#codingexercise
Double GetAlternateEvenNumberRangecubeRtProductSquares()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateEvenNumberRangecubeRtProductSquares();
}
Today we continue the discussion on Access Control.  We alluded to how RBAC does not adequately address a grid computing environment.  We now look at a few specific models of RBAC.
IRBAC2000 was proposed by Kapadia. Its called a role-based multi domain mutual operation model. By the dynamic mapping of roles among domains, it can solve the mutual operation between two reciprocal domains to  some extent. Roles are mapped to the corresponding local system definitions.  The mapping is dynamic and this provides flexibility.  The shortcoming is that once the mapping is done, access cannot be restricted further because it could violate the mutually exclusive roles. Say if it got mapped to one role and then we added another mutually exclusive role to the same external access, then our system would be confused.
The MDRBAC was introduced to solve this specific problem. It introduces notions such as domain agency, role mapping with time attribute, and minimized role mapping  restriction and it is applied in the access control among reciprocal domains.
The time attribute is helpful to restrict the duration for the mapping is made so that the mappings can be renewed with another or refreshed.
#codingexercise
Double GetAlternateEvenNumberRangecubeRtProduct()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateEvenNumberRangecubeRtProduct();
}

Today we continue discussing RBAC model. We discussed that it could implement both DAC and MAC. It is based on the premise of roles. User migrations are therefore easier to handle. Further, a user has to be assigned a role, the role has to be active and authorized. Permission for the object must also be authorized.
RBAC supports three security principles i.e the minimum authority principle, the responsibility separation principle, and the data abstraction principle. The minimum authority principle means that the system only assigns minimum running authority to the role, and the responsibility separation principle means that mutually exclusive roles can be activated simultaneously to complete one task. The data abstraction principle means that authority is abstracted so that it does not specify explicit operations such as read, write, create, delete etc.
RBAC became popular in the enterprise world for its ease of deployment and the controls it gave. For example, the user, role, access authority, role class, mutual exclusion, and restriction of roles simplified deployment and management. RBAC provides flexibility, convenience and security.
Access Control in the grid computing environment differs from the enterprise access control in that the there is no more a centralized entity that can support a unified and central access control mechanism. Grid computing might involve peer to peer networks or other distributed technologies where decentralized multi domain management mode may be better suited. Therefore the access control strategy should be studied based on the traditional access control model.
#codingexercise
Double GetAlternateEvenNumberRangeSqRtProductSquares()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateEvenNumberRangeSqRtProductSquares();
}

We continue our reading on the Study of Access Control Model in Information Security by Qing-Hai,Ying et al. Today we review the mention for Role Based Access Control (RBAC). DAC and MAC was not flexible to handle business changes such as adding, canceling, and merging departments, employee promotions, duty changes, etc. Instead role based access control was favored. In RBAC, authorization is mapped to roles. A user can take different roles. This effectively handles changes in the organization. Since users are not assigned rights directly but only acquire it with roles, management of individual user rights becomes a matter of assigning appropriate roles to user's accounts. The roles are classified based on the set of stabilized duties and responsibilities in the management. There are three primary rules for RBAC.
Role assigment - A subject can exercise a permission only if the subject has been selected or assigned a role.
Role authorization - A subject's active role must be authorized for the subject. i.e User cannot take any or all roles.
Permission authorization - A subject can exercise a permission only if the permission is authorized for the subject's active role. i.e the user can exercise only those permissions assigned to the role.
Roles can be hierarchical in which a higher level role assumes all that comes with the lower level role.
With a hierarchical role and constraints, an RBAC can be controlled to simulate a Lattice Based Access Control. Thus RBAC can also be used to implement DAC and MAC.
A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles.
RBAC is not the same as ACLs.  RBAC differs from access control lists in that RBAC assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. An ACL may control how whether a file can be read or written but it cannot say how the file can be changed. RBAC lends more meaning to the operations in the organization. It can be used to achieve a Separation of Duties which ensures that two or more people must be involved in authorizing critical operations SoD is used where no individual should be able to effect a breach of security through dual privilege.

After reviewing the DAC data structures, today we read the Mandatory Access Control. Because DAC could not effectively control the information flow direction of the system, a Lattice model was proposed which was extended to form the MAC strategy.  It can be considered stricter than DAC. Each user and resource is attributed with a security class. User could not change his or her security class and only the admin can. Access is granted based on the security class of the user and the security class of the resource. The users security level must be greater than or equal to that of the object. The security class are top secret (TS), secret (S), confidential(C), restricted(U) and is progressively less stricter in that order. When two objects are to be accessed by the user, the objects are combined to form a third object and its security level is set as the meet of the levels of the two individual objects, hence the use of a lattice. A lattice is a partially ordered set in which every two elements have a unique and least upper bound as well as a unique and greatest lower bound. An example is say natural numbers ordered by divisibility where the lowest join is the least common multiple and the greatest meet is the greatest common divisor. Every non-empty finite subset of a lattice has a join or a meet. Using the commutative, associative, absorption and idempotent laws, a lattice can be used to combine two elements.  A bounded lattice is one where the join is 0 and the meet is 1. By governing the information flow to be acyclic and single-direction, the model attempts to prevent security holes arising from conflicting and permissive policy. But the lattice model is a coarse security control scheme. It lacks flexibility and is not convenient in practice. The deployment and documentation of the security class can be confusing. It is generally applied in scenarios where the security rules are definite and the flow is relatively fixed.
For example, in the military, the Bell-LaPadula model is often used. It is based on several properties. The star property also called the containment level, which states that an untrustworthy user can only write to objects whose security level is greater than or equal to their own. This means that information leakage is prevented where someone with a high clearance shares it with others. It includes what is known as a simple property where a user can read data only if the data's security level is as sensitive or less than the clearance level. It also includes a tranquility property which states that the security level of an object cannot be changed while it is in use by the computer system.
#codingexercise
Double GetAlternateEvenNumberRangeProductCubes()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateEvenNumberRangeProductCubes();
}

