Framework for Role-Based Delegation Models (RBDMs). By: Ezedin S. Barka and Ravi Sandhu, Laboratory of Information Security Technology, George Mason University.


1 Framework for Role-Based Delegation Models (RBDMs)
By: Ezedin S. Barka and Ravi Sandhu
Laboratory of Information Security Technology, George Mason University
{e.barka, sandhu}@isse.gmu.edu
www.list.gmu.edu

2 Introduction
– What is delegation?
– Forms of delegation
– Our focus
– RBAC96 is the base for our work

3 What is delegation?
An active entity in a system delegates authority to another active entity to carry out some function on behalf of the former.
Active entities:
– Human being
– Computer
– Software agent
– Process
– etc.

4 Forms of delegation
– Human to human
– Human to machine
– Machine to machine
– Perhaps even machine to human

5 Human-to-human role-based delegation
A user who is a member of a role delegates his/her role to another user who belongs to some other role.

6 The RBAC96 Model

7 Example of role hierarchy
Roles in the figure: Project Lead, Production Engineer, Quality Engineer, Engineering
– Project Lead > Quality Engineer
– Quality Engineer > Engineering

8 The RBDM Framework
Identified a number of characteristics related to delegation between humans:
– Permanence
– Monotonicity
– Administration
– Levels of delegation
– Multiple delegation
– Bilateral agreements
– Revocation

9 Permanence
Whether or not the delegating role member loses membership in the delegating role.
– Permanent: the delegating user is permanently replaced by the delegate user
  – The delegating user cannot get the role back
  – The delegate member assumes full power in the role
– Temporary: expires with time or by revocation
  – The delegating user maintains responsibility over the behavior of the delegate user in the delegated role

10 Monotonicity
Whether or not the delegating role member loses power in the delegating role.
– Monotonic: upon delegation, the delegating user maintains his power in that role
  – Can override any action by the delegate user
– Non-monotonic: during delegation, the delegating user loses his power in the delegated role
  – Never loses the revoking permissions
  – Regains full power upon delegation expiration

11 Totality
Size of the delegated permission in a role.
– Total: delegating all the permissions assigned to the role
– Partial: delegating only a subset of the role
  – Easier to address in hierarchical roles

12 Administration
Who administers the delegation.
– Self-administered
  – The delegating user carries out the actual delegation process
– Agent-based
  – A third party conducts the actual delegation
  – Needed when the delegating user is not available

13 Levels of delegation
How many times the role can be further delegated.
– Single-step delegation
  – The role can be delegated only once
– Multi-step delegation
  – The delegated role is further delegated
  – Adds a lot of complexity

14 Multiple delegation
Number of people to whom a delegating role member can delegate at any given time.
– To a single person
  – Role is delegated to only one person at a time
– To multiple people simultaneously
  – Role is delegated to more than one person at a time
  – Introduces accountability issues

15 Bilateral agreements
Both parties have to agree on the delegation.

16 Revocation
The process by which a delegating user takes away the privileges delegated to another user.
– Cascading revocation
  – Usually a concern in the case of two-step delegation
– Grant-dependency revocation
Who can revoke:
– Only the delegating user can revoke
– Any member of the delegating role can revoke
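
Several of the characteristics above can be combined into one small executable model. The following Python sketch is an added example, not code from the presentation or from the RBDM papers: it models temporary, monotonic delegation with a configurable step limit, grant-dependent cascading revocation, and a switch for who may revoke. The class names, method names and users are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    delegator: str
    delegate: str
    role: str
    expires_at: float                 # temporary delegation: expiry time
    parent: "Grant | None" = None     # grant this one depends on (multi-step)
    depth: int = 1                    # 1 = granted by an original role member
    revoked: bool = False

class DelegationManager:
    def __init__(self, members, max_steps=1, any_member_revokes=False):
        self.members = members        # role -> set of original members (assumed input)
        self.max_steps, self.any_member_revokes = max_steps, any_member_revokes
        self.grants = []

    def _valid(self, g, now):  # live only while every grant above it is live
        while g is not None:
            if g.revoked or now >= g.expires_at:
                return False
            g = g.parent
        return True

    def _live_grant(self, user, role, now):
        return next((g for g in self.grants if g.delegate == user
                     and g.role == role and self._valid(g, now)), None)

    def has_role(self, user, role, now):
        # Monotonic: original members keep the role while it is delegated.
        return user in self.members.get(role, ()) or bool(self._live_grant(user, role, now))

    def delegate(self, delegator, delegate, role, now, ttl):
        parent = None
        if delegator not in self.members.get(role, set()):
            parent = self._live_grant(delegator, role, now)
            if parent is None:
                raise PermissionError("delegator does not hold the role")
            if parent.depth >= self.max_steps:
                raise PermissionError("delegation depth limit reached")
        depth = parent.depth + 1 if parent else 1
        self.grants.append(Grant(delegator, delegate, role, now + ttl, parent, depth))
        return self.grants[-1]

    def revoke(self, revoker, grant):
        is_member = revoker in self.members.get(grant.role, set())
        if revoker != grant.delegator and not (self.any_member_revokes and is_member):
            raise PermissionError("revoker may not revoke this grant")
        grant.revoked = True  # dependants fail _valid(), so revocation cascades
```

With `max_steps=1` this is single-step delegation; because validity is checked along the whole chain, expiry of an upstream grant invalidates downstream grants in the same way revocation does.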

18 Models in this framework
Permanent delegation
– RBDM-PD, work in progress
Temporary delegation
– Self-administered
  – RBDM-FR, NISSC 2000
  – RBDM-HR, NISSC 2000
– Agent-based
  – ABEDM, work in progress

19 Conclusion
– Identified a number of characteristics related to delegation
– Used a systematic approach to reduce the large number of possibilities to some useful cases
– Used the reduced cases to build delegation models

20 Questions?