© 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University

© 2004 Ravi Sandhu Access Control Models: A perspective

© 2004 Ravi Sandhu 3 Access Matrix Model (Lampson 1971) U r w V F SubjectsSubjects Objects (and Subjects) r w G r rights

© 2004 Ravi Sandhu 4 Access Matrix Model Separates authentication from authorization Rights are persistent These items have come into question in recent times, but that is a topic for another talk. Separates model from implementation Policy versus mechanism This separation continues to be valuable and will be discussed and refined later in this talk.

© 2004 Ravi Sandhu 5 MAC, DAC and RBAC For 25 years ( ) access control was divided into Mandatory Access Control (MAC) Discretionary Access Control (DAC) Since the early-mid 1990s Role-Based Access Control (RBAC) has become a dominant force RBAC subsumes MAC and DAC RBAC is not the final answer BUT is a critical piece of the final answer

© 2004 Ravi Sandhu 6 Mandatory Access Control (MAC) TS S C U Information Flow Dominance Lattice of security labels Rights are determined by security labels (Bell-LaPadula 1971)

© 2004 Ravi Sandhu 7 Mandatory Access Control (MAC) U r w V F SubjectsSubjects Objects (and Subjects) r w G r security label of F must dominate or equal security label of G

© 2004 Ravi Sandhu 8 Discretionary Access Control (DAC) The owner of a resource determines access to that resource The owner is often the creator of the resource Fails to distinguish read from copy This distinction has re-emerged recently under the name Dissemination Control (DCON)

© 2004 Ravi Sandhu 9 Discretionary Access Control (DAC) U r w V F SubjectsSubjects Objects (and Subjects) r w G r

© 2004 Ravi Sandhu 10 Discretionary Access Control (DAC) U r w own V F SubjectsSubjects Objects (and Subjects) r w own G r Rights are determined by the owners

© 2004 Ravi Sandhu 11 Beyond DAC and MAC Many attempts were made Domain-Type enforcement (Boebert-Kain 1985) Clark-Wilson (1987) Chinese Walls (Brewer-Nash 1989) Harrison-Ruzzo-Ullman (1976) Schematic Protection Model (Sandhu 1985) Typed Access Matrix Model (Sandhu 1992) ………………… RBAC solves this problem

© 2004 Ravi Sandhu Role-Based Access Control: The RBAC96 Model Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, Role-Based Access Control Models. IEEE Computer, Volume 29, Number 2, February 1996, pages

© 2004 Ravi Sandhu 13 ROLE-BASED ACCESS CONTROL (RBAC) A users permissions are determined by the users roles rather than identity or clearance roles can encode arbitrary attributes multi-faceted ranges from very simple to very sophisticated

© 2004 Ravi Sandhu 14 Central concept of RBAC ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS

© 2004 Ravi Sandhu 15 WHAT IS THE POLICY IN RBAC? RBAC is a framework to help in articulating policy The main point of RBAC is to facilitate security management

© 2004 Ravi Sandhu 16 RBAC SECURITY PRINCIPLES least privilege separation of duties separation of administration and access abstract operations

© 2004 Ravi Sandhu 17 RBAC96 IEEE Computer Feb Policy neutral can be configured to do MAC roles simulate clearances (ESORICS 96) can be configured to do DAC roles simulate identity (RBAC98)

© 2004 Ravi Sandhu 18 WHAT IS RBAC? multidimensional open ended ranges from simple to sophisticated

© 2004 Ravi Sandhu 19 RBAC CONUNDRUM turn on all roles all the time turn on one role only at a time turn on a user-specified subset of roles

© 2004 Ravi Sandhu 20 RBAC96 FAMILY OF MODELS RBAC0 BASIC RBAC RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS

© 2004 Ravi Sandhu 21 RBAC0 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS

© 2004 Ravi Sandhu 22 PERMISSIONS Primitive permissions read, write, append, execute Abstract permissions credit, debit, inquiry

© 2004 Ravi Sandhu 23 PERMISSIONS System permissions Auditor Object permissions read, write, append, execute, credit, debit, inquiry

© 2004 Ravi Sandhu 24 PERMISSIONS Permissions are positive No negative permissions or denials negative permissions and denials can be handled by constraints No duties or obligations outside scope of access control

© 2004 Ravi Sandhu 25 ROLES AS POLICY A role brings together a collection of users and a collection of permissions These collections will vary over time A role has significance and meaning beyond the particular users and permissions brought together at any moment

© 2004 Ravi Sandhu 26 ROLES VERSUS GROUPS Groups are often defined as a collection of users A role is a collection of users and a collection of permissions Some authors define role as a collection of permissions

© 2004 Ravi Sandhu 27 USERS Users are human beings or other active agents Each individual should be known as exactly one user

© 2004 Ravi Sandhu 28 USER-ROLE ASSIGNMENT A user can be a member of many roles Each role can have many users as members

© 2004 Ravi Sandhu 29 SESSIONS A user can invoke multiple sessions In each session a user can invoke any subset of roles that the user is a member of

