OGC 11-086r1r1
Copyright © 2012 Open Geospatial Consortium
[Figure 7 diagram not reproduced: it relates Subject, Role and Session through N:M assignment relations.]
Figure 7: Conceptual design of the RBAC1 model [13]
6.2 Required types of authorizations
The protection of WFS instances and their underlying databases requires the enforcement of rights with different characteristics. The following subsections introduce various types of authorization semantics that frequently need to be enforced when securing WFS instances. The right-specific requirements presented here were identified in various expert interviews, working group sessions, consulting projects and in the course of in-depth secondary literature research.
6.2.1 Rights referring to individual resources
There is the need to define access rights that control the possible interactions with the individual resources of spatial data infrastructures. These resources belong to different
resource classes that are shown in Figure 8.
[Figure 8 class diagram not reproduced. Classes shown: Computer, Service, WPS, WMS, WFS, Resource, DataContainer, File, Table, Feature, Building, Street, FeatureAttribute, Owner, Location. Relations shown: part-of, used-by, runs-on.]
Figure 8: Classification of resources in spatial data infrastructures
Support for rights that refer to resources of different classes is very important, as it simplifies the administration of rights and at the same time makes the least privilege principle easy to implement.
Supporting only rights that refer to coarse-grained resources such as computers or services carries the risk that access to more fine-grained resources, e.g. certain building features, is unnecessarily restrictive or too permissive.
On the other hand, binding rights to naturally existing, coarse-grained abstractions of information entities is very helpful, as it allows a huge set of rights to be expressed in one single right. For example, a right declaring that a user is allowed read access on building “xyz” stands for a set of rights that permit the user to read all attributes associated with that building.
6.2.2 Rights referring to service, feature and attribute classes
In addition to rights that refer to resource instances of certain classes, it must be possible to define rights that refer to individual resource classes. A class-based right represents an authorization that refers to all existing and future instances of this class. Examples of rights that refer to resource classes are “Alice is denied to use services of type WFS” and “Bob is permitted to have read access on features of class Street”. Class-based rights simplify the administration of the access control policy and allow frequently intended authorization semantics to be expressed directly.
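The following added example (not part of the OGC document) sketches how the instance-based rights of 6.2.1 and the class-based rights of 6.2.2 can be evaluated by one decision function. The class names come from Figure 8; the parent links between them, the subject Carol, the Service-level permit, the propagation of class-based rights along part-of, and the deny-overrides/default-deny combining rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Class names are from Figure 8; the parent links are an assumption.
SUBCLASS_OF = {"WFS": "Service", "WMS": "Service", "WPS": "Service",
               "Building": "Feature", "Street": "Feature",
               "Owner": "FeatureAttribute", "Location": "FeatureAttribute"}

@dataclass(frozen=True)
class Resource:
    rid: str                            # instance identifier (constructed)
    rclass: str                         # resource class
    part_of: "Resource | None" = None   # containing resource, if any

@dataclass(frozen=True)
class Right:
    subject: str
    action: str
    effect: str             # "permit" or "deny"
    target: str             # instance id, or class name if by_class is True
    by_class: bool = False  # class-based right (6.2.2)

def class_chain(rclass):
    """Return rclass followed by all of its ancestor classes."""
    parent = SUBCLASS_OF.get(rclass)
    return [rclass] + (class_chain(parent) if parent else [])

def applies(right, res):
    """True if the right targets res or a resource that res is part of."""
    node = res
    while node is not None:
        keys = class_chain(node.rclass) if right.by_class else [node.rid]
        if right.target in keys:
            return True
        node = node.part_of   # e.g. an attribute inherits from its building
    return False

def decide(policy, subject, action, res):
    """Assumed combining rule: deny overrides permit; no match means deny."""
    effects = {r.effect for r in policy
               if r.subject == subject and r.action == action and applies(r, res)}
    return "permit" if effects == {"permit"} else "deny"

# Constructed sample policy; Carol and the Service-level permit are hypothetical.
POLICY = [Right("Alice", "use", "permit", "Service", by_class=True),
          Right("Alice", "use", "deny", "WFS", by_class=True),
          Right("Bob", "read", "permit", "Street", by_class=True),
          Right("Carol", "read", "permit", "xyz")]
```

Because class-based rights are matched against the class of the resource at decision time, a Street instance created after the policy was written is covered without any policy change.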
6.2.3 Rights referring to resources with certain properties