MotOrBAC
An OrBAC security policy editor
Abstract policy creation
When creating a new OrBAC policy, the user can choose from the available implementations. The API version bundled with MotOrBAC contains two implementations.
Abstract policy editing
Specifying an OrBAC policy consists of defining an organization hierarchy as well as role, activity and view hierarchies. Contexts can then be added and used when specifying security rules. You can see the organization and role hierarchies on the image.
Contexts specification
Several languages are available to express contextual conditions. On this screenshot, the dialog box shows a Prova context, expressed using an implementation of Prolog. In the main MotOrBAC GUI you can see a BeanShell context.
Abstract rules specification
Seven permissions are displayed. Because the violation context column is irrelevant for permissions, no context is displayed in it. You can also see the prohibition and obligation tabs.
Conflicts management
MotOrBAC can display abstract and concrete conflicts. The image above shows the abstract conflicts detected in an abstract policy. The different colors mark pairs of conflicting rules. The contextual menu shown lists the solutions proposed to the policy designer to resolve a conflict.
Entity definitions
Entity definitions can be used to define constraints that the policy must satisfy. Several languages can be used to express those definitions. For example, this image shows a role definition. The constraint states that a subject can only be assigned to the "extern" role in the "rennes_hospital" organization if he/she has an attribute called "internat" whose value should be "obtenu".
Concrete policy simulation
In the OrBAC model, a concrete policy, which applies to the subjects, actions and objects of a system, is derived from an abstract policy specified at the organizational level. MotOrBAC can show the concrete policy inferred from an abstract policy and, for each concrete rule, show its activation state.
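The derivation described above, as an added Python sketch that is not MotOrBAC or OrBAC API code: an abstract rule over (organization, role, activity, view, context) yields a concrete rule for every subject, action and object assigned to those abstract entities, and the rule is active only while its context holds. The "rennes_hospital" and "extern" names come from this page; every other name, and the representation of contexts as Python predicates, is an assumption made for the illustration.

```python
from itertools import product

ORG = "rennes_hospital"  # organization and role names from the page; the rest is constructed
empower = {(ORG, "alice", "extern"), (ORG, "bob", "nurse")}      # subject -> role
consider = {(ORG, "read", "consult"), (ORG, "write", "modify")}  # action -> activity
use = {(ORG, "file42", "medical_record")}                        # object -> view

# A context is a predicate over (subject, action, object, environment).
contexts = {
    "default": lambda s, a, o, env: True,
    "working_hours": lambda s, a, o, env: 8 <= env["hour"] < 18,
}

# Abstract rules: (type, organization, role, activity, view, context)
abstract_rules = [
    ("permission", ORG, "extern", "consult", "medical_record", "working_hours"),
    ("prohibition", ORG, "extern", "modify", "medical_record", "default"),
]

def derive_concrete(env):
    """Map each inferred concrete rule (type, subject, action, object) to its activation state."""
    concrete = {}
    for kind, org, role, activity, view, ctx in abstract_rules:
        for (o1, s, r), (o2, a, act), (o3, obj, v) in product(empower, consider, use):
            if (o1, r) == (org, role) and (o2, act) == (org, activity) and (o3, v) == (org, view):
                # The rule exists for this triple; it is active only while the context holds.
                concrete[(kind, s, a, obj)] = contexts[ctx](s, a, obj, env)
    return concrete

if __name__ == "__main__":
    for hour in (10, 22):
        print(hour, derive_concrete({"hour": hour}))
```

Outside working hours the permission is still part of the concrete policy but is reported as inactive, while the prohibition bound to the default context stays active.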
Plug-ins
The OrBAC API can manage plug-ins. MotOrBAC uses this plug-in architecture to provide a means of extending MotOrBAC. The above screenshot shows the plug-in selection dialog box.