Access Road v0.5.0 user manual
© Copyright 2000-2001 TPA Conseil
The Access Road documentation is free. Permission
is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation ;
with the Invariant Section being "ARPresentation",
with the Front-Cover Text being "The Access Road project",
and with no Back-Cover Texts. This license is applicable
for 20 years since the publication of the documentation. The applicable
laws are the French ones, and the relevant court is at Nanterre
(92), FRANCE, EC.
A copy of the license is included
in the section entitled "GNU Free Documentation
License".
Table of Contents:
- Requirements for Access Road version 0.5.0
- Installation
- Remove the installation
- Create and close an access control system (ACS)
- Remove an access control system
- Handle the windows
- Understand the ACS trees
- Create a new view
- Understand the view
- Open an access control system or a view
- Exit the program
- Performances
- Save and restore a working space
- Known bugs
Requirements for Access Road version 0.5.0
- Pentium 200 Mhz or equivalent
- 64 MB of memory (96 MB is better)
- 20 MB on disk
- Java 2 installed (JRE 1.3 or JDK 1.3). You need a free-of-charge Java runtime environment, which you can download from Sun, IBM or any other provider.
The program has been tested under Windows NT4 with the Sun JDK, and under SuSE Linux 7.1 with KDE and the IBM JDK.
Access Road Installation
To install the executable:
- download accessroad050.jar into the Access Road directory of your choice
- update your path:
  - '.' in PATH, for the current directory, on Linux/Unix systems
  - '.' in Path in Windows NT Diagnostics/Environment, on Windows NT systems
  - the 'Access Road directory'\classes directory, in your path
  - the \bin directory of the Java 1.3 runtime environment, in your path
- open the command window:
  - run a shell on Linux/Unix systems
  - run cmd.exe through Run/Execute, on Windows NT systems
  - run Command.com through Run/Execute, on Windows 9x
- go to the Access Road directory
- enter this command: jar xvf accessroad050.jar
- the Access Road directories and files are created under the current directory, with the intermediate directory 'classes'
- enter this command: java -classpath 'your Access Road directory'/classes ARoad0.Gui1.Desktop (on Windows, replace '/' by '\')
- Access Road starts up and its graphical interface appears
- click on Help/Help Documentation to see the user manual
If you don't have the development documentation, you may also print the user manual from the web site.
You may use a script in place of the last command, to run Access Road more easily:
- a text file used as a shell script, on Linux/Unix systems
- a text file used as a .bat script, on Windows 9x/NT systems
You may remove the jar file from the Access Road directory.
To install the source code with all the relevant html, image files and test classes:
- download accessroad050src.zip and extract it into the directory of your choice
To install the development documentation:
- download accessroad050docs.zip and extract it into the directory of your choice; open documentation.html
Remove the installation
To remove the program, delete:
- accessroad050.jar
- the \classes directory
- all *.acr files in the Access Road directory
Update your class path if necessary.
To remove the documentation or the source code, delete the
relevant directory.
Create and close an access control system (ACS)
An access control system is any hardware or software that is responsible for delivering access rights in an information system. Typically, an operating system, an HTTP server, a router or a user application are examples of ACS. An ACS is always contained in an Information System (IS). Access Road handles two types of access rights:
- access control list: an access user has a right upon an access target. This type suits every simple ACS, such as a router. For instance, an IP address may be viewed as an access user, and another IP address may be an access target. The same principle applies to an HTTP server like Apache, with HTTP pages or scripts as access targets.
- Linux access rights. This type is provided only for operating systems. It handles entities such as userIDs and groupIDs. It may be complemented by access control lists in an operating system like Solaris.
Any action or representation on an element in the GUI requires first opening the ACS that owns the element. The elements owned by an ACS are no longer displayed in the GUI after this ACS is closed, even through another ACS frame.
You may create a new access control system (ACS), set its name, and open it.
- Click on File/New/New Access Control System, or enter Alt F then N.
- This window appears. A default name is set for the IS; you may change it. You can't use '::' in the name.
- To go to the next field, use Tab or click on the next field.
- Set the name of the new ACS you want to create. You can't use '::' in the name.
- Choose to create an empty ACS or a standard predefined ACS. If you choose 'empty', the ACS is displayed but you can't update it in this program version. The choices for a non-empty ACS are:
  - 'with default Trees, no acls': click on the button, or enter Alt + i. This creates a Linux-like ACS. See details on created objects.
  - 'with default acls, little tree': click on the button, or enter Alt + a. This creates a general-purpose ACS. See details on created objects.
  - 'with default trees and acls': click on the button, or enter Alt + w. This creates a Solaris-like ACS. See details on created objects.
- Then, the program saves the access control system in a dedicated file (the ACS name followed by .acr) and opens it in the GUI:
  - the program displays in an ACS tree all the ACS elements, with a specific first-level node for each element type. See Handle the windows
  - the program opens or updates the explorer, which displays all the currently open access control systems
You may close an open ACS by clicking the close button of the ACS tree frame, or by clicking File/Close when the ACS tree frame is selected (File/Close does nothing if the ACS name is selected in the explorer). A window is displayed asking whether to close the ACS and, if so, whether to save it.
- the program always closes the ACS tree frame if you have clicked on its close button
- the program closes the ACS and updates the explorer if you request it, and updates all the open ACS trees if there are access control lists which link them to the closing ACS
- the program saves the ACS if you request it
Remove an access control system
A created ACS remains registered by the program until it is removed. To remove it, select the ACS tree frame and click on File/Remove. Selecting the ACS name in the explorer doesn't remove the ACS. After a removal, the file associated with the removed ACS is not deleted under the Access Road directory, but there is no restore function for the moment, so this file is not useful in the current version of Access Road.
Caution: deleting the file l_acs_v0.acr under the Access Road working directory is equivalent to removing all the registered ACS.
Handle the windows
Access Road runs under any platform supporting Java. The main
window of the program is displayed with the platform look-and-feel.
The internal windows use a Metal look-and-feel which is specific
to Java.
Most of the entities (explorer, ACS, view, text...) are displayed
in dedicated internal frames in the main Access Road window. You
may handle the windows:
- set the size and the position of any internal frame in the main window with the mouse
- iconify an internal frame by clicking on the right icon at the top of the window (an arrow to the bottom left), except for the explorer frame, which can't be iconified
- close an internal frame by clicking on the cross at the top of the window, except for the explorer frame, which can't be closed
- tile all the open internal frames in the main window: click on Window/Tile frames (or Alt + w then Enter)
- close and/or save the ACS associated with an ACS tree frame that is being closed
Understand the ACS trees
The ACS tree frames and the explorer display the open ACS in specific trees. They show all the objects belonging to the ACS or connected to it through external-oriented AclEntries.
This window shows the explorer when it displays the objects in the ACS vava. The same display appears in the ACS tree frame. Note the icon used in this look and feel to show the expanded nodes in the tree.
The explorer tree always shows the currently open entities. The first type is open access control systems, which is associated with an expanded node here. There are first two ACS, gred and dvbd, whose nodes are not expanded, and a third expanded ACS vava with the following nodes:
- Eligible Parties: the first three nodes in the vava tree (Actors, UserIDs and GroupIDs) are kinds of eligible parties. An eligible party is an entity to which an access control system delivers access rights or denies access to resources. It is therefore an access right user.
- Actors (rights user & access target): programs are typical actors in an information system. An actor is an acting resource which, as a kind of eligible party, may access resources controlled by the access control system, and which may play some special roles, as a bridge or a gate, between another actor and some resources. Actors are both access targets, as any resource, and rights users.
- UserIDs (rights user): accounts in an operating-system-like access control system, as a kind of eligible party. Typically, each human user has a personal userID for logging in to the operating system. UserIDs have access rights upon the resources.
- GroupIDs tree (rights user): a kind of eligible party that owns a set of eligible parties. Typically, a Linux access control group is a groupID. As a groupID may contain another groupID, they are displayed in a tree.
- Resources tree (access target): hierarchical tree of entities which are access targets in an access control system. Typically, the files in an operating system are resources, but actors are also resources.
These first nodes in the ACS tree are devoted to modelling the entities in an operating system. The next node is used to display the access control lists, which define in an ACS more general access right links between an eligible party and a resource. Access control lists may be applied to any kind of simple ACS:
This window shows the explorer when it displays the objects in the ACS vava. The same display appears in the ACS tree frame. The explorer shows the AclEntries. Each AclEntry is defined:
- FROM one Eligible Party (right user): the first three nodes in the tree (Actors, UserIDs and GroupIDs) are kinds of eligible parties. An eligible party is an entity to which an access control system delivers access rights or denies access to resources. It is therefore a right user.
- TO one Resource (access target): an entity which is an access target in an access control system. Typically, the files in an operating system are resources.
- with specific right(s): for instance 'execute' here, for the first three AclEntries.
- with a positive right (the right is authorized by the ACS) or a negative right (the right is forbidden by the ACS).
- In this ACS tree, the Eligible Parties and the Resources are named with their ACS name and their last component name. The complete name of a resource may be much longer when it is a file, for instance, since the name contains the whole hierarchical path of the resource in the resources tree.
- The 9 AclEntries belong to the ACS « vava », since they are listed under the « vava » node. But note that the last 2 involve objects which are owned by the ACS gred (which also appears as an open ACS in the explorer). This means that the ACS vava controls some accesses to these gred objects, which are named External objects from the vava point of view.
The last nodes in the ACS tree are used to display the External objects already shown in the AclEntries list:
This window shows the explorer when it displays the objects in the ACS « vava ». The same display appears in the ACS tree frame. The explorer shows in the expanded nodes:
- the External Eligible Parties (right user): they belong to other ACS and they have access rights provided by the ACS vava. They are displayed in three nodes: external eligible actors, external eligible userIDs and external eligible groupIDs (see terminology). Their full names (see terminology) are used.
- the External Controlled Resources (access target): they belong to other ACS and they are access targets specified by the ACS vava. They are displayed in two nodes: external controlled actors and other external controlled resources (see terminology). Their full names are used.
Create a new view
Access Road lets you define a limited set of ACS elements to put in a view, and displays in a diagram all the existing access rights between those elements.
You may create a new view, and set its name:
- Click on File/New/New View, or enter Alt F then N.
- This window appears. A default name is set for the group view; you may change it. You can't use '::' in the name.
- To go to the next field, use Tab or click on the next field.
- Set the name of the new view you want to create. You can't use '::' in the name.
- Don't fill in the third field. It is reserved for future versions.
- Click on 'OK'.
- If there is no open ACS tree frame in the GUI, the operation is stopped and an error message is displayed. Then, you should open a closed ACS, or create a new ACS, or exit the program and run it once again.
- The program displays the following window to let you select the ACS objects you want to put in the new view:
- This window appears, but it is empty at the start. You should work on the explorer, so expand its tree nodes until you can see the ACS objects you want to select. You can move this object selection window to see the explorer.
- To add an object, click on it in the explorer. It doesn't work if you click on an access control list, or on an object in the External Objects nodes. To add an external object, click on it under its own ACS node in the explorer. An access control list is directly displayed in the view if you select the two objects it involves.
- When you add an object, it is added to one of the two lists that display the selected objects. Resources are put in the ImmutableResources list, and Eligible parties are put in the ImmutableEligibleParty list. If the selected object is a kind of actor (the case of 'EXE2' here), it is put in both lists since it is both a resource and an eligible party.
- To remove a selected object from a list, select it in the list and click on the button 'Remove in lists'. If it is an actor and you have removed it from only the first of the two lists where it is displayed, the actor remains in the second list and it will be processed exactly as if it were still in the first list.
- You can't select an object O in the explorer if your last operation was to remove it from the selection list. If the removal was an error, you should select another object B in the explorer, then select O and remove B from the selection.
Then the program displays the view elements in a diagram with all the relevant access rights:
- the program saves the view in a dedicated file (its name is VIEW0_ followed by the complete view name, ended by .acr)
- the program analyzes the open ACS to search for all the direct access rights between view elements, for instance through an access control list
- the program analyzes the open ACS to search for all the indirect access rights through intermediate nodes which are not contained in the view. For instance, if an executable and a file in a Linux system are owned by the same userID, the executable has the owner rights upon the file, even if this userID is not in the view
- the program displays all the found access rights as arrows in the graphical representation of the view: see the next section.
Understand the view
A view is a diagram that displays specific information about selected base objects in open access control systems.
- This window appears. You can't move the icons in the diagram, nor interact directly with the diagram.
- The eligible parties and the resources are drawn with different icons. Here, EXE3, EXE4, GROUP_ONE and USER_ONE are eligible parties. LEAF3 is the only resource. Strictly speaking this is not exact, since EXE3 and EXE4 are actors and therefore also resources, but actors are always drawn as eligible parties.
- The arrow from EXE3 to EXE4 shows a right 'execute'. It means: EXE3 may execute EXE4, from the point of view of all the OPEN access control systems. Since the right is displayed without any comment, it comes from an access control list.
- Since 'execute' is the only displayed right, EXE3 has no other access right upon EXE4. In the same way, GROUP_ONE for instance has no direct access right on LEAF3, since there is no arrow between them. But the view shows that GROUP_ONE may read LEAF3 through EXE3 and EXE4.
- A limit of such a diagram is that the ACS can't say whether the EXE3 and EXE4 executables allow a read access to LEAF3 for any user of these programs. There are two ways to handle this: accept not to know, or model EXE3 and EXE4 as new access control systems which would take part in the global access rights analysis.
- The view shows that GROUP_ONE has an 'execute' right on EXE3. There is a comment '(hid_acl)' that may be read as 'hidden acl'. It means that there are hidden access control lists which define a path from GROUP_ONE to EXE3. These hidden acls connect objects that are not in the view.
- To know more about these hidden access control lists, click on the 'See why' button.
- By clicking on the 'See why' button, you get a text that provides a form of justification for the access rights. This text describes all the links in the view:
- This window appears. You can't modify the text.
- The view shows that GROUP_ONE has an 'execute' right on EXE3. There is a comment '(hid_acl)' that may be read as 'hidden acl'. It means that there are hidden access control lists which define a path from GROUP_ONE to EXE3. These hidden acls connect objects that are not in the view. This justification says that there is one intermediate node, DefaultIS::vava::/::EXE2, connected through aclEntries.
- To understand the terminology, see DisplayableLink and AccessControlLink.
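As an added example (not Access Road code), the following Python script models the three kinds of rights a view reports: direct AclEntries, rights through hidden acls with the '(hid_acl)' comment and the intermediate nodes that the 'See why' text lists, and Linux-like owner rights through a userID that is outside the view. The object names are the manual's (EXE3, EXE4, GROUP_ONE, USER_ONE, LEAF3, the hidden EXE2); the AclEntries, the ownerships and the rule that a hidden chain shows the right of its last hop are constructed assumptions.

```python
# Added example, not Access Road code: a toy version of the rights search a
# view performs. Object names come from the manual's sample view (EXE3, EXE4,
# GROUP_ONE, USER_ONE, LEAF3) and its hidden node EXE2; the AclEntries,
# ownerships and the labelling rule are constructed assumptions.
from collections import deque

# AclEntry: (FROM eligible party, TO resource, right, positive?)
ACL_ENTRIES = [
    ("GROUP_ONE", "EXE2", "execute", True),  # EXE2 is not in the view: hidden
    ("EXE2", "EXE3", "execute", True),
    ("EXE3", "EXE4", "execute", True),
    ("EXE4", "LEAF3", "read", True),
    ("USER_ONE", "LEAF3", "read", False),    # negative right: forbidden
]
ACTORS = {"EXE2", "EXE3", "EXE4"}            # both resource and eligible party
# Linux-like ownership; USER_TWO is a userID that is not in the view
OWNERS = {"EXE4": "USER_TWO", "LEAF3": "USER_TWO"}
VIEW = {"EXE3", "EXE4", "GROUP_ONE", "USER_ONE", "LEAF3"}
MAX_HIDDEN = 10  # the manual's limit on hidden objects per search


def positive_edges(acl):
    """Authorized entries that are not cancelled by a negative entry."""
    denied = {(f, t, r) for f, t, r, ok in acl if not ok}
    return [(f, t, r) for f, t, r, ok in acl if ok and (f, t, r) not in denied]


def hidden_links(edges, view, src, max_hidden=MAX_HIDDEN):
    """BFS from src through objects outside the view only; returns
    {(target, right): shortest chain of hidden intermediate objects}
    for every view object reached through at least one hidden object."""
    found, queue, seen = {}, deque([(src, [])]), {src}
    while queue:
        node, path = queue.popleft()
        for f, t, r in edges:
            if f != node:
                continue
            if t in view:                       # view object: stop here
                if path and (t, r) not in found:
                    found[(t, r)] = path
            elif t not in seen and len(path) < max_hidden:
                seen.add(t)
                queue.append((t, path + [t]))
    return found


def view_links(acl, owners, view):
    """{(from, to, right, comment): justification}: the arrows of a view
    and the text behind its 'See why' button, for direct AclEntries,
    hidden acl chains ('hid_acl') and shared Linux-like ownership."""
    edges = positive_edges(acl)
    links = {}
    for f, t, r in edges:                       # direct rights: no comment
        if f in view and t in view:
            links[(f, t, r, "")] = "AclEntry %s -> %s" % (f, t)
    for s in view:                              # rights through hidden acls
        for (t, r), path in hidden_links(edges, view, s).items():
            if (s, t, r, "") not in links:      # assumption: right of last hop
                links[(s, t, r, "hid_acl")] = "intermediate nodes: " + ", ".join(path)
    for actor in ACTORS & view:                 # owner rights via a userID
        for res in view:                        # that may itself be hidden
            if actor != res and owners.get(actor) and owners.get(actor) == owners.get(res):
                links[(actor, res, "owner", "owner")] = "same owner " + owners[actor]
    return links
```

Running `view_links(ACL_ENTRIES, OWNERS, VIEW)` yields the direct arrows EXE3 -> EXE4 and EXE4 -> LEAF3, the GROUP_ONE -> EXE3 'execute (hid_acl)' link justified by the intermediate node EXE2, and an owner link from EXE4 to LEAF3, but no link at all from GROUP_ONE or USER_ONE to LEAF3.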
For the moment, a view can't be closed in the program or in the explorer. But a view frame may be closed like any frame. There is no 'remove' function for views. Deleting the file l_views_v0.acr under the Access Road working directory is equivalent to removing all the registered views.
Open a closed access control system or a closed view
All the registered ACS and views are closed at the start of the program. To open one of them:
- click on File/Open/Open ACS or File/Open/Open view; a window displays the closed ACS or the closed views known by the program
- select the ACS or the view to open
- the program stops the opening of a view if it contains elements from a closed ACS
- the program doesn't display an external object of the opening ACS if this object belongs to another closed ACS
- the program updates the open entities in the explorer
- the program displays the ACS tree or the view
- the program updates the other open ACS trees if there are access control lists which link them to the newly opened ACS
Exit the program
- to exit Access Road, close the main window (click on the cross) or click on File/Exit
- the program asks whether to save. Any answer is possible, but saving is not necessary since the access control systems and the views are already saved in .acr files.
Performances
The program may open up to 20 internal frames in the main window.
A view may contain up to 15 selected objects.
The search for hidden links in a view goes through up to 10 hidden objects.
Save and restore a working space
All the ACS and the views known by the program define one working space. To save or restore it, move the following files:
- l_acs_v0.acr
- l_views_v0.acr
- all the ACS0_...acr files
- all the VIEW0_...acr files
The links between them are: each ACS0_...acr file is referenced in the file l_acs_v0.acr; each VIEW0_...acr file is referenced in the file l_views_v0.acr; each VIEW0_...acr file references one or several ACS in the file l_acs_v0.acr.
Known bugs
- it is impossible to create a new view if all the ACS-specific tree frames are closed, even if there is an open ACS in the explorer.
- when the Access Road main window is small, the internal windows for new ACS trees are not correctly displayed within the limits of the main window panel.
- the rights shown in views for group and owner relationships are sometimes false.
All registered names are trademarks of their respective owners.
Last modification: November 8, 2001