© 2004 Ravi Sandhu 30 PERMISSION-ROLE ASSIGNMENT A permission can be assigned to many roles Each role can have many permissions

© 2004 Ravi Sandhu 31 MANAGEMENT OF RBAC Option 1: USER-ROLE-ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer Option 2: Use RBAC to manage RBAC

© 2004 Ravi Sandhu 32 RBAC1 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES

© 2004 Ravi Sandhu 33 HIERARCHICAL ROLES Health-Care Provider Physician Primary-Care Physician Specialist Physician

© 2004 Ravi Sandhu 34 HIERARCHICAL ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer

© 2004 Ravi Sandhu 35 PRIVATE ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer Hardware Engineer Software Engineer

© 2004 Ravi Sandhu 36 EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

© 2004 Ravi Sandhu 37 EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

© 2004 Ravi Sandhu 38 EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

© 2004 Ravi Sandhu 39 EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

© 2004 Ravi Sandhu 40 RBAC3 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS

© 2004 Ravi Sandhu 41 CONSTRAINTS Mutually Exclusive Roles Static Exclusion: The same individual can never hold both roles Dynamic Exclusion: The same individual can never hold both roles in the same context

© 2004 Ravi Sandhu 42 CONSTRAINTS Mutually Exclusive Permissions Static Exclusion: The same role should never be assigned both permissions Dynamic Exclusion: The same role can never hold both permissions in the same context

© 2004 Ravi Sandhu 43 CONSTRAINTS Cardinality Constraints on User-Role Assignment At most k users can belong to the role At least k users must belong to the role Exactly k users must belong to the role

© 2004 Ravi Sandhu 44 CONSTRAINTS Cardinality Constraints on Permissions-Role Assignment At most k roles can get the permission At least k roles must get the permission Exactly k roles must get the permission

© 2004 Ravi Sandhu The NIST-ANSI and (hopefully) soon- to-be ISO RBAC Standard Model David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security, Volume 4, Number 3, August 2001, pages

© 2004 Ravi Sandhu 46 The NIST-ANSI-ISO RBAC Model Adds much needed detail and consensus agreement to the RBAC96 model and other contemporary models Focuses on areas where consensus agreement exists and commercial implementations have been demonstrated Leaves many important areas for future work Eventual goal is much more ambitious Test suite for conformance testing

© 2004 Ravi Sandhu 47 RBAC96 FAMILY OF MODELS RBAC0 BASIC RBAC RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS

© 2004 Ravi Sandhu 48 The NIST-ANSI-ISO RBAC Model

© 2004 Ravi Sandhu 49 The NIST-ANSI-ISO RBAC Model Additional details Administrative Functions Supporting System Functions Review Functions

© 2004 Ravi Sandhu 50 Core RBAC

© 2004 Ravi Sandhu 51 Core RBAC: Administrative Functions AddUser DeleteUser AddRole DeleteRole AssignUser DeassignUser Grant-Permission Revoke-Permission

© 2004 Ravi Sandhu 52 Core RBAC: Supporting System Functions CreateSession AddActiveRole DropActiveRole CheckAccess

© 2004 Ravi Sandhu 53 Core RBAC: Review Functions Required AssignedUsers AssignedRoles Optional RolePermissions UserPermissions SessionRoles SessionPermissions RoleOperationsOnObject SessionOperationsOnObject Role-permission review is optional Role-user review is required

© 2004 Ravi Sandhu 54 Hierarchical RBAC

© 2004 Ravi Sandhu 55 Limited Hierarchies

© 2004 Ravi Sandhu 56 Limited Hierarchies

© 2004 Ravi Sandhu 57 General Hierarchies

© 2004 Ravi Sandhu 58 Inheritance versus Activation Hierarchy

© 2004 Ravi Sandhu 59 Inheritance versus Activation Hierarchy Inheritance hierarchy Activating Director Role also activates all junior roles (by inheritance of permissions) Violates least privilege Activation hierarchy Activating Director Role does not activate junior roles (there is no inheritance of permissions) Junior roles must be explicitly activated Preserves least privilege but is less automated

© 2004 Ravi Sandhu 60 Constrained RBAC: Static Separation of Duties

© 2004 Ravi Sandhu 61 Constrained RBAC: Dynamic Separation of Duties

© 2004 Ravi Sandhu MAC and DAC in RBAC Sylvia Osborn, Ravi Sandhu and Qamar Munawer. Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages

© 2004 Ravi Sandhu 63 MAC H L M1M2 ReadWrite -+ +-

© 2004 Ravi Sandhu 64 MAC in RBAC96 HR LR M1RM2R LW HW M1WM2W Read Write - +

© 2004 Ravi Sandhu 65 MAC in RBAC96 user xR, user has clearance x user LW, independent of clearance Need constraints session xR iff session xW in a session exactly one read role must be activated, and this cannot be changed read can be assigned only to xR roles write can be assigned only to xW roles (O,read) assigned to xR iff (O,write) assigned to xW

