Best Practices address key NSDI topic - "Role-based Access Control"

New Best Practices envisions agencies moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud – leveraging shared Government Service Units

A set of Best Practices for one of the most important, but least understood, areas of Geospatial SOA – Role-based Access Control has just 'hit the street'. Development was coordinated between NSDI 2008 CAP Category 2 recipients and is designed to satisfy multi-agency requirements through modeling of business processes and related geospatial service components. As discussed in the report - these Best Practices will help the NSDI shed rigid, inward-looking approaches and transform into a more agile, responsive and customer-centric framework driven by collaborative partnerships.

This effort is important because Geospatial SOA based on OGC and other standards are strongly influencing development of the Federal Enterprise Architecture (FEA) Geospatial Profile, especially data access and update. These efforts have matured to a point where broad acceptance is now dependent on the capacity to secure data resources. In fact, organizations that are considering participation in the NSDI must also consider how they can establish distributed security frameworks for role-based access control to SOA resources. These requirements will continue to increase as data access transitions into data management with services like GeoSynchronization and Web Feature Server- Transactional (WFS-T) where loosely affiliated parties collaborate on maintenance of shared geospatial data resources.

Specifically, the lack of adequate Access Control solutions have contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based Spatial Data Infrastructure (SDI) services on standalone servers or cloud computing platforms.

To meet this challenge, this project defined and documented Best Practices in Geospatial SOA for Role-based Access Control - leveraging CubeWerx, The Carbon Project and OGC investments in developing solutions to solve this security challenge. The capability was deployed as part of a distributed SOA laboratory for Services Development, Test, and Evaluation (DT&E) designed to drive out Best Practices. Rather than dictating policies, the goal was to support policies already available in most organizations and provide components for supporting SDI Access Control Rules (SACR). These components were invoked in open geospatial web services, allowing simulation of trusted organizations in a federation, reuse of existing authentication methods and definition of new access control rules. Scenarios ranging from a hurricane response along the Gulf coast, cross-border information sharing, and regulatory permitting were executed and common Use Cases derived.

The resulting Access Control Rules were defined in an XML Schema using an XML file that can be dynamically parsed by OGC-compliant Web services. With this approach Authentication services can provide access control on a user-by-user basis. For example, several rules can be specified in an document, where each rule can apply to a different set of usernames, groups and/or roles.

The approach modeled in this project is compatible with IT industry-wide efforts working on “Identity Metasystems”, OASIS security standards for Information Cards, and the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In particular, this Best Practice for Role-based Access Control adopted the philosophy of using Authentication methods defined by IT industry-wide efforts and focused on defining reusable SDI Access Control Rules for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying service components by allowing organizations to optimize data services and reduce costs.

- Jeff

Knowing your Role when defining Best Practices for SDI Access Control

Requirements for Access Control and Authentication solutions on the Web have been growing during the last few years - but many security concerns for deploying geospatial data services like OGC Web Feature Services (WFS) Transactional still need to be addressed. Specifically, the lack of adequate Web-based Access Control solutions has contributed to a situation where many organizations have been avoiding deployment of their OGC services like WFS-T on the Web. The lack of such controls has forced data providers to adopt, for example, data sub-setting techniques to isolate access to geospatial data based on different projects, users, groups of users, etc. But such approaches have been proven to add hardware, software, implementation and maintenance costs for organizations deploying their OGC-based SDI data services.

To address this challenge a collaborative group including CubeWerx, The Carbon Project and others have been working on Best Practices for Role-based Access Control to help organizations deploying OGC Spatial Data Infrastructure (SDI) services. The approach is based on a set of simple Access Control Rules that can be used to make sure the right geospatial information goes to the right people. But behind the scenes there are IT industry-wide efforts working on “Identity Metasystems” to provide an interoperable architecture for digital identity, OASIS security standards for Information Cards, Authentication discussions on "Identity Provider" and "Relying Party" – all built on top of the Web Services Protocol Stack that includes WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. In other words, an incredible amount of effort IT industry-wide on Authentication.

So in the Best Practices for Role-based Access Control we adopted the philosophy that says, “Use Authentication methods defined by IT industry-wide efforts ” - we'll focus on defining simple, reusable SDI Access Control Rules (SACR) for granting access to OGC services by role, geographic extent, feature and SDI operations. This approach adds significant new capability for deploying SDI by allowing organizations to optimize data services and reduce costs. Over the next weeks we'll be talking more about these Best Practices, examples, and the associated 2008 NSDI Cooperative Agreements Program (CAP) project.

- Jeff

Basic roles in a crowd-sourced OGC SDI

Spatial data infrastructures (SDI) are starting to tap the knowledge and energy of collaborating communities - and move data production and update operations to local levels, closest to source. But what are the basic roles people can play in this collaborative environment?

It turns out the basic operations for this kind of "GeoSynchronization" (from OGC) are simple - updates are published by one data source, reviewed by another and followed by others. When you organize geoRSS feeds for the task you get three basic roles in a crowd-sourced SDI -

Publisher - Makes changes to content. Generates feature changes , submits them for review via a Change Feed. Changes include adding, deleting or updating features. When a change is accepted or rejected Publisher is notified via a Resolution Feed.

Reviewer - Approves changes submitted by Publishers, subscribed to a Change Feed. When the Reviewer receives a change, they can then use an application to review and 'accept' or 'reject'. GeoSynchronization Services (GSS) can then apply accepted changes to any registered OGC WFS via WFS Transactions.

Follower - Can use standard RSS reader to get updates on any device. When changes to servers are accepted GSS announces them to Followers via the Replication Feed. A Follower subscribed to these event notifications will receive appropriate updates in the form of RSS or GeoRSS entries.

- Jeff

Spatially-defined Access Control on YouTube

More NOAA weather via WMS and WFS SOA

It's Earth observation week at CarbonCloud - and here's quick look at some NOAA National Weather Service (NWS) WMS and WFS. Rumor has it a lot has happened in NWS with regards to web services - and the radar/warnings and Flood Outlook Product (FOP) WMS and WFS above are just a small glimpse of the progress. Although not a traditional part of an NSDI "Framework", climate and weather data have become essential for both daily forecasts and longer term understanding of potential changes in climate. The data is overlayed on USGS Framework WMS, NASA OnEarth WMS. If anyone would like the Gaia geospatial session file (GSF) for the services above just let us know at info@thecarbonproject.com.

- Jeff

NOAA's WFS - Instant Access to Climate Data

NOAA's National Climatic Data Center (NCDC) is "the world's largest active archive of weather data" - producing numerous climate publications and responding to data requests from all over the world. As part of its access programs the NCDC provides its geospatial data through OGC web services (WMS, WFS, KML/KMZ) and Catalog Service for the Web (CS-W). We tried the WFS recently in Gaia (above) and they work great. The data is overlayed on USGS Framework WMS, NASA OnEarth WMS and OpenStreetMap. Looks like lots of potential for open access to climate data.

- Jeff

Science Fiction or the Future of Aviation? NextGen System Utilizes Open Data Modeling

Image copyright & courtesy Geoworld magazine

The Carbon Project's CTO, Nuke Goldstein, discusses the role of open data modeling in the November issue of Geoworld (pp 19-21). The article begins by describing a pilot on a Flight from Dallas/Forth Worth airport in 2020 - and continues on to describe the role of geospatial data modeling and online services in modernizing our aging national airspace system. Check it out online here and let us know your thoughts.

- Jeff