Presentation is loading. Please wait.

Presentation is loading. Please wait.

SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,

Similar presentations


Presentation on theme: "SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,"— Presentation transcript:

1 SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security, Inc. & George Mason University

2 SACMAT 03© Mohammad Al-Kahtani2 Introduction Role-Based Access Control (RBAC): A proven alternative to DAC and MAC RBAC basic components: 1. Users 2. Roles 3. Permissions Role Hierarchy Users (UA) User Assignment (PA) Permission Assignment Roles Permiss- ions

3 SACMAT 03© Mohammad Al-Kahtani3 Introduction In RBAC, user-to-role assignment is done manually. Many enterprises have huge customer bases: Banks Utilities companies Popular web sites In this environment, manual assignment becomes a formidable task. RBAC is modified to allow automatic user-role assignment based on authorization rules.

4 SACMAT 03© Mohammad Al-Kahtani4 Introduction The modified RBAC is called RB-RBAC: Rule-Based RBAC. Authorization rule structure: RB-RBAC rules are in BNF notation. Constraints Attributes Expression Roles

5 SACMAT 03© Mohammad Al-Kahtani5 RB-RBAC Model Attributes Expressions: 1. Expressed in RB-RBAC language 2. Constitute LHS of authorization rules Attributes Values: 1. Stored locally 2. Provided by attribute servers 3. Other means Attributes Expressions Users Roles Permissions Attributes values

6 SACMAT 03© Mohammad Al-Kahtani6 Analysis of RB-RBAC Seniority Relations among authorization rules Rule i : Rule j : ae i ae j Rule i Rule j Attributes Expression ae i Roles Logically implies Attributes Expression ae j

7 SACMAT 03© Mohammad Al-Kahtani7 Analysis of RB-RBAC Example: Attribute ExpressionsRolesSeniority ae 1 = Salary > 1000 Λ age > 50r1r1 ae 1 ae 2, ae 1 ae 3, ae 1 ae 4 ae 2 = Salary > 1000 Λ age > 40r2r2 ae 2 ae 4 ae 2 ae 3 ae 3 = ( Salary 1000 V age 40)r3r3 ae 3 ae 4 ae 3 ae 2 ae 4 = Salary > 400r4r4 ae 5 = Age > 60r5r5 Not related to any attribute expression

8 SACMAT 03© Mohammad Al-Kahtani8 Analysis of RB-RBAC Example: (Continued) The seniority relations among the rules is reflected as a hierarchy among the attribute expressions of the rules. These relations induced a role hierarchy (IRH) among the roles produced by these rules. ae 1 ae 3 ae 2 ae 4 ae 5

9 SACMAT 03© Mohammad Al-Kahtani9 Analysis of RB-RBAC Example: (Continued) To assemble the IRH, we say r i is senior to r j if the following holds: ( ae g ) [r i RHS(ae g ) ( ae h ) [(ae g ae h ) Λ r j RHS(ae h )]] where RHS(ae g ) is a function that returns the role set produced by attribute expression ae g. r1r1 r3r3 r2r2 r4r4 r5r5

10 SACMAT 03© Mohammad Al-Kahtani10 Analysis of RB-RBAC Example: (Continued) In assembling the IRH, roles produced by equivalent attributes expressions may be: a.Grouped under one rule (Figure a): No impact on functionality. b.Consolidated into one role (Figure b): May not always be preferred from a functional perspective. r1r1 r 2,r 3 r4r4 r5r5 (a) r1r1 r6r6 r4r4 r5r5 (b)

11 SACMAT 03© Mohammad Al-Kahtani11 Analysis of RB-RBAC Given Role Hierarchy (GRH) vs. IRH GRH reflects the current business practice of an enterprise. Inheritance of permissions flows upward in the GRH. Users inheritance flows downward in the IRH. r1r1 r6r6 r9r9 IRH r2r2 r 10 Flow of user-role inheritance: r 2 inherits r 1 r8r8 r5r5 r 11 r 12 r 13 r1r1 r3r3 r6r6 r4r4 r2r2 r7r7 GRH Flow of permission-role inheritance: r 1 inherits r 2 r5r5 r 11 r 12 r 13

12 SACMAT 03© Mohammad Al-Kahtani12 Analysis of RB-RBAC Discrepancies between IRH and GRH Ideally, IRH and GRH should be mirror images of each other. In reality, discrepancies may occur. Types of discrepancies ( using IRH as the reference ): 1.Missing Nodes 2.Additional Nodes 3.Missing Edges 4.Additional Edges 5.Inconsistency

13 SACMAT 03© Mohammad Al-Kahtani13 Analysis of RB-RBAC Discrepancies between IRH and GRH 1. Missing Nodes a.Leaf Node: r 7Leaf Node Functional Impact: None Reconciliation Measure: Delete the node and assign its permissions to its parents in GRH.

