Role-Based Access Control
Prof. Ravi Sandhu, George Mason University and NSD Security
SACMAT 2003



Slide 2: ACCESS CONTROL MODELS (© Ravi Sandhu 2003)
- DAC: Discretionary Access Control, 1971. Source: academia and research laboratories. Predominant in commercial systems in the pre-RBAC era, in many flavors; continues to influence modern RBAC systems.
- MAC: Mandatory Access Control, 1971. Source: military and national security. Not widely used even by the military.
- DTE: Domain and Type Enforcement, 1985. Source: by-product of MAC. Still around in niche situations, mostly US-military funded.
- CPM: Controlled Propagation Models, 1976. Source: academic theoreticians (including myself). No real implementations.
- CW: Clark-Wilson, 1987. Source: commercial sector. No real implementations.
- RBAC: Role-Based Access Control, 1992. Source: commercial sector. Becoming dominant; needs additional work to keep it viable.

Slide 3: ACCESS CONTROL MODELS
- RBAC: role-based, policy neutral
- DAC: identity-based, owner-controlled
- MAC: lattice-based, label-controlled

Slide 4: THE OM-AM WAY
[Figure: four layers. Objectives and Model answer "What?"; Architecture and Mechanism answer "How?"; Assurance spans all four layers.]

Slide 5: OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
[Figure: the OM-AM layers applied to RBAC. What: Objectives = policy neutral; Model = RBAC96. How: Architecture = user-pull, server-pull, etc.; Mechanism = certificates, tickets, PACs, etc. Assurance spans all layers.]

Slide 6: The RBAC96 Model (section title)

Slide 7: ROLE-BASED ACCESS CONTROL (RBAC)
- A user's permissions are determined by the user's roles rather than by identity or clearance
- roles can encode arbitrary attributes
- multi-faceted: ranges from very simple to very sophisticated

Slide 8: WHAT IS THE POLICY IN RBAC?
- RBAC is a framework to help in articulating policy
- The main point of RBAC is to facilitate security management

Slide 9: RBAC SECURITY PRINCIPLES
- least privilege
- separation of duties
- separation of administration and access
- abstract operations

Slide 10: RBAC96 (IEEE Computer, Feb. 1996)
- Policy neutral
- can be configured to do MAC: roles simulate clearances (ESORICS 96)
- can be configured to do DAC: roles simulate identity (RBAC98)

Slide 11: WHAT IS RBAC?
- multidimensional
- open ended
- ranges from simple to sophisticated

Slide 12: RBAC CONUNDRUM
- turn on all roles all the time
- turn on one role only at a time
- turn on a user-specified subset of roles

Slide 13: RBAC96 FAMILY OF MODELS
[Figure: RBAC0 (basic RBAC) at the bottom; RBAC1 (role hierarchies) and RBAC2 (constraints) above it; RBAC3 (role hierarchies + constraints) at the top, combining both.]

Slide 14: RBAC0
[Figure: USERS, ROLES and PERMISSIONS, linked by user-role assignment and permission-role assignment; SESSIONS belong to a user and activate a subset of that user's roles.]

Slide 15: PERMISSIONS
- Primitive permissions: read, write, append, execute
- Abstract permissions: credit, debit, inquiry

Slide 16: PERMISSIONS
- System permissions: Auditor
- Object permissions: read, write, append, execute, credit, debit, inquiry

Slide 17: PERMISSIONS
- Permissions are positive
- No negative permissions or denials: negative permissions and denials can be handled by constraints
- No duties or obligations: outside the scope of access control

Slide 18: ROLES AS POLICY
- A role brings together a collection of users and a collection of permissions
- These collections will vary over time
- A role has significance and meaning beyond the particular users and permissions brought together at any moment

Slide 19: ROLES VERSUS GROUPS
- Groups are often defined as a collection of users
- A role is a collection of users and a collection of permissions
- Some authors define a role as a collection of permissions

Slide 20: USERS
- Users are human beings or other active agents
- Each individual should be known as exactly one user

Slide 21: USER-ROLE ASSIGNMENT
- A user can be a member of many roles
- Each role can have many users as members

Slide 22: SESSIONS
- A user can invoke multiple sessions
- In each session a user can invoke any subset of the roles that the user is a member of

Slide 23: PERMISSION-ROLE ASSIGNMENT
- A permission can be assigned to many roles
- Each role can have many permissions

Slide 24: MANAGEMENT OF RBAC
- Option 1: user-role assignment and permission-role assignment can be changed only by the chief security officer
- Option 2: use RBAC to manage RBAC

Slide 25: RBAC1
[Figure: the RBAC0 diagram (USERS, ROLES, PERMISSIONS, SESSIONS, user-role and permission-role assignment) extended with ROLE HIERARCHIES on the roles.]

Slide 26: HIERARCHICAL ROLES
[Figure: Health-Care Provider is the most junior role; Physician is senior to it; Primary-Care Physician and Specialist Physician are each senior to Physician.]

Slide 27: HIERARCHICAL ROLES
[Figure: Engineer is the most junior role; Hardware Engineer and Software Engineer are each senior to Engineer; Supervising Engineer is senior to both.]

Slide 28: PRIVATE ROLES
[Figure: the Engineer hierarchy of slide 27, plus a private Hardware Engineer role and a private Software Engineer role, each senior to its shared counterpart but not inherited by Supervising Engineer.]

Slide 29: EXAMPLE ROLE HIERARCHY
[Figure: Employee (E) at the bottom, Engineering Department (ED) above it. Project 1: Engineer 1 (E1) above ED; Production 1 (P1) and Quality 1 (Q1) above E1; Project Lead 1 (PL1) above both. Project 2 mirrors this with E2, P2, Q2 and PL2. Director (DIR) at the top, senior to PL1 and PL2.]

Slide 30: EXAMPLE ROLE HIERARCHY
[Figure: the hierarchy of slide 29 without the Director (DIR) role: E, ED, and the two project sub-hierarchies E1 < P1, Q1 < PL1 and E2 < P2, Q2 < PL2.]

Slide 31: EXAMPLE ROLE HIERARCHY
[Figure: the hierarchy of slide 29 without the Employee (E) and Engineering Department (ED) roles: the two project sub-hierarchies E1 < P1, Q1 < PL1 and E2 < P2, Q2 < PL2, with Director (DIR) on top.]

Slide 32: EXAMPLE ROLE HIERARCHY
[Figure: only the two project sub-hierarchies, E1 < P1, Q1 < PL1 and E2 < P2, Q2 < PL2, with neither E/ED below nor DIR above.]

Slide 33: RBAC3
[Figure: the RBAC1 diagram (USERS, ROLES, PERMISSIONS, SESSIONS, user-role and permission-role assignment, ROLE HIERARCHIES) with CONSTRAINTS applying to all components.]

Slide 34: CONSTRAINTS: Mutually Exclusive Roles
- Static exclusion: the same individual can never hold both roles
- Dynamic exclusion: the same individual can never hold both roles in the same context

Slide 35: CONSTRAINTS: Mutually Exclusive Permissions
- Static exclusion: the same role should never be assigned both permissions
- Dynamic exclusion: the same role can never hold both permissions in the same context

Slide 36: CONSTRAINTS: Cardinality Constraints on User-Role Assignment
- At most k users can belong to the role
- At least k users must belong to the role
- Exactly k users must belong to the role

Slide 37: CONSTRAINTS: Cardinality Constraints on Permission-Role Assignment
- At most k roles can get the permission
- At least k roles must get the permission
- Exactly k roles must get the permission
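The RBAC0 to RBAC3 constructs of slides 14 to 37 (users, roles, permissions, sessions that activate a subset of a user's roles, a role hierarchy with permission inheritance, and static and dynamic mutually exclusive roles) in one small engine, as an added example that is not the slides' own code. The hierarchy is the slides' Engineering Department example; the users and the permissions (`inquiry`, `debit`, `credit`, and a hypothetical `approve`) are constructed here.

```python
# Added example, not from the slides: RBAC96 core (RBAC0 + hierarchy + SoD).
JUNIORS = {"DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
           "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
           "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}}
PERM_ROLE = {"E": {"inquiry"}, "P1": {"debit"}, "Q1": {"credit"},  # PA, abstract perms
             "PL1": {"approve"}}                                   # (constructed)
STATIC_SOD = [{"P1", "Q1"}]     # slide 34: the same user never holds both
DYNAMIC_SOD = [{"PL1", "PL2"}]  # slide 34: never both active in one session

def inherited(role):
    """RBAC1: the role plus every junior whose permissions it inherits."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(JUNIORS.get(r, ()))
    return seen

def permissions_of(roles):
    return {p for r in roles for j in inherited(r) for p in PERM_ROLE.get(j, ())}

class RBAC:
    def __init__(self):
        self.user_roles = {}  # UA: user -> explicitly assigned roles
        self.sessions = {}    # session id -> (user, activated roles)

    def assign(self, user, role):
        """User-role assignment, refused on a static exclusion conflict."""
        held = self.user_roles.setdefault(user, set())
        for pair in STATIC_SOD:
            if role in pair and held & (pair - {role}):
                raise PermissionError(f"static SoD: {user} may not hold {sorted(pair)}")
        held.add(role)

    def open_session(self, sid, user, roles):
        """Slide 22: activate any subset of the user's roles, subject to dynamic SoD."""
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not a member of every role in {sorted(roles)}")
        for pair in DYNAMIC_SOD:
            if pair <= roles:
                raise PermissionError(f"dynamic SoD: {sorted(pair)} may not be co-active")
        self.sessions[sid] = (user, roles)

    def check(self, sid, perm):
        """Access decision: perm must be reachable from the session's active roles."""
        _, active = self.sessions[sid]
        return perm in permissions_of(active)
```

Static exclusion is checked on explicit membership only (a PL1 member still inherits both P1 and Q1 permissions), which is the same rule the URA97 prerequisite "ED & not P1" expresses later in the deck.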

Slide 38: RBAC-MAC-DAC (section title)

Slide 39: RBAC96
[Figure: the full RBAC96 diagram: USERS, ROLES, PERMISSIONS, SESSIONS, user-role and permission-role assignment, ROLE HIERARCHIES and CONSTRAINTS.]

Slide 40: LBAC: LIBERAL *-PROPERTY
[Figure: security lattice with H at the top, M1 and M2 incomparable in the middle, and L at the bottom. Arrows show read permitted downward (-) and write permitted upward (+).]

Slide 41: RBAC96: LIBERAL *-PROPERTY
[Figure: two role hierarchies. Read roles HR > M1R, M2R > LR mirror the lattice; write roles LW > M1W, M2W > HW invert it. Read flows down (-), write flows up (+).]

Slide 42: RBAC96: LIBERAL *-PROPERTY
- user in xR: the user has clearance x
- user in LW: independent of clearance
- Need constraints:
  - session activates xR iff session activates xW
  - read can be assigned only to xR roles
  - write can be assigned only to xW roles
  - (O,read) assigned to xR iff (O,write) assigned to xW
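The slide 41/42 construction worked through, as an added example that is not from the slides: one read role xR and one write role xW per lattice level, the two hierarchies of slide 41 derived from the lattice of slide 40, and the four constraints above enforced at session activation and permission-role assignment. The objects and their labels are constructed.

```python
# Added example, not from the slides: LBAC's liberal *-property via RBAC96.
# Lattice of slide 40: H above M1 and M2 (incomparable), both above L.
DOMINATES = {"L": set(), "M1": {"L"}, "M2": {"L"}, "H": {"L", "M1", "M2"}}

def dom(x, y):
    """x >= y in the lattice."""
    return x == y or y in DOMINATES[x]

def user_roles(clearance):
    """UA: a user cleared to x is assigned xR; every user is assigned LW."""
    return {clearance + "R", "LW"}

def junior_roles(role):
    """Role hierarchies of slide 41: xR >= yR iff x >= y (read down);
    xW >= yW iff y >= x, so LW is the top of the write hierarchy (write up)."""
    x, kind = role[:-1], role[-1]
    if kind == "R":
        return {y + "R" for y in DOMINATES if dom(x, y)}
    return {y + "W" for y in DOMINATES if dom(y, x)}

def perm_roles(objects):
    """PA constraints: (O,read) goes only to lambda(O)R, (O,write) only to
    lambda(O)W, and the two are always assigned as a pair."""
    pa = {}
    for obj, label in objects.items():
        pa.setdefault(label + "R", set()).add((obj, "read"))
        pa.setdefault(label + "W", set()).add((obj, "write"))
    return pa

def session_perms(clearance, x, objects):
    """A session at level x activates {xR, xW} (the 'xR iff xW' constraint).
    Returns its permissions, or None if the user is not authorised for xR."""
    active = {x + "R", x + "W"}
    authorised = set().union(*(junior_roles(r) for r in user_roles(clearance)))
    if not active <= authorised:
        return None
    pa = perm_roles(objects)
    return {p for r in active for j in junior_roles(r) for p in pa.get(j, ())}

# constructed objects, one per label
OBJECTS = {"o_L": "L", "o_M1": "M1", "o_M2": "M2", "o_H": "H"}
```

A user cleared to H who opens a session at M1 can read o_L and o_M1 and write o_M1 and o_H, but cannot touch o_M2: exactly the liberal *-property of slide 40.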

Slide 43: DAC IN RBAC
- Each user can create discretionary roles for assigning grantable permissions
- For true DAC, grantable permissions are needed for each object owned by the user

Slide 44: Administrative RBAC: ARBAC97 (section title)

Slide 45: SCALE AND RATE OF CHANGE
- roles: 100s or 1000s
- users: 1000s or 10,000s or more
- Frequent changes to user-role assignment and permission-role assignment
- Less frequent changes to the role hierarchy

Slide 46: ADMINISTRATIVE RBAC
[Figure: the regular USERS, ROLES and PERMISSIONS alongside ADMIN ROLES and ADMIN PERMISSIONS; a CAN-MANAGE relation links administrative roles to the regular roles they control.]

Slide 47: ARBAC97 DECENTRALIZES
- user-role assignment (URA97)
- permission-role assignment (PRA97)
- role-role hierarchy:
  - groups, or user-only roles (extend URA97)
  - abilities, or permission-only roles (extend PRA97)
  - UP-roles, or user-and-permission roles (RRA97)

Slide 48: ADMINISTRATIVE RBAC
[Figure: the RBAC96 family (RBAC0, RBAC1, RBAC2, RBAC3) beside a matching administrative family (ARBAC0, ARBAC1, ARBAC2, ARBAC3).]

Slide 49: EXAMPLE ROLE HIERARCHY
[Figure: the hierarchy of slide 29: E < ED; Project 1: E1 < P1, Q1 < PL1; Project 2: E2 < P2, Q2 < PL2; DIR senior to PL1 and PL2.]

Slide 50: EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
[Figure: Senior Security Officer (SSO) at the top; Department Security Officer (DSO) below it; Project Security Officer 1 (PSO1) and Project Security Officer 2 (PSO2) below DSO.]

Slide 51: URA97 GRANT MODEL: can-assign
Admin role | Prerequisite role | Role range
PSO1 | ED | [E1, PL1)
PSO2 | ED | [E2, PL2)
DSO | ED | (ED, DIR)
SSO | E | [ED, ED]
SSO | ED | (ED, DIR]

Slide 52: URA97 GRANT MODEL: can-assign
Admin role | Prerequisite condition | Role range
PSO1 | ED | [E1, E1]
PSO1 | ED & ¬P1 | [Q1, Q1]
PSO1 | ED & ¬Q1 | [P1, P1]
PSO2 | ED | [E2, E2]
PSO2 | ED & ¬P2 | [Q2, Q2]
PSO2 | ED & ¬Q2 | [P2, P2]

Slide 53: URA97 GRANT MODEL
- redundant assignments to senior and junior roles are allowed
- they are useful

Slide 54: URA97 REVOKE MODEL: WEAK REVOCATION
- revokes explicit membership in a role
- independent of who did the assignment

Slide 55: URA97 REVOKE MODEL: STRONG REVOCATION
- revokes explicit membership in a role and its seniors
- authorized only if the corresponding weak revokes are authorized
- alternatives: all-or-nothing, or revoke within range

Slide 56: URA97 REVOKE MODEL: can-revoke
Admin role | Role range
PSO1 | [E1, PL1)
PSO2 | [E2, PL2)
DSO | (ED, DIR)
SSO | [ED, DIR]

Slide 57: PERMISSION-ROLE ASSIGNMENT
- dual of user-role assignment
- can-assign-permission
- can-revoke-permission: weak revoke; strong revoke (propagates down)

Slide 58: PERMISSION-ROLE ASSIGNMENT: CAN-ASSIGN-PERMISSION
Admin role | Prerequisite condition | Role range
PSO1 | PL1 | [E1, PL1)
PSO2 | PL2 | [E2, PL2)
DSO | E1 & E2 | [ED, ED]
SSO | PL1 & PL2 | [ED, ED]
SSO | ED | [E, E]

Slide 59: PERMISSION-ROLE ASSIGNMENT: CAN-REVOKE-PERMISSION
Admin role | Role range
PSO1 | [E1, PL1]
PSO2 | [E2, PL2]
DSO | (ED, DIR)
SSO | [ED, DIR]
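The URA97 decision rules of slides 51 to 56 (can-assign with prerequisite conditions and role ranges, weak and strong revocation) as an added example that is not from the slides; PRA97 (slides 57 to 59) is its dual, with the same range and closure logic applied to permissions instead of users. The can-assign rows are PSO1's from slide 52 plus DSO's and SSO's from slide 51 (the PSO2 rows are omitted for space); the users are constructed.

```python
# Added example, not from the slides: URA97 can-assign / can-revoke decisions
# over the slides' example hierarchies. Prerequisite conditions are sets of
# (role, must_be_member) pairs: "ED & not P1" -> {("ED", True), ("P1", False)}.
JUNIORS = {"DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
           "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
           "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}}
ADMIN_JUNIORS = {"SSO": {"DSO"}, "DSO": {"PSO1", "PSO2"}}   # slide 50
# rows: (admin role, prerequisite condition, (low, high, low_closed, high_closed))
CAN_ASSIGN = [
    ("PSO1", {("ED", True)}, ("E1", "E1", True, True)),
    ("PSO1", {("ED", True), ("P1", False)}, ("Q1", "Q1", True, True)),
    ("PSO1", {("ED", True), ("Q1", False)}, ("P1", "P1", True, True)),
    ("DSO", {("ED", True)}, ("ED", "DIR", False, False)),
    ("SSO", {("E", True)}, ("ED", "ED", True, True)),
]
CAN_REVOKE = [("PSO1", ("E1", "PL1", True, False)),          # slide 56
              ("DSO", ("ED", "DIR", False, False)), ("SSO", ("ED", "DIR", True, True))]

def juniors(role, graph=JUNIORS):
    """The role plus everything junior to it (transitive closure of the hierarchy)."""
    out, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(graph.get(r, ()))
    return out

def in_range(role, rng):
    low, high, low_closed, high_closed = rng
    return (low in juniors(role) and (low_closed or role != low)
            and role in juniors(high) and (high_closed or role != high))

def members(explicit):
    """Implicit membership: being in a role implies membership in all its juniors."""
    return set().union(*(juniors(r) for r in explicit))

def can_assign(admin, user_roles, target):
    """An admin role inherits the can-assign rows of its junior admin roles."""
    held = members(user_roles)
    return any(a in juniors(admin, ADMIN_JUNIORS) and in_range(target, rng)
               and all((r in held) == want for r, want in cond)
               for a, cond, rng in CAN_ASSIGN)

def can_revoke(admin, target):          # weak revoke (slide 54)
    return any(a in juniors(admin, ADMIN_JUNIORS) and in_range(target, rng)
               for a, rng in CAN_REVOKE)

def strong_revoke(admin, user_roles, target):
    """Slide 55: drop target and its explicit seniors, only if every weak revoke is allowed."""
    victims = {r for r in user_roles if target in juniors(r)}
    return user_roles - victims if all(can_revoke(admin, r) for r in victims) else None
```

Note that the prerequisite test uses implicit membership, so a PL1 member already counts as a P1 member and PSO1 cannot put them into Q1.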

Slide 60: ARBAC97 DECENTRALIZES
- user-role assignment (URA97)
- permission-role assignment (PRA97)
- role-role hierarchy:
  - groups, or user-only roles (extend URA97)
  - abilities, or permission-only roles (extend PRA97)
  - UP-roles, or user-and-permission roles (RRA97)

Slide 61: Range Definitions
[Figure: the three RRA97 range notions: create range, encapsulated range, authority range.]

Slide 62: RBAC Architectures and Mechanisms (section title)

Slide 63: OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
[Figure: the OM-AM layers applied to RBAC. What: Objectives = policy neutral; Model = RBAC96, ARBAC97, etc. How: Architecture = user-pull, server-pull, etc.; Mechanism = certificates, tickets, PACs, etc. Assurance spans all layers.]

Slide 64: SERVER MIRROR
[Figure: Client, Server and User-role Authorization Server; the server holds a mirrored copy of the user-role information.]

Slide 65: SERVER-PULL
[Figure: Client, Server and User-role Authorization Server; the server pulls the user's roles from the authorization server.]

Slide 66: USER-PULL
[Figure: Client, Server and User-role Authorization Server; the client pulls its roles from the authorization server and presents them to the server.]

Slide 67: PROXY-BASED
[Figure: Client, Proxy Server, Server and User-role Authorization Server; the proxy sits between client and server and obtains the user's roles on the client's behalf.]

Slide 68: THE OM-AM WAY
[Figure: four layers. Objectives and Model answer "What?"; Architecture and Mechanism answer "How?"; Assurance spans all four layers.]

