DT&E) designed to drive out Best Practices. Rather than dictating policies, the goal was to support policies already available in most organizations and provide secure, flexible, extensible components for supporting SDI Access Control Rules (SACR). These components were invoked in open geospatial web services, allowing the simulation of trusted organizations in a federation, reuse of existing authentication methods and definition of new access control rules. Scenarios ranging from a hurricane response along the Gulf coast, cross-border information sharing, and regulatory permitting were executed and common Use Cases derived.

The resulting Access Control Rules were defined in an XML Schema using an XML file that can be dynamically parsed by OGC-compliant Web services. With this approach Authentication services can provide access control on a user-by-user basis. For example, several rules can be specified in an <AccessControlRules> document (see the final report), where each rule can apply to a different set of usernames, groups and/or roles.

The approach modeled in this project is compatible with IT industry-wide efforts working on "Identity Metasystems", OASIS security standards for Information Cards, and the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In particular, this Best Practice for Role-based Access Control adopted the philosophy of using Authentication methods defined by IT industry-wide efforts and focused on defining reusable SDI Access Control Rules for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying service components by allowing organizations to optimize data services and reduce costs.

Final Report

Interim Report  

GISciences 2008 SOA Workshop, Park City, Utah PowerPoint Presentation (MS Powerpoint)

Project Introduction Presentation

CubeWerx USA


Mr. Jeff Harrison, Acting Director, CubeWerx USA

Other contacts:

Joel.D.Schlagel, Institute for Water Resources, U.S. Army Corps of Engineers

Edric Keighan, President & CEO, CubeWerx, Inc.