
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL
Ravi Sandhu and Hal Feinstein, Seta Corporation, McLean, VA
Ongoing NIST-funded project. Other project members at Seta: Ed Coyne, Charles Youman

Presentation transcript:

Slide 1: A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL
Ravi Sandhu and Hal Feinstein, Seta Corporation, McLean, VA
Ongoing NIST-funded project. Other project members at Seta: Ed Coyne, Charles Youman

Slide 2: RBAC
- An alternative to classical MAC and DAC
- Substantial history and tradition
- Often used to separate administrative functions: Operator, Auditor, Security Officer, User
- Extend this concept into the application domain

Slide 3: INTERACTION OF RBAC, MAC AND DAC
[Diagram: RBAC, MAC and DAC, with the permitted accesses shown where they overlap]

Slide 4: POLICY VERSUS MECHANISM
- Roles are a policy concept
- Several mechanisms can be used to implement roles: roles, groups, compartments
- Some mechanisms are better suited than others

Slide 5: RBAC
[Diagram: USERS connected to ROLES by USER-ROLE ASSIGNMENT; ROLES connected to PRIVILEGES by PRIVILEGE-ROLE ASSIGNMENT]

Slide 6: USERS
- Users are human beings
- Each individual should be known as exactly one user

Slide 7: PRIVILEGES
- Primitive privileges: read, write, append, execute
- Abstract privileges: credit, debit, inquiry
- Generic privileges: auditor

Slide 8: RBAC
[Diagram: USERS, ROLES and PRIVILEGES as on slide 5, with ROLE HIERARCHIES added on the roles]

Slide 9: HIERARCHICAL ROLES
[Diagram: Health-Care Provider, Physician, Primary-Care Physician, Specialist Physician]

Slide 10: HIERARCHICAL ROLES
[Diagram: Engineer, Hardware Engineer, Software Engineer, Supervising Engineer]

Slide 11: RBAC
[Diagram: USERS, ROLES and PRIVILEGES with USER-ROLE ASSIGNMENT, PRIVILEGE-ROLE ASSIGNMENT, ROLE HIERARCHIES, and CONSTRAINTS added]

Slide 12: CONSTRAINTS
- Mutually exclusive roles
  - Static exclusion: the same individual can never hold both roles
  - Dynamic exclusion: the same individual can never hold both roles in the same context
- Prerequisite roles: a user must belong to one or more prerequisite roles in order to qualify for possible membership in some other role

Slide 13: SCALE
- Hundreds of roles
- User-role assignment will change frequently
- Privilege-role assignment will change frequently
- Role hierarchy will change occasionally

Slide 14: RBAC SUMMARY
- RBAC is a sophisticated and multi-dimensional concept
- Different products will support variations of RBAC (even if standards emerge)

Slide 15: ANSI/SPARC DATABASE ARCHITECTURE
[Diagram: several External Views above a single Community View, above a single Implementation View]

Slide 16: RBAC ARCHITECTURE
[Diagram: several External Views above a single Community View, above several Implementation Views]

Slide 17: TOP TWO TIERS
[Diagram: External Views derived from the Community View by ELIMINATION and REFINEMENT]

Slide 18: EXAMPLE
[Diagram: a role hierarchy, with an external view obtained from it by refinement and elimination]

Slide 19: BOTTOM TWO TIERS
[Diagram: Implementation Views derived from the Community View by REFINEMENT and ELIMINATION]

Slide 20: BOTTOM TWO TIERS
[Diagram: the Community View mapped onto one Implementation View by an IMPLICIT MECHANISM and onto another by an EXPLICIT MECHANISM]

Slide 21: IMPLICIT USER ASSIGNMENT
[Diagram: a USER with one explicit assignment to a role in a ROLE HIERARCHY; the junior roles are implicit assignments]

Slide 22: EXPLICIT USER ASSIGNMENT
[Diagram: a USER with NO ROLE HIERARCHY; every role membership is an explicit assignment]
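The constraints of slide 12 and the two assignment mechanisms of slides 21 and 22 can be made concrete in a small engine. The following is an added example written for this transcript, not code from the presentation or its authors: it uses the health-care role names from slide 9 and privilege names from slide 7, while the Auditor role, the exclusion pairs, the prerequisite rule and the users alice, bob and carol are constructed assumptions. `implied_roles` realises the implicit mechanism (one explicit assignment, junior roles inherited through the hierarchy); `explicit_assignments` flattens the same policy into the explicit form of slide 22; `assign` enforces static exclusion and prerequisites, and `activate` enforces dynamic exclusion per session.

```python
"""Added example: toy RBAC engine with a role hierarchy, implicit versus explicit
user assignment, and static exclusion, dynamic exclusion and prerequisite constraints.
Role and privilege names come from the slides; users and policy details are constructed."""
from collections import deque


class RBAC:
    def __init__(self):
        self.juniors = {}       # role -> immediately junior roles (a senior role inherits them)
        self.role_privs = {}    # privilege-role assignment
        self.user_roles = {}    # user-role assignment, explicit assignments only
        self.static_excl = []   # role pairs one user may never hold, even via the hierarchy
        self.dynamic_excl = []  # role pairs that may not both be active in one session
        self.prereq = {}        # role -> roles a user must already hold to qualify for it

    def add_role(self, role, juniors=(), privs=()):
        self.juniors.setdefault(role, set()).update(juniors)
        for j in juniors:
            self.juniors.setdefault(j, set())
        self.role_privs.setdefault(role, set()).update(privs)

    def implied_roles(self, roles):
        """Close a role set downward through the hierarchy (the implicit assignments of slide 21)."""
        seen, todo = set(), deque(roles)
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Explicit user-role assignment, refused if a constraint would be violated."""
        held = self.user_roles.setdefault(user, set())
        missing = self.prereq.get(role, set()) - self.implied_roles(held)
        if missing:
            raise ValueError(f"{user} lacks prerequisite role(s) {sorted(missing)} for {role}")
        # Static exclusion is checked on the hierarchy closure, so a senior role cannot
        # smuggle in an excluded junior role.
        effective = self.implied_roles(held | {role})
        for a, b in self.static_excl:
            if a in effective and b in effective:
                raise ValueError(f"{role} is statically exclusive with a role {user} already holds")
        held.add(role)

    def explicit_assignments(self, user):
        """The same policy under the explicit mechanism of slide 22: every role the user
        holds directly or through the hierarchy, written out as a flat assignment."""
        return self.implied_roles(self.user_roles.get(user, set()))

    def privileges(self, user):
        return set().union(*(self.role_privs.get(r, set()) for r in self.explicit_assignments(user)))

    def activate(self, user, roles):
        """Start a session with the given roles active; returns the session's privileges."""
        if not set(roles) <= self.explicit_assignments(user):
            raise ValueError(f"{user} does not hold all of {sorted(roles)}")
        active = self.implied_roles(roles)
        for a, b in self.dynamic_excl:
            if a in active and b in active:
                raise ValueError(f"{a} and {b} cannot be active in the same session")
        return set().union(*(self.role_privs.get(r, set()) for r in active))


def try_assign(rbac, user, role):
    """Return None if the assignment is accepted, otherwise the refusal message."""
    try:
        rbac.assign(user, role)
        return None
    except ValueError as e:
        return str(e)


def build_example():
    """Constructed policy: the slide 9 hierarchy plus an Auditor role and three constraints."""
    r = RBAC()
    r.add_role("Health-Care Provider", privs={"inquiry"})
    r.add_role("Physician", juniors={"Health-Care Provider"}, privs={"read"})
    r.add_role("Primary-Care Physician", juniors={"Physician"}, privs={"write"})
    r.add_role("Specialist Physician", juniors={"Physician"}, privs={"append"})
    r.add_role("Auditor", privs={"auditor"})
    r.static_excl.append(("Physician", "Auditor"))                              # never both
    r.dynamic_excl.append(("Primary-Care Physician", "Specialist Physician"))   # not in one session
    r.prereq["Specialist Physician"] = {"Physician"}
    r.assign("alice", "Physician")
    r.assign("alice", "Specialist Physician")   # prerequisite satisfied
    r.assign("alice", "Primary-Care Physician")
    r.assign("bob", "Auditor")
    return r


if __name__ == "__main__":
    r = build_example()
    print("alice, explicit form:", sorted(r.explicit_assignments("alice")))
    print("alice, privileges:", sorted(r.privileges("alice")))
    print("bob as Physician:", try_assign(r, "bob", "Physician"))               # static exclusion
    print("carol as Specialist:", try_assign(r, "carol", "Specialist Physician"))  # prerequisite
    print("alice session:", sorted(r.activate("alice", {"Primary-Care Physician"})))
```

Note that `assign` checks static exclusion against the hierarchy closure rather than the explicitly held roles alone; with the implicit mechanism an exclusion written on two junior roles would otherwise be bypassed by assigning a senior role above one of them.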

Slide 23: CONCLUSION
- Further work is ongoing on the RBAC model and the RBAC architecture
- Preliminary results are promising