14 SACMAT 03© Mohammad Al-Kahtani14 Analysis of RB-RBAC Discrepancies between IRH and GRH 1. Missing Nodes a.Leaf Node b.Internal Node: r 3Internal Node Functional Impact: None Reconciliation Measure : Delete the node from GRH and assign its permissions to its parents

15 SACMAT 03© Mohammad Al-Kahtani15 Analysis of RB-RBAC Discrepancies between IRH and GRH 1. Missing Nodes a.Leaf Node b.Internal Node c.Stand-alone Node: r 4Stand-alone Node Functional Impact: Loss of functionality may occur. Reconciliation Measure: Modify the authorization rules via modifying the security policy.

16 SACMAT 03© Mohammad Al-Kahtani16 Analysis of RB-RBAC Discrepancies between IRH and GRH 1. Missing Nodes a.Leaf Node b.Internal Node c.Stand-alone Node d.Root Node: (assume r 1 is missing in IRH) r 1Root Node Functional Impact: Loss of r 1 functionality. Reconciliation: Modify the authorization rules via modifying the security policy.

17 SACMAT 03© Mohammad Al-Kahtani17 Analysis of RB-RBAC Discrepancies between IRH and GRH 2. Additional Nodes a.Leaf Node: r 8Leaf Node Functional Impact: None Reconciliation: Delete the node from IRH or modify GRH by adding r 8. IRH provides an insight: r8 permissions its parents permission

18 SACMAT 03© Mohammad Al-Kahtani18 Analysis of RB-RBAC Discrepancies between IRH and GRH 2. Additional Nodes a.Leaf Node b.Internal Node: r 10Internal Node Functional Impact: If r 10 has one child, then it is redundant. Reconciliation Measure: Delete r 10 from IRH and modify the policy to produce its child e.g. r 5 Or add r 10 to GRH such that: r5 permission r10 permission r2 permission If r 10 has more than one child, then add to GRH with: r 10 permissions = its childrens permissions

19 SACMAT 03© Mohammad Al-Kahtani19 Analysis of RB-RBAC Discrepancies between IRH and GRH 2. Additional Nodes a.Leaf Node b.Internal Node c.Stand-alone Node: r 9Stand-alone Node Functional Impact: None Reconciliation: Delete the node and modify the security policy so that authorization rules do not produce this role.

20 SACMAT 03© Mohammad Al-Kahtani20 Analysis of RB-RBAC Discrepancies between IRH and GRH 2. Additional Nodes a.Leaf Node b.Internal Node: c.Stand-alone Node d.Root Node: r 13Root Node Functional Impact: If r 13 has a single child, r 13 is redundant. Reconciliation: Delete r 13 from IRH, and the policy must be modified to produced its child instead. If r 13 has more than one child, then add it to GRH: r 13 permission = r 13 child nodes permissions

21 SACMAT 03© Mohammad Al-Kahtani21 Analysis of RB-RBAC Discrepancies between IRH and GRH 3.Missing Edges: r 1 - r 11Missing Edges Functional Impact: None Reconciliation: The enterprise business practice sees a functional relation between r 1 and r 11. However, the security policy does not capture this so it must be modified.

22 SACMAT 03© Mohammad Al-Kahtani22 Analysis of RB-RBAC Discrepancies between IRH and GRH 4.Additional Edges: r 1 - r 12Additional Edges Functional Impact: None Reconciliation: Modify the permissions of r 1 to include that of r 12 if the two hierarchies must be compatible.

23 SACMAT 03© Mohammad Al-Kahtani23 Analysis of RB-RBAC Discrepancies between IRH and GRH 5. Inconsistency: Normally, user-role assignment inheritance and permission-role inheritance flow in opposite directions. Figure (a): (r 2 r 3 ) r 2 users have (r 2 permissions r 3 permissions) r1r1 (a) IRH r2r2 (b) GRH r3r3 r1r1 r3r3 r2r2 (c) Consolidated IRH and GRH r1r1 r2r2 r3r3

24 SACMAT 03© Mohammad Al-Kahtani24 Analysis of RB-RBAC Discrepancies between IRH and GRH 5. Inconsistency: Figure (b): (r 2 r 3 ) r 3 users have (r 2 permissions r 3 permissions) r1r1 (a) IRH r2r2 (b) GRH r3r3 r1r1 r3r3 r2r2 (c) Consolidated IRH and GRH r1r1 r2r2 r3r3

25 SACMAT 03© Mohammad Al-Kahtani25 Analysis of RB-RBAC Discrepancies between IRH and GRH 5. Inconsistency: Figure (c): The inconsistency manifests itself in the form of double arrows heading in the same direction between r 2 and r 3. The enterprise business practice must be modified to remove this inconsistency. r1r1 (a) IRH r2r2 (b) GRH r3r3 r1r1 r3r3 r2r2 (c) Consolidated IRH and GRH r1r1 r2r2 r3r3

26 SACMAT 03© Mohammad Al-Kahtani26 Conclusion Seniority relations among authorization rules induce a role hierarchy (IRH). IRH is a useful tool to check the compliance of current business practices to a given security policy. IRH allows insight into what permissions to give to a specific role which, in turn, assists in drawing lines of responsibility and authority.


Download ppt "SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,"

Similar presentations


Ads by Google