Today  we discuss the paper on the Study of the Access Control Model in information security by Qing hai, Ying et al.  This paper compares and contrasts different access control mechanism, models and instruments specifically access control lists, access control capabilities list, mandatory access control policy, role-based control model and access control in Grid environment. They discuss this in the context of network security. Access control here is about the principals involved, their access and the permissions associated with a resource. The paper talks about three different modes, the discretionary access control (DAC), the mandatory access control (MAC) and the role based access control model (RBAC). DAC permits legal users to access the regulated objects by the identity of the user or user group. In addition users may delegate their authority to other users in a discretionary manner.  This used to exist on all flavors of UNIX, NT/Server etc. The system used to identify the user and then limit access to resources that the user can have access to.The resources that the user can access can be change by any member of a privileged user group.  It is implemented using an access control matrix, an access control list, and an access control capabilities list. The access control matrix is a two-dimensional matrix representing principals such as users, programs and user-agents versus the resources such as documents and services.The cells are filled with authorization permission. This matrix is very flexible to implement DAC. At the same time it suffers from the downsides that it cannot be transmitted and it may affect performance if its size is too big. Space and speed may degrade as the matrix grows. An Access Control List is a linked list of permissions for each principal against a resource.  This is probably the most prevalent mechanism and it is simple, convenient and practical.  An Access Control Capabilities list is also a linked list that subjoins the users list with the objects list so that for a given user, its ACCL describes the objects it has permissions to. Note that ACL was about an object and the users that have access to it. An ACCL determines the capabilities of a  user. Capability can be transferred. The capabilities list is generally considered insecure because by transferring capabilities the resource is not consulted and may lead to unauthorized access of a resource. Both lists suffer from the problem that they can grow to be arbitrarily large depending on the number of users and resources.

We were discussing the Hearst paper on Text Data Mining. In the section on LINDI project, we talked about a facility for users to build and reuse sequences of query operations. In the gene example, this lets the user to specify a sequence of operations to one co-expressed gene and then iterate this sequence over  list of other co-expressed genes, The interface allows the following operations : iteration, transformation ,ranking, selection and reduction. The ability to record and modify sequences of actions is important because there is no predetermined exploration strategy because this is a new area.When strategies are found to be successful, then they can be considered for automation. Before that, if there are enough strategies then they can be used in an advisory or an assistant mode. The emphasis of this system is to help automate the tedious part of the text manipulation process and to integrate underlying computationally driven text analysis with human guided decision making.
To summarize, large online text collections can be used to discover new facts and trends.
#codingexercise
Double GetAlternateEvenNumberRangeProductSqRtCubes()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateEvenNumberRangeProductSqRtCubes();
}
Tomorrow we discuss Two-layered Access control for Storage Area Network.

#codingexercise
Double GetAlternateOddNumberRangeProductSqRtCubes()(Double [] A)
{
if (A == null) return 0;
Return A.AlternateOddNumberRangeProductSqRtCubes();
}
Today we continue our discussion on Hearst's paper on text data mining. We were discussing the LINDI project. The objectives of the LINDI project are to investigate how researchers can use large text collections in the discovery of new important information, and to build software systems to support this process. The main tools for discovering new information are of two types: 1) support for issuing sequences of queries and related operations across text collections. and 2) tightly coupled statistical and visualization tools for examination of association among concepts that co-occur within retrieved documents. Both set of tools make use of attributes associated with text collections and their metadata. That is why integration is recommended between the tools.
User and system interact iteratively. System proposes new hypotheses and strategies for investigating these hypotheses, and the user either uses or ignores these suggestions and decides on the next move.
In this project, newly sequenced genes are discovered by automation. Human genome researchers perform experiments in which they analyze co-expression of many new and known genes simultaneously. Given this, the goal is to determine which of the new ones are interesting. The strategy is to explore biomedical literature and come up with hypotheses about which genes are of interest.
In tasks like this, the user has to execute and keep track of tactical moves and repeat them often distracting from reasonings. This project provides a facility for users to build and so reuse sequences of query operations via a drag and drop interface. They allow the users to repeat the same sequence of actions for different queries.
The operations include :
Iteration of an operation over the items in a  set.
applying an operation and returning a transformed item.
applying an operation and returning an ordered set of items.
applying an operation and returning a selected set of items
applying an operation and returning a singleton result.