JACoW is a publisher based in Geneva, Switzerland; through an international collaboration of editors, it publishes the proceedings of accelerator conferences held around the world.
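@comment{Short venue form for this entry: Proc. ICALEPCS'23. It is recorded here
  rather than as a percent-prefixed "booktitle" line inside the entry, because
  the percent sign is not a comment character in classic BibTeX and a second
  booktitle field would be a duplicate. The month uses the standard three-letter
  macro so it expands under both BibTeX and Biber, and the tilde in the timing
  figures of the abstract is written as math so it renders as "approximately"
  instead of a non-breaking space.}
@inproceedings{sukhanov:icalepcs2023-th2ao05,
  author    = {Sukhanov, A. and Morris, J.},
  title     = {Secure Role-Based Access Control for {RHIC} Complex},
  booktitle = {Proc. 19th Int. Conf. Accel. Large Exp. Phys. Control Syst. ({ICALEPCS}'23)},
  series    = {International Conference on Accelerator and Large Experimental Physics Control Systems},
  number    = {19},
  eventdate = {2023-10-09/2023-10-13},
  venue     = {Cape Town, South Africa},
  publisher = {JACoW Publishing, Geneva, Switzerland},
  month     = feb,
  year      = {2024},
  pages     = {1150--1154},
  paper     = {TH2AO05},
  language  = {english},
  keywords  = {controls, operation, software, network, EPICS},
  issn      = {2226-0358},
  isbn      = {978-3-95450-238-7},
  doi       = {10.18429/JACoW-ICALEPCS2023-TH2AO05},
  url       = {https://jacow.org/icalepcs2023/papers/th2ao05.pdf},
  abstract  = {This paper describes the requirements, design, and implementation of Role-Based Access Control (RBAC) for RHIC Complex. The system is being designed to protect from accidental, unauthorized access to equipment of the RHIC Complex, but it also can provide significant protection against malicious attacks. The role assignment is dynamic. Roles are primarily based on user id but elevated roles may be assigned for limited periods of time. Protection at the device manager level may be provided for an entire server or for individual device parameters. A prototype version of the system has been deployed at RHIC complex since 2022. The authentication is performed on a dedicated device manager, which generates an encrypted token, based on user ID, expiration time, and role level. Device managers are equipped with an authorization mechanism, which supports three methods of authorization: Static, Local and Centralized. Transactions with token manager take place ’atomically’, during secured set() or get() requests. The system has small overhead: $\sim$0.5 ms for token processing and $\sim$1.5 ms for network round trip.
    Only python based device managers are participating in the prototype system. Testing has begun with C++ device managers, including those that run on VxWorks platforms. For easy transition, dedicated intermediate shield managers can be deployed to protect access to device managers which do not directly support authorization.},
}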