Presentation on theme: "ROLE BASED ACCESS CONTROL"— Presentation transcript:
1 ROLE BASED ACCESS CONTROL (RBAC)John BarkleyRBAC Project LeaderSoftware Diagnostics and Conformance TestingNational Institute of Standards and Technology(301)
2 ACTIVE PARTICIPANTSSDCT: Rick Kuhn, Bill Majurski,Tony Cincotta, Alan GoldfineCSD: Dave Ferraiolo, Doctor RamaswamyChandramouliGMU: Professor Ravi Sandhu, Jean ParkUM: Doctor Virgil GligorSETA: Ed Coyne, Ravi Sundaram (CRADA)VDG: Serban Gavrila (contractor)
3 ROLE BASED ACCESS CONTROL (RBAC) RBAC is an access control mechanism which:Describes complex access control policies.Reduces errors in administration.Reduces cost of administration.
4 NIST RBAC Activities NIST RBAC Model (Ferraiolo, Cugini, Kuhn) NIST RBAC Model Implementation for the WWW(RBAC/Web)Administrative tools: RBAC/Web Admin Tool & RGP-AdminFormal description of NIST RBAC Model in PVS(software specification in mathematical language)Test assertions and test softwareCost model and role engineering toolsTwo patent applications and a provisional patent application
5 INDUSTRY RECOGNITIONIBM’s patent application for IBM RBAC model cited NISTwork as “closest prior art” (now implemented by Tivoli)Sybase and Secure Computing implemented NIST RBACModelSiemens Nixdorf implemented parts of NIST RBAC Model inTrusted Web and references our work on their Web siteNIST RBAC Model included in Educom IMS SpecificationReceived 1998 Excellence in Technology Transfer Awardfrom Federal Laboratory Consortium
6 “I would like to take this opportunity to underscore Page 15 of ITL Brochure“I would like to take this opportunity to underscorethe importance and relevance of research conductedby your laboratory into Role-Based Access Control(RBAC). In the area of security one of the featuresmost requested by Sybase customers has been RBAC.They view this feature as indispensable for the effectivemanagement of large and dynamic user populations.”Thomas J. ParentyDirector, Data and Communications SecuritySybase, Inc.Emeryville, Ca.
7 RBAC MECHANISMUsers are associated with roles.Roles are associated with permissions.A user has a permission only if the user has anauthorized role which is associated withthat permission.
8 Example: The Three Musketeers (User/Permission Association) AthosAramispalaceuniformPorthosD'Artagnanweapons
9 Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
10 Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
11 Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
12 Quantifying RBAC Advantage For each job position, let:For all job positions,Number of individuals in job positionNumber of permissions required for job positionRBAC advantageRBAC advantage
13 Example: (D’Artagnon becomes a Musketeer) palaceD'ArtagnanMusketeeruniformweaponspalaceD'Artagnanuniformweapons
14 NIST RBAC ModelRole Hierarchies, e.g, teller inherits employeeConflict of Interest Constraints:Static Separation of Duty: user cannot be authorized for both roles, e.g., teller and auditorDynamic Separation of Duty: user cannot act simultaneously in both roles, e.g., teller and account holderRole Cardinality: maximum number of users authorized for role, e.g., branch manager
17 RBAC Administrative Tools RBAC Admin Tool: user/role and role/role associations (RBAC/Web, NT, RDBMS)RGP-Admin: role/permission associations (NT)AccessMgr: Manipulation of all features of Windows NT ACLsTool building with visual componentsRole Engineering and Diagnostic Tool
25 Role Engineering and Diagnostic Tool: input Number of user/permission associations: 28
26 Role Engineering Tool: role/permission output Number of role/permission associations: 8Number of associations for role hierarchy: 5
27 Role Engineering Tool: user/role output Number of user/role associations: 8Number of associations for role hierarchy: 5Number of role/permission associations: 8 (previous slide)Total associations with RBAC: 21vs.Total user/permission associations: 28(from earlier slide)