1 XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment Brian Garback © Brian Garback 2005

2

3 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

4 Role-Based Access Control Physician Nurse Patient Admin Read Medical Record Write Prescription Write Medical Record Read Prescription ⋮ UsersRolesPermissions Formalized by Sandhu et al. in 1996

5 Hierarchical RBAC Operate ⋮ UsersRolesPermissions Interpret X-Ray Write Prescription Read Prescription Read Demographics Physician Patient Universal Radiologist Surgeon

6 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

7 XACML from XML extension language to specify and enforce authorization policies XACML 2.0 approved Feb 2005 XACML provides: – Context-aware security policy language – Policy combination – Extensibility

8 XACML System Design

9 XML Structure

10 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

11 XACML Profile for RBAC Draft v2.0 approved Sept contains – Assigning Role Attributes – Core and Hierarchical RBAC implementation Two Shortcomings: 1. Lacks a clear role assignment specification 2. No mention of permission delegation

12 RBXACML Implementation Role Assignment Policy – Defines which roles are assigned to which subjects Permission Policy Set – Contains all the permissions associated with a role Role Policy Set – Associates a role with a PPS Hierarchy is formed by PPS referencing other PPS’s

13 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

14 Original RBAC: Al-Kahtani presented ABRA in 2002: subject-id = 5 Attribute-Based Role Assignment Physician If subject-id = 5 If holds physician role in highly-trusted remote domain

15 Delegation Giving a portion of one’s authority to another Motivating examples: – Physician to Physician Permissions while on vacation – Physician to Medical Student Permission to read a patient’s record

16 Previous Work in Delegation Sandhu introduced ARBAC – Delegation among role administrators 2000 – Barka proposed RBDM0 – Multi-step delegation in a role hierarchy 2002 – Zhang described RDM2000 – A rule based framework for role-based delegation 2003 – Zhang presented PBDM – Permission-level delegation in a role hierarchy 2004 – Ye pioneered ABDM – Delegation management and constraints

17 Constraining Delegation Which permissions are delegatable – Allow some subset within a role to be delegatable How permissions can be delegated 1. Delegation condition Fulfilled by delegator before he can delegate a permission 2. Delegatee assignment condition Fulfilled by delegatee before a permission is assigned to him

18 Maintaining Hierarchical RBAC Delegation must conform to RBAC requirements – Use standard role definition and assignment – Delegation role assignments are contingent on the delegator’s assignment to the regular role – No user may alter the role hierarchy Multi-step Delegation – Delegation constraints are inherited by all delegation roles Hierarchical Delegation – A delegator may delegate a subset of a role’s inherited roles

19 Revocation Delegation necessitates Revocation Methods: – Constrain role assignment by time period – Explicit revocation by a delegator or admin Multi-step: – If a delegator’s role is revoked, associated delegation roles are revoked

20 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

21 RBAC & CADABRA Implementation Two policy types: – Role Assignment Policy (RAP): rules to assign roles to subjects – Permission Policy (PP): permissions associated with a role Role = { RAP, PP }

22 XACML for CADABRA

23 Authorization Architecture

24 Physician to Medical Student

25 Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Constrained Delegation of Permission Design & Implementation Performance Evaluation

26 Performance Evaluation XML: expressiveness vs. efficiency – Compare role assignment time and authorization time to access time Hospital Scenario: – Users: 50,000 patients, 5,000 staffers – Resources: 50 resource types, 5 actions – Roles: 15 regular roles, 2,000 delegation roles

27 Performance Evaluation Pentium 4 3GHz, 1 GB RAM t Authorization = 71 ms t Role Assignment = 983 ms / 10 = 98 ms t Authorization + t Role Assignment = 169 ms t Portal Access = 703 ms ( t Auth + t Role Assign ) / ( t Access + t Auth + t Role Assign ) = 19 % Analysis: – The additional time for authorization is easily tolerated. – Role-to-User ABRA is not always necessary

28 Conclusion Support complex health system requirements Enhanced XACML’s RBAC profile with CADABRA – Effective policy representation – Dynamic permission definition, assignment, & enforcement – Administrative control over delegation Performance analysis: – Extended XACML is sufficiently expressive and efficient t Authorization + t Role Assignment = 169 ms

29 Future Work Research Directions: – Formalize web-based enterprise request generation – Refine delegation constraints specification and aggregation – Access logging and auditing – Decompose ABRA into user-to-role & role-to-user Research Documentation: – “XACML for RBAC and CaDABRA: Constrained Delegation and Attribute-Based Role Assignment” submitted to SACMAT 2006