Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University.

Published bySophia Roche Modified over 10 years ago

Similar presentations

Presentation on theme: "1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University."— Presentation transcript:

1 1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University

2 2 SACMAT 2002 © Oh and Sandhu 2002 Contents Introduction of ARBAC97 model Problems of URA97 Problems of PRA97 Solution : ARBAC02 model Conclusion

3 3 SACMAT 2002 © Oh and Sandhu 2002 ARBAC97 model Main point of decentralized RBAC administration –How to control proper administration range (or boundary) of each administrative role ARBAC97 model : use role range and prerequisite condition URA97, PRA97

4 4 SACMAT 2002 © Oh and Sandhu 2002 Director (DIR) Project lead 1 (PL1) Production Engineer 1 (PE1) Quality Engineer 1 (QE1) Engineer 1 (E1) Project lead 2 (PL2) Production Engineer 2 (PE2) Quality Engineer 2 (QE2) Engineer 2 (E2) Engineering Department (ED) Employee (E) Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2) Project 1Project 2 Example of RH and administrative RH

5 5 SACMAT 2002 © Oh and Sandhu 2002 Admin. RolePrereq. ConditionRole Range PSO1 PSO2 DSO SSO ED E1 QE1 E1 PE1 ED E2 QE2 E2 PE2 ED PL2 ED PL1 ED E ED [E1, E1] [PE1, PE1] [QE1, QE1] [E2, E2] [PE2, PE2] [QE2, QE2] [PL1, PL1] [PL2, PL2] (ED, DIR) [ED,ED] (ED, DIR] Can-assign Admin. RolePrereq. ConditionRole Range DSO PSO1 PSO2 DIR PL1 QE1 PL1 PE1 PL2 QE2 PL2 PE2 [PL1, PL1] [PL2, PL2] [PE1, PE1] [QE1, QE1] [PE2, PE2] [QE2, QE2] Can-assignp ARBAC97 model Example of can-assign and can-assignp

6 6 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 Characteristics of user-role assignment –Security officer SO1 can assign user U1 to role R2 provided U1 is already member of prerequisite role R1. –Assigned users in R1 are a user pool for SO1 to assign to R2. –R2 can be prerequisite role for other security officers. R2 User pool R1 Can-assign Admin. Role Prerequiste Condition Role Range SO1R1[R2,R2] ………

7 7 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 Characteristics of user-role assignment –Consequently users should be assigned from lowest prerequisite role to higher prerequisite role in the role hierarchy –From can-assign table, we can depict the first URA step as follows : E ED E1 E2 : User pool

8 8 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 URA97 brings about : –UA1. Multi step assign Suppose that new employed engineer John will be assigned to QE1 role. Assign step : assign John to E assign John to ED assign John to E1 assign John to QE1 Higher roles may require more assign step. This may lead to work of two or more security officers.

9 9 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 URA97 brings about : –UA2. Duplicated UA information Suppose that Tom is a member of QE1 role. It means that Tom is a explicit member of E, ED, E1, and QE1. Removing tuple,, and has no effect to Toms access rights. They are need only for administrative purpose. E ED E1 Tom QE1 Tom RoleAssigned user UA table E.. ED.. E1.. QE1 Tom.. Tom.. Tom.. Tom

10 10 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 URA97 brings about : –UA3. Restricted user pool Suppose the company in the example wants to maintain human resource pool H1, H2, and H3. And new policy requires that Production Engineer should be picked from H1 and Quality Engineer should be picked from H2. It is impossible to realize new policy without changing the Role Hierarchy.

11 11 SACMAT 2002 © Oh and Sandhu 2002 Problems of URA97 URA97 brings about : –UA3. Restricted user pool (cont.) In the URA97 model, the user pool is based on the prerequisite roles, and prerequisite roles belong to role hierarchy. Consequently user pool is restricted by role hierarchy. Accommodating real world needs results in complicating the Role Hierarchy

12 12 SACMAT 2002 © Oh and Sandhu 2002 Problems of PRA97 Characteristics of permission-role assignment –Permission-role assignment step is similar to delegation. –The permissions of highest role on the role hierarchy spread down to lower roles by security officer. –Security officer SO1 can assign permission P1 to role R1 when P1 is already member of prerequisite role R2 that is for SO1. –Assigned permissions in R2 are a permission pool for SO1. R2 permission pool R1 Can-assign

13 13 SACMAT 2002 © Oh and Sandhu 2002 Problems of PRA97 Characteristics of permission-role assignment –From can-assignp table, we can represent the first PRA step as follows : Permission pool DIR PL1 PL2 PE1QE1PE2QE2

14 14 SACMAT 2002 © Oh and Sandhu 2002 Problems of PRA97 PRA97 brings about : –PA1. Multi step assign –PA2. Duplicated PA information –PA3. Restricted composition of permission pool Similar to UA1, UA2, and UA3

15 15 SACMAT 2002 © Oh and Sandhu 2002 Problems of PRA97 PRA97 brings about : –PA4. No restriction for permission pool Suppose there exist can-assignp(SO1, R2, [R1,R1]). Then SO1 can assign in R2s any permissions to R1. There is no restriction. How to specify some of permissions are only for R2 ? cannot solve in PRA97 In PRA99 model, it can be solved by immobile membership concept. But it requires additional information about permission pool. permission pool R2 All can be assigned by SO1 R1

16 16 SACMAT 2002 © Oh and Sandhu 2002 Problems of PRA97 PRA97 brings about : –PA5. Lead to undesirable perm i ss i on flow PSO1 can move some permissions of PL1 to QL. But QL is out of range of PSO1. DIR PL1 PE1 QE1 PL2 QE2 PE2 QL Role Range Of PSO1 Role Range Of DSO illegal flow : A