© 2004 Ravi Sandhu 66 DAC in RBAC96 Construction is more complex Requires multiple roles for every object Revocation Grant-dependent revocation is harder to handle Grant-independent revocation is easier to handle

© 2004 Ravi Sandhu 67 MAC and DAC in the NIST-ANSI-ISO Model RBAC96 constructions use cardinality constraints in addition to Static and Dynamic separation of duties These constructions are not applicable to NIST- ANSI-ISO RBAC model Can NIST-ANSI-ISO RBAC model do MAC and DAC? With extensions: yes Without extensions: probably not

© 2004 Ravi Sandhu Administrative RBAC: ARBAC97 Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages

© 2004 Ravi Sandhu EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

© 2004 Ravi Sandhu EXAMPLE ADMINISTRATIVE ROLE HIERARCHY Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2)

© 2004 Ravi Sandhu 71 URA97 GRANT MODEL: can-assign ARolePrereq RoleRole Range PSO1ED[E1,PL1) PSO2ED[E2,PL2) DSOED(ED,DIR) SSOE[ED,ED] SSOED(ED,DIR]

© 2004 Ravi Sandhu 72 URA97 GRANT MODEL redundant assignments to senior and junior roles are allowed are useful

© 2004 Ravi Sandhu 73 URA97 REVOKE MODEL WEAK REVOCATION revokes explicit membership in a role independent of who did the assignment

© 2004 Ravi Sandhu 74 URA97 REVOKE MODEL STRONG REVOCATION revokes explicit membership in a role and its seniors authorized only if corresponding weak revokes are authorized alternatives –all-or-nothing –revoke within range

© 2004 Ravi Sandhu 75 URA97 REVOKE MODEL : can-revoke ARoleRole Range PSO1[E1,PL1) PSO2[E2,PL2) DSO(ED,DIR) SSO[ED,DIR]

© 2004 Ravi Sandhu 76 PERMISSION-ROLE ASSIGNMENT dual of user-role assignment can-assign-permission can-revoke-permission weak revoke strong revoke (propagates down)

© 2004 Ravi Sandhu 77 PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN- PERMISSION ARolePrereq CondRole Range PSO1PL1[E1,PL1) PSO2PL2[E2,PL2) DSOE1 E2[ED,ED] SSOPL1 PL2 [ED,ED] SSOED[E,E]

© 2004 Ravi Sandhu 78 PERMISSION-ROLE ASSIGNMENT CAN-REVOKE- PERMISSION ARoleRole Range PSO1[E1,PL1] PSO2[E2,PL2] DSO(ED,DIR) SSO[ED,DIR]

© 2004 Ravi Sandhu OM-AM and RBAC

© 2004 Ravi Sandhu 80 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance

© 2004 Ravi Sandhu 81 LAYERS AND LAYERS Multics rings Layered abstractions Waterfall model Network protocol stacks Napolean layers RoFi layers OM-AM etcetera

© 2004 Ravi Sandhu 82 OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels AssuranceAssurance

© 2004 Ravi Sandhu 83 OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? How? Owner-based discretion numerous ACLs, Capabilities, etc AssuranceAssurance

© 2004 Ravi Sandhu 84 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Objective neutral RBAC96, ARBAC97, etc. user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

© 2004 Ravi Sandhu 85 Server-Pull Architecture ClientServer User-role Authorization Server

© 2004 Ravi Sandhu 86 User-Pull Architecture ClientServer User-role Authorization Server

© 2004 Ravi Sandhu 87 Proxy-Based Architecture ClientServer Proxy Server User-role Authorization Server

© 2004 Ravi Sandhu 88 RBAC Mechanisms RBAC can be implemented using Secure cookies: user-pull architecture X.509 certificates: user-pull or server-pull architectures

© 2004 Ravi Sandhu Other RBAC Research and Results

© 2004 Ravi Sandhu 90 RBAC Research (dates are approximate) The early NIST model: Ferraiolo et al 1992 onwards Role-Graph Model: Osborn et al 1994 onwards OASIS model and architecture: Moody et al 1994 onwards Trust Management: Herzberg, Li, Winsborough, et al 1996 onwards Temporal RBAC: Bertino et al 1998 onwards Constraint languages: Ahn and Sandhu, 2000 Delegation in RBAC: Barka, Sandhu, Ahn et al 2000 onwards RBAC and workflow systems: Atluri, Sandhu, Ahn, Park et al 1998 onwards RBAC administration: Kern, Sandhu, Oh, Moffett et al 1998 onwards RBAC engineering: Thomsen, Kern, Epstein, Sandhu et al 2000 onwards Context-aware RBAC: Covington et al, 2000 onwards Rule-based RBAC: Al-Khatani and Sandhu, 2002 onwards ………………….

© 2004 Ravi Sandhu Ongoing and Future Work in RBAC

© 2004 Ravi Sandhu 92 Research Challenges Automated RBAC RBAC engineering Formal models for RBAC Analysis of RBAC policies Integration with attribute-based access control RBAC in pervasive and ad hoc environments Cross-domain RBAC ………….