RBAC/ExamplesCGI/appl/cgi. The scripts use a few libraries of Perl subroutines located in
RBAC/cgi/lib. The tool implements the following functions: add/remove users, add/remove roles, assign/de-assign roles to/from users, add/remove inheritance relation between two roles, establish/de-establish SSD and DSD relations between two roles. The execution of each administrative operation is preceded by a test of the RBAC/Web Database consistency and a test of the conditions associated with that operation assuring the preservation of the database consistency. If any of these tests fails, the administrative operation is not performed.
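The "test before every operation" behaviour described above can be sketched as follows. This is an added example, not code from the RBAC/Web distribution: the in-memory `RBACDatabase` class, the rule that a user may not be authorized (directly or through inheritance) for two roles in an SSD relation, and the role and user names are all assumptions made for illustration.

```python
# Added illustration: an in-memory stand-in for the RBAC database. The real
# tool keeps its data in files whose format is not shown on this page.


class RBACDatabase:
    def __init__(self):
        self.assigned = {}      # user -> set of directly assigned roles
        self.inherits = {}      # role -> set of roles it inherits from
        self.ssd = set()        # frozenset({role_a, role_b}) pairs

    def authorized(self, roles):
        """Return roles plus everything reachable through inheritance."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits.get(role, ()))
        return seen

    def ssd_conflicts(self, roles):
        """SSD pairs that would both be authorized for one user."""
        closure = self.authorized(roles)
        return sorted(tuple(sorted(p)) for p in self.ssd if p <= closure)

    def is_consistent(self):
        """Database-wide test: no user currently violates SSD."""
        return not any(self.ssd_conflicts(r) for r in self.assigned.values())

    def assign_role(self, user, role):
        """Perform the assignment only if both tests pass."""
        if not self.is_consistent():
            return False, "database inconsistent"
        conflicts = self.ssd_conflicts(self.assigned.get(user, set()) | {role})
        if conflicts:
            return False, f"SSD violation: {conflicts}"
        self.assigned.setdefault(user, set()).add(role)
        return True, "assigned"


def demo():
    db = RBACDatabase()                       # constructed sample data
    db.inherits["branch_manager"] = {"teller"}
    db.ssd.add(frozenset({"teller", "auditor"}))
    results = [db.assign_role("alice", "auditor"),
               db.assign_role("alice", "branch_manager"),
               db.assign_role("bob", "branch_manager")]
    return db, results
```

The second assignment is refused because branch_manager inherits teller, which is in SSD with the auditor role alice already holds; the database is left unchanged.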
In the definition of HTTP 1.1, the semantics of PUT are pretty much
"implementation defined". The RBAC/Web CGI implements two kinds of
PUT: one where the resource addressed is simply replaced, and one where the
resource addressed becomes the latest "version", i.e., the resource addressed
is renamed to an earlier version and the current version becomes that which
was PUT. In the distribution as installed, the CGI is configured for the
simple replacement PUT. The RBAC/Web CGI also permits a PUT to be
passed to another CGI. The mlsput CGI in the
RBAC_v1.1/RBAC/ExamplesCGI/appl/cgi directory is an example of
such a PUT CGI.
RBAC_v1.1/RBAC/cgi directory. This program is how the user establishes an RBAC Session, i.e., creates the active role set (<user>.active_roles) for the user.
It is possible to use this distribution without using the Session Manager assuming one does not use any of the role relationships: inheritance, and dynamic and static separation of duties. In an elementary RBAC system, a user only has assigned roles, those roles are the only ones that can become active, and every assigned role is always active. Thus, the Session Manager is not necessary. The active role sets for each user can be created with an editor and left permanently in place.
RBAC_v1.1/RBAC/DOCs directory. Included in that directory are this README.html file, the RBAC/Web Design Document, design.html, documentation for RBAC/Web CGI, CGI_Doc.html, and the user agreement, rbacweb.agreement. Please read the user agreement.
RBAC_v1.1/RBAC/ExamplesCGI directory contain many examples of how this distribution of RBAC/Web may be used. The bank and MLS demos are in the
RBAC_v1.1/RBAC/admin/users file contains the users defined in the demos. The password for each user is that user's name. The user admin is the user assigned the role role_admin, which is the required role for running the RBAC/Web Admin Tool. The other directories in the
RBAC_v1.1/RBAC/ExamplesCGI directory contain tests specifically for the CGI. See the CGI Documentation in
RBAC_v1.1/RBAC/src provides the source to compile each of these systems. For the SunOS system, the file
RBAC_v1.1/RBAC/src/Makefile must have the macro
SYSTEM defined as PreSolaris. Compilation can be avoided, for these systems, by using the appropriate binary distribution nph-RBACcgi, which is available in
tar xf rbac_v1.1_dist.tar
RBAC_v1.1. In that directory is this README.html file and rbacweb.agreement, the user agreement file for use of this software.
ScriptAlias /RBAC/ <RBAC_root>/cgi/
Alias /RBAC_DOCs/ <RBAC_root>/DOCs
Alias /RBAC-CGI_src/ <RBAC_root>/src
Alias /RBAC_DOCs <RBAC_root>/DOCs
Alias /RBAC-CGI_src <RBAC_root>/src
If a name other than "RBAC_DOCs" is used in the Alias above (e.g.,
"RBAC_DOCs_other"), then in
If a name other than "RBAC-CGI_src" is used in the Alias (e.g.,
"RBAC-CGI_src_other"), then in
<RBAC_root>/ExamplesCGI contains files, both documents and CGI scripts, whose access is controlled by RBAC/Web. Consequently, the HTTP Server administrator should not provide any Alias or ScriptAlias which permits access to the
<RBAC_root>/ExamplesCGI directory or any of its contents by means of the HTTP Server directly. This caveat applies equally to any other files whose access is to be controlled by RBAC/Web.
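One way to check a server configuration against this caveat, as an added example that is not part of the RBAC/Web distribution: the function name `exposed_aliases`, its parameters, and the sample configuration are constructed for illustration, with /export/RBAC_v1.1/RBAC standing in for <RBAC_root>. It flags any Alias or ScriptAlias whose target lies inside a protected directory or is an ancestor of it.

```python
import posixpath
import re

# Directives that map a URL prefix straight onto the filesystem.
DIRECTIVE = re.compile(r"^\s*(ScriptAlias|Alias)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def _norm(path):
    """Collapse '..', '.', and duplicate or trailing slashes (no symlink lookup)."""
    return posixpath.normpath(path)


def _covers(parent, child):
    """True if child is parent itself or lies underneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def exposed_aliases(config_text, rbac_root, protected=("ExamplesCGI",)):
    """Return (line_no, directive, url, target) for every mapping that
    reaches a directory whose access RBAC/Web is meant to control."""
    guarded = [_norm(posixpath.join(rbac_root, p)) for p in protected]
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        directive, url, target = match.groups()
        target = _norm(target.strip('"'))
        # Exposed if the alias points into a guarded tree, or at an
        # ancestor of it (for example <RBAC_root> itself).
        if any(_covers(target, g) or _covers(g, target) for g in guarded):
            findings.append((line_no, directive, url, target))
    return findings


# Constructed sample configuration for the demonstration.
SAMPLE = """\
ScriptAlias /RBAC/ /export/RBAC_v1.1/RBAC/cgi/
Alias /RBAC_DOCs/ /export/RBAC_v1.1/RBAC/DOCs
Alias /demo/ /export/RBAC_v1.1/RBAC/ExamplesCGI/appl/docs/
Alias /all/ /export/RBAC_v1.1/RBAC/cgi/../
# Alias /old/ /export/RBAC_v1.1/RBAC/ExamplesCGI/
"""

if __name__ == "__main__":
    for finding in exposed_aliases(SAMPLE, "/export/RBAC_v1.1/RBAC"):
        print("bypasses RBAC/Web:", finding)
```

Pass further directory names in `protected` for any other files whose access is to be controlled by RBAC/Web; symbolic links are not resolved, so a link into a protected tree has to be checked separately.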
<RBAC_root>/conf.cgi, changes are required to run the RBAC/Web demos.
To run the bank and the MLS demos change:
Pass /applData/* /export/RBAC_v1.1/RBAC/ExamplesCGI/appl/docs/* to
Pass /applData/* <RBAC_root>/ExamplesCGI/appl/docs/*
To run RBAC/Web CGI demos change:
Pass /Example/* /export/RBAC_v1.1/RBAC/ExamplesCGI/* to
Pass /Example/* <RBAC_root>/ExamplesCGI/*
Exec /ExecTest/* /export/RBAC_v1.1/RBAC/ExamplesCGI/cgi/*
Exec /ExecTest/* <RBAC_root>/ExamplesCGI/cgi/*
#!/usr/local/bin/perl to the location of perl. It may be possible to use softlinks so that these lines need not be changed.
<RBAC_root>/cgi/nph-RBACcgi by either copying the appropriate distribution file from
RBAC_v1.1/binaries/YourSystem/nph-RBACcgi or compiling from the provided sources.
To generate nph-RBACcgi from the sources, perform the following:
<RBAC_root>/admin/users file and that same name as the password.
To add a new user:
<RBAC_root>/cgi/.htaccess and <username>'s password to
<RBAC_root>/htpasswd according to HTTP Server instructions.
<RBAC_root>/ExamplesCGI/appl/docs/tmp directory. Make this directory writable by the user ID of the HTTP Server process.
Each user has a directory in the directory
<RBAC_root>/ExamplesCGI/appl/docs/tmp. It contains
temporary files accessible only by <username> in the role whose name is
<username>. This "self" role is automatically generated by the
login process and may also be used for discretionary access control.
The "self" role does not appear in any of the files in
<RBAC_root>/admin except for <username>.active_roles.
Note that in the bank and MLS demos, the <username> item
on the menu should return an error. Discretionary access control has not been
implemented for these demos.
<RBAC_root>/ExamplesCGI/appl/docs/tmp/<username> directory, create a .RBAC_acl file with the single line: