Presentation is loading. Please wait.

Presentation is loading. Please wait.

PBDM: A Flexible Delegation Model in RBAC Xinwen Zhang, Sejong Oh George Mason University Ravi Sandhu George Mason University and NSD Security.

Published byLucas Carter Modified over 10 years ago

Similar presentations

Presentation on theme: "PBDM: A Flexible Delegation Model in RBAC Xinwen Zhang, Sejong Oh George Mason University Ravi Sandhu George Mason University and NSD Security."— Presentation transcript:

1 PBDM: A Flexible Delegation Model in RBAC Xinwen Zhang, Sejong Oh George Mason University Ravi Sandhu George Mason University and NSD Security

2 Outline Motivations Related Works PBDM0: user-to-user delegation PBDM1: user-to-user delegation PBDM2: role-to-role delegation Conclusions and future work

3 Motivations Permission level delegations are needed in many cases:

4 Motivations(contd) User-to-user delegations –John delegates some of his permissions to Jenny when he is out of town Role-to-role delegations –A professor can delegate check-email permission to a TA Multi-step delegation and revocation –Jenny can delegate some permissions from John to Jim

5 Related Works RBDM0: –E.Barka et al, NISSC 2000, ACSAC 2000 –A delegation framework –User-to-user delegation –Role-level delegation RDM2000 –L.Zhang et al, SACMAT 2002 –Role-level delegation –Multi-step delegation

6 PBDM0 Permission-based Delegation Model A user-to-user delegation model –John creates a temporary delegation role D1. –John assigns the permission change_schedule" to D1 with permission- role assignment and role PE to D1 with role-role assignment. –John assigns Jenny to D1 with user-role assignment.

7 PBDM0 RR: regular roles DTR: delegation roles Controlled by security administrator: UAR: user-regular role assignment PAR: permission-regular role assignment Controlled by individual user: UAD: user-delegation role assignment PAD: permission-delegation role assignment

8 PBDM0 RuleUsers assigned regular role Pre_conP_rangeM 12341234 PL QE PM PE PJ PD {confirm_program} {change_schedule, PE} {error_report} {check_prod_plan} 1

9 PBDM1 Problems in PBDM0: –A user can create delegation role by his discretion. Invalid permission flow can happen with malicious user. There reason is that there is no security administrator involvement in delegation. –Cannot support role-to-role delegation, since delegation role cannot be assigned to a regular role. PBDM1: –Extension from PBDM0 –Permissions of a role are separated into two parts: regular and delegatable. –Only delegatable permissions can be used to create delegation roles. –User-to-user delegation

10 PBDM1 RR: regular roles DBR: delegatable roles DTR: delegation roles One-to-one map between RR and DBR

11 PBDM1

12 UAR, UAB, PAR, and PAB are managed by security administrator. UAD and PAD are managed by individual user. Revocation options: –By a user: Remove a user from delegatees, that is, revoke the user-delegation role assignment. Remove one or more pieces of permissions from delegation role. Revoke delegation role. –By a security administrator: Remove one or more pieces of permission from a delegatable role to its regular role. Revoke a user from regular role and delegatable role.

13 PBDM2 Extension from PBDM1 A role-to-role delegation model A role is separated into three layers: –Regular role(RR): permissions cannot be delegated. –Fixed delegatable role(FDBR): permission can be delegated. –Temporal delegatable role(TDBR): inherit permissions from delegation roles with role-role assignment(RAD). Delegation roles (DTR) are assigned to temporal delegatable role –Since there is no role hierarchy with TDBR, illegal permission flow will not happen.

14 PBDM2 A delegation role D3 owned by PL and delegated to QE: –Create a temporary delegation role D3 –assign the permission change_schedule" to D3 –assign role PE to D3 –Assign D3 to QE

15 PBDM2 RR, FDBR, TDBR, DTR RRH, FDBRH UAR, UAFB, UATB PAR, PAFB, PADB RAD: delegation role-temporal delegatable role assignment

16 PBDM2 Revocation options: –Remove one or more pieces of permissions from delegation role. –Revoke delegation role owned by a fixed delegatable role. –Remove one or more pieces of permission from a fixed delegatable role to its regular role.

17 Conclusions and Future Work Conclusions: –Present a permission-based delegation model family, PBDM0, PBDM1, and PBDM2. –Support user-to-user and role-to-role delegation –Support multi-step delegation –Support multi-option revocation –Flexible delegation administration Future work: –Constraints in RBAC delegation, such as separation of duty –Delegation management in decentralized environment

Download ppt "PBDM: A Flexible Delegation Model in RBAC Xinwen Zhang, Sejong Oh George Mason University Ravi Sandhu George Mason University and NSD Security."

Similar presentations

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
Role Based Access Control

Role Based Access Control
ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,

1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,
SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,

SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,
1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.

1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.
FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.
Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.

Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.

1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.
1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University.

1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University.
ARBAC99 (Model for Administration of Roles)

ARBAC99 (Model for Administration of Roles)
Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Ravi Sandhu Venkata Bhamidipati

Ravi Sandhu Venkata Bhamidipati
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Role Activation Hierarchies Ravi Sandhu George Mason University.

Role Activation Hierarchies Ravi Sandhu George Mason University.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
How to do Discretionary Access Control Using Roles Ravi Sandhu Qamar Munawer.

How to do Discretionary Access Control Using Roles Ravi Sandhu Qamar Munawer.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Similar presentations

Ads by Google