JACoW is a publisher in Geneva, Switzerland that publishes the proceedings of accelerator conferences held around the world by an international collaboration of editors.
TY  - CONF
AU  - Sukhanov, A.
AU  - Morris, J.
ED  - Schaa, Volker RW
ED  - Götz, Andy
ED  - Venter, Johan
ED  - White, Karen
ED  - Robichon, Marie
ED  - Rowland, Vivienne
TI  - Secure Role-Based Access Control for RHIC Complex
J2  - Proc. of ICALEPCS2023, Cape Town, South Africa, 09-13 October 2023
CY  - Cape Town, South Africa
T2  - International Conference on Accelerator and Large Experimental Physics Control Systems
T3  - 19
LA  - english
AB  - This paper describes the requirements, design, and implementation of Role-Based Access Control (RBAC) for the RHIC Complex. The system is designed to protect against accidental, unauthorized access to equipment of the RHIC Complex, but it can also provide significant protection against malicious attacks. Role assignment is dynamic: roles are primarily based on user ID, but elevated roles may be assigned for limited periods of time. Protection at the device manager level may be provided for an entire server or for individual device parameters. A prototype version of the system has been deployed at the RHIC Complex since 2022. Authentication is performed on a dedicated device manager, which generates an encrypted token based on user ID, expiration time, and role level. Device managers are equipped with an authorization mechanism that supports three methods of authorization: Static, Local and Centralized. Transactions with the token manager take place 'atomically', during secured set() or get() requests. The system has small overhead: ~0.5 ms for token processing and ~1.5 ms for the network round trip. Only Python-based device managers are participating in the prototype system. Testing has begun with C++ device managers, including those that run on VxWorks platforms. For an easy transition, dedicated intermediate shield managers can be deployed to protect access to device managers that do not directly support authorization.
PB  - JACoW Publishing
CP  - Geneva, Switzerland
SP  - 1150
EP  - 1154
KW  - controls
KW  - operation
KW  - software
KW  - network
KW  - EPICS
DA  - 2024/02
PY  - 2024
SN  - 2226-0358
SN  - 978-3-95450-238-7
DO  - doi:10.18429/JACoW-ICALEPCS2023-TH2AO05
UR  - https://jacow.org/icalepcs2023/papers/th2ao05.pdf
ER  -