Presentation on theme: "ROLE BASED ACCESS CONTROL"— Presentation transcript:
1ROLE BASED ACCESS CONTROL (RBAC)John BarkleyRBAC Project LeaderSoftware Diagnostics and Conformance TestingNational Institute of Standards and Technology(301)
2ACTIVE PARTICIPANTSSDCT: Rick Kuhn, Bill Majurski,Tony Cincotta, Alan GoldfineCSD: Dave Ferraiolo, Doctor RamaswamyChandramouliGMU: Professor Ravi Sandhu, Jean ParkUM: Doctor Virgil GligorSETA: Ed Coyne, Ravi Sundaram (CRADA)VDG: Serban Gavrila (contractor)
3ROLE BASED ACCESS CONTROL (RBAC) RBAC is an access control mechanism which:Describes complex access control policies.Reduces errors in administration.Reduces cost of administration.
4NIST RBAC Activities NIST RBAC Model (Ferraiolo, Cugini, Kuhn) NIST RBAC Model Implementation for the WWW(RBAC/Web)Administrative tools: RBAC/Web Admin Tool & RGP-AdminFormal description of NIST RBAC Model in PVS(software specification in mathematical language)Test assertions and test softwareCost model and role engineering toolsTwo patent applications and a provisional patent application
5INDUSTRY RECOGNITIONIBM’s patent application for IBM RBAC model cited NISTwork as “closest prior art” (now implemented by Tivoli)Sybase and Secure Computing implemented NIST RBACModelSiemens Nixdorf implemented parts of NIST RBAC Model inTrusted Web and references our work on their Web siteNIST RBAC Model included in Educom IMS SpecificationReceived 1998 Excellence in Technology Transfer Awardfrom Federal Laboratory Consortium
6“I would like to take this opportunity to underscore Page 15 of ITL Brochure“I would like to take this opportunity to underscorethe importance and relevance of research conductedby your laboratory into Role-Based Access Control(RBAC). In the area of security one of the featuresmost requested by Sybase customers has been RBAC.They view this feature as indispensable for the effectivemanagement of large and dynamic user populations.”Thomas J. ParentyDirector, Data and Communications SecuritySybase, Inc.Emeryville, Ca.
7RBAC MECHANISMUsers are associated with roles.Roles are associated with permissions.A user has a permission only if the user has anauthorized role which is associated withthat permission.
8Example: The Three Musketeers (User/Permission Association) AthosAramispalaceuniformPorthosD'Artagnanweapons
9Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
10Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
11Example: The Three Musketeers (RBAC)AthospalacePorthosMusketeerAramisuniformD'ArtagnanweaponsAthosAramispalaceuniformPorthosD'Artagnanweapons
12Quantifying RBAC Advantage For each job position, let:For all job positions,Number of individuals in job positionNumber of permissions required for job positionRBAC advantageRBAC advantage
13Example: (D’Artagnon becomes a Musketeer) palaceD'ArtagnanMusketeeruniformweaponspalaceD'Artagnanuniformweapons
14NIST RBAC ModelRole Hierarchies, e.g, teller inherits employeeConflict of Interest Constraints:Static Separation of Duty: user cannot be authorized for both roles, e.g., teller and auditorDynamic Separation of Duty: user cannot act simultaneously in both roles, e.g., teller and account holderRole Cardinality: maximum number of users authorized for role, e.g., branch manager
17RBAC Administrative Tools RBAC Admin Tool: user/role and role/role associations (RBAC/Web, NT, RDBMS)RGP-Admin: role/permission associations (NT)AccessMgr: Manipulation of all features of Windows NT ACLsTool building with visual componentsRole Engineering and Diagnostic Tool
25Role Engineering and Diagnostic Tool: input Number of user/permission associations: 28
26Role Engineering Tool: role/permission output Number of role/permission associations: 8Number of associations for role hierarchy: 5
27Role Engineering Tool: user/role output Number of user/role associations: 8Number of associations for role hierarchy: 5Number of role/permission associations: 8 (previous slide)Total associations with RBAC: 21vs.Total user/permission associations: 28(from earlier slide)