Published by Nathan Bennett
Modified over 3 years ago
Slide 1: Access Control Hierarchies (best viewed in slide show mode)
© 2005 Ravi Sandhu, Laboratory for Information Security Technology, George Mason University

Slide 2: RBAC96 Model (figure)

Slide 3: ARBAC97
- User-Role Assignment: URA97
- Permission-Role Assignment: PRA97
- Role-Role Assignment: RRA97
Reference: Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages

Slide 4: Example Role Hierarchy (figure)

Slide 5: Example Administrative Role Hierarchy (figure)

Slide 6: Abilities, Groups and UP-Roles (figure)
Slide 7: Four operations
- Create role
- Delete role
- Insert edge
- Delete edge
All four are authorized by a single relation, can-modify. More complex operations can be built from these four. The Chief Security Officer can bypass all of these controls.

Slide 8: can-modify (not a typo)
- The authority range must be encapsulated (to be discussed later)

Slide 9: Example Role Hierarchy (figure, labelled DSO and PSO1)

Slide 10: Semantics of create role
- Specify the immediate parent and the immediate child of the new role
- Both must be within the can-modify range or be one of the endpoints of that range
- The immediate parent must be senior to the immediate child:
  - if the parent is junior, the creation would introduce a cycle
  - if the two are incomparable, the creation would introduce a new edge (so insert the new edge first and then create the new role)
- The immediate parent and immediate child must constitute a create range (prior to creation); to be discussed later

Slide 11: Semantics of delete role
- Deletion of a role preserves all transitive edges
- Deletion that causes dangling references is prohibited, either by
  - prohibiting deletion of roles used in can_assign, can_revoke or can_modify, OR
  - deactivating these roles when they are deleted; inactive roles cannot be activated in a session, and new users and permissions cannot be added to them
- The permissions and users of a deleted role are preserved, either because
  - only empty roles can be deleted, OR
  - users are pushed down to the immediately junior roles and permissions are pushed up to the immediately senior roles

Slide 12: Semantics of insert edge
- Edges can be inserted only between incomparable roles
- Edge insertion must preserve the encapsulation of authority ranges (to be discussed)

Slide 13: Semantics of delete edge
- Edges can be deleted only if they are not transitively implied
- Deleting an edge preserves transitive edges, some of which will then become visible in the Hasse diagram
- An edge between the endpoints of an authority range cannot be deleted (to be discussed)

Slide 14: Edge insertion anomaly (figure, labelled DSO and PSO1)

Slide 15: Edge insertion anomaly
- An edge insertion by PSO1 in the range (E1,PL1) impacts the relationship between X and Y, which lie outside the PSO1 range

Slide 16: Edge insertion anomaly (alternatives)
- Let it happen
- Do not allow X and Y to be introduced (by DSO)
- Do not allow PSO1 to insert the edge from QE1 to PE1
Slide 17: Role Ranges (figure, annotated "typo" on the original slide)

Slide 18: Range Definitions (figure)
- Range
- Create Range
- Encapsulated Range
- Authority Range

Slide 19: Encapsulated Role Ranges (figure, annotated "typo" on the original slide)

Slide 20: Encapsulated Role Ranges (figure, labelled DSO and PSO1)
- Encapsulated: (E1,PL1), (E2,PL2), (ED,DIR), (E,DIR)
- Non-encapsulated: (E,PL1), (E,PL2), (E,E1), (E,E2)

Slide 21: Encapsulated Role Ranges (figure)
- Encapsulated: (x,y), (r2,y), (B,A)
- Non-encapsulated: (x,y), (B,y)

Slide 22: Encapsulated Role Ranges (figure)
- Encapsulated: (r2,y), (B,A)
- Non-encapsulated: (x,y), (B,y)

Slide 23: Create Ranges (figure)

Slide 24: Create Ranges (figure)
- Authority ranges: (B,A), (x,y)
- Create ranges: dashed lines
- B is an end point of an authority range; immediate (y)
- A is an end point of an authority range; immediate (r3)
- A is an end point of an authority range; immediate (x)
- These are not create ranges

Slide 25: Preserving encapsulation on edge insertion (figure)

Slide 26: Preserving encapsulation on edge insertion
- Authority ranges: (B,A), (x,y)
- Insertion of (y,r3) is OK but will prevent a future insertion of (r3,x)
- Likewise, insertion of (r3,x) is OK but will prevent a future insertion of (y,r3)
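To make the encapsulation test and the guarded insert-edge and create-role operations of slides 10, 12, 15, 16 and 20 concrete, here is an added Python example (not code from the slides or from the ARBAC97 paper): it builds the slide 20 hierarchy, checks which ranges are encapsulated, accepts PSO1's edge QE1 > PE1 while no X and Y exist, and refuses DSO's creation of a role X above QE1 because that would break the encapsulation of (E1,PL1). Assumed here: the encapsulation definition (a role outside (x,y) is senior to an interior role iff it is senior to y, and junior to one iff it is junior to x), the class and method names, and which authority ranges sit in can-modify; the create-range test and the delete operations are not modelled.

```python
from itertools import product
class RoleHierarchy:
    """Role hierarchy as direct (senior, junior) edges; >= is their reflexive-transitive closure."""
    def __init__(self, edges):
        self.edges = set(edges)
    def roles(self):
        return {r for e in self.edges for r in e}
    def ge(self, a, b):
        """True iff a is senior to or equal to b (walk down the edges from a)."""
        seen, stack = set(), [a]
        while stack:
            cur = stack.pop()
            if cur == b:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(j for s, j in self.edges if s == cur)
        return False
    def encapsulated(self, x, y):
        """Encapsulated range (x junior end, y senior end), assumed ARBAC97 definition: a role s
        outside the range is senior to an interior role iff s >= y, and junior to one iff s <= x."""
        roles = self.roles()
        ins = {r for r in roles if r not in (x, y) and self.ge(y, r) and self.ge(r, x)}
        return all(self.ge(s, r) == self.ge(s, y) and self.ge(r, s) == self.ge(x, s)
                   for r, s in product(ins, roles - ins))
    def _guarded(self, new_edges, authority_ranges):
        """Apply the edges, then roll back if any can-modify authority range lost encapsulation."""
        self.edges |= new_edges
        broken = [ar for ar in authority_ranges if not self.encapsulated(*ar)]
        if broken:
            self.edges -= new_edges
            return False, "would break encapsulation of %s" % broken
        return True, "ok"
    def insert_edge(self, senior, junior, authority_ranges):
        """Slide 12: an edge may only be inserted between incomparable roles."""
        if self.ge(senior, junior) or self.ge(junior, senior):
            return False, "roles are comparable"
        return self._guarded({(senior, junior)}, authority_ranges)
    def create_role(self, new, parent, child, authority_ranges):
        """Slide 10: the immediate parent must be senior to the immediate child (create-range test omitted)."""
        if new in self.roles() or parent == child or not self.ge(parent, child):
            return False, "role exists or parent is not senior to child"
        return self._guarded({(parent, new), (new, child)}, authority_ranges)

# Constructed example: the slide 20 hierarchy as (senior, junior) edges.
EXAMPLE = RoleHierarchy([("DIR", "PL1"), ("DIR", "PL2"), ("PL1", "PE1"), ("PL1", "QE1"),
                         ("PL2", "PE2"), ("PL2", "QE2"), ("PE1", "E1"), ("QE1", "E1"),
                         ("PE2", "E2"), ("QE2", "E2"), ("E1", "ED"), ("E2", "ED"), ("ED", "E")])
# Authority ranges assumed to be held in can-modify by PSO1, PSO2 and DSO respectively.
AUTHORITY_RANGES = [("E1", "PL1"), ("E2", "PL2"), ("ED", "DIR")]
```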
Slide 27: Edge deletion example (figure)

Slide 28: Next class
Read Jason Crampton and George Loizou. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages (available in the ACM Digital Library through GMU), and come prepared to discuss it.

Slide 29: Assignment
1. Prove or give a counterexample:
   - An authority range is always a create range?
   - If x is an immediate child of y, then (x,y) is a create range?
2. Prove or give a counterexample:
   - If x is an immediate child of y, then (x,y) can always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?