Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

Published byMyron Carr Modified over 8 years ago

Similar presentations

Presentation on theme: "1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!"— Presentation transcript:

1 1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact! Institute for Cyber Security

2  Motivation  Background  Proposed Approach  Discussion and Future Work 2 World-Leading Research with Real-World Impact! Outline

3  Attribute Based Access Control provide flexibility and scalabilities for distributed access control  Role based trust management (RT)[Oakland02]  Unified ABAC model (ABAC-alpha) [DBSEC12]  Attribute based Encryption (ABE) [CCS06]  Usage control model (UCON) [TISSEC]  Logical based framework for ABAC [FMSE04], etc.  What is user attribute(credential, certificate, etc.)?  Name, address, country…  ID, clearance… 3 World-Leading Research with Real-World Impact! Motivation

4  Much effort in how to use and store user attributes.  Authorization policy evaluate attribute of subject and object in the request ( s, o ) (ABAC-ALPHA,UCON, Logical based framework for ABAC)  Attribute Encryption (ABE,PKI)  Industry Implementation Standard (XACML, SAML, etc.)  Not enough on user attribute management  Who is authorized to assign user attributes?  Who is authorized to assign value for Salary(Alice)?  Can Bob say that Salary(Alice)=3000?  How should permissions be assigned to administrators?  Manually one by one? No! 4 World-Leading Research with Real-World Impact! Motivation

5 5 World-Leading Research with Real-World Impact! Motivation  Effective user attribute administration model needed  Ease of Administration one of desired features  Role based Access Control  Good candidate for user attribute Administration  Proved ease of administration  Efficient safety analysis  Sizable literature, etc. Users ROLES Permissions E.g. ProgramManager E.g. Assign Alice’s salary to 3000, 6000 9000

6  User role assignment model (URA97) Can_assign( administration role, prerequisite role, role range notation ) Can_revoke(administration role, role range notation )  User attributes  Atomic: User can only have one value for this kind of attribute. E.g. user id, clearance, etc.  Set: User can be assigned multiple values. E.g. role, phonenumber, etc.  Range(ua), attType(ua) 6 World-Leading Research with Real-World Impact! Background

7 7 World-Leading Research with Real-World Impact! Proposed Approach  Generalize Role as one of user attributes  Difference between role and user attribute  Role represents permissions while attributes do not (Alice’s role is Program Chair VS Alice’s age is 23)  Role has hierarchy while attribute may not (Role: CEO is senior role of employee. Attribute: Address)  Difference between atomic user attributes and set-valued user attributes  Assign new value to atomic user attribute automatically remove old value  Add new values to set-valued attribute does not guarantee permissions to delete existing attribute values.

8  Permissions to each administrative role  Add value to set-valued user attributes  Delete value from set-valued attributes  Assign value to atomic-valued attributes  Specify the three permission sets for each role  Add value to set-valued user attributes  Delete value from set-valued attributes  Assign value to atomic-valued attributes 8 World-Leading Research with Real-World Impact! Proposed Approach

9 9 World-Leading Research with Real-World Impact! Proposed Approach(GURA 0 )  Add values to set-valued user attributes: AR : set of administrative roles SUA: set of set-valued user attributes EXPR(sua): logical expression composed of user attribute sua

10 10 World-Leading Research with Real-World Impact! Proposed Approach(GURA 0 )  Delete values from set-valued user attributes: AR: set of administrative roles SUA: set of set-valued user attribute EXPR(sua): logical expression composed of user attribute sua

11 11 World-Leading Research with Real-World Impact! Proposed Approach(GURA 0 )  Assign value to atomic-valued user attributes: AR : set of administrative roles AUA: set of atomic-valued user attributes EXPR(aua): logical expression composed of user attribute aua

12 12 World-Leading Research with Real-World Impact! Language  Common Expression Language  Example: set-valued attributes in GURA 0 EXPR(SUA) is specified using an instance of the above language where

13 13 World-Leading Research with Real-World Impact! Example Employee InvolvedProject Salary PrjLeader1PrjLeader2 PrjManager HumanResourceManager Administrative RolesUsers And User Attributes Add Employee to prj1 and prj2 but not both Add Employee who is not involved in prj2 to prj1 Add Employee who is not involved in prj1 to prj2 Promote the salary of employee whose salary is less than 2000 to 3000, 6000 or 9000

14 14 World-Leading Research with Real-World Impact! Example Employee InvolvedProject Salary PrjLeader1PrjLeader2 PrjManager HumanResourceManager Administrative RolesUsers And User Attribute Add Employee who is not involved in prj2 to prj1 Add Employee who is not involved in prj1 to prj2 Promote the salary of employee whose salary is less than 2000 to 3000, 6000 or 9000

15 15 World-Leading Research with Real-World Impact! Example Employee InvolvedProject Salary PrjLeader1PrjLeader2 PrjManager HumanResourceManager Administrative RolesUsers And User Attribute Add Employee who is not involved in prj1 to prj2 Promote the salary of employee whose salary is less than 2000 to 3000, 6000 or 9000

16 16 World-Leading Research with Real-World Impact! Example Employee InvolvedProject Salary PrjLeader1PrjLeader2 PrjManager HumanResourceManager Administrative RolesUsers And User Attribute Promote the salary of employee whose salary is less than 2000 to 3000, 6000 or 9000

17 17 World-Leading Research with Real-World Impact! Example Employee InvolvedProject Salary PrjLeader1PrjLeader2 PrjManager HumanResourceManager Administrative RolesUsers And User Attribute

18 18 World-Leading Research with Real-World Impact! Proposed Approach(GURA 1 )  Limited Expressive Power  Expression(ua) ONLY composed using the user attribute in context is not enough. Example: PrjLeader1 is only authorized to add employee whose experience with Java is more than 3 years and whose skills include C++.  Least Privilege is not achieved  Expression(ua) CAN NOT restrict users to the least set. Need other user attributes to compose the expression.

19 19 World-Leading Research with Real-World Impact! Proposed Approach(GURA 1 )  Further Generalization EXPR(UA): logical expression composed of all user attribute ua in UA

20 Proposed Approach(GURA 1 )  Further Generalization for GURA 1 :

21 21 World-Leading Research with Real-World Impact! Example  Example using GURA 1

22 22 World-Leading Research with Real-World Impact! Discussions and Future Work  Advantages  Advantages of RBAC inherited  Limitations  Awkward for distributed administration of user attributes  For fine-grained user attribute administration, many roles with slight different set of permissions need to defined.  Future Work  Delegation  Attribute based user attribute management

23 23 World-Leading Research with Real-World Impact! Any Questions? Institute for Cyber Security

Download ppt "1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!"

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Institute for Cyber Security

Institute for Cyber Security
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Institute for Cyber Security

Institute for Cyber Security
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.

1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.

11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.

Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.

1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.

Similar presentations

Ads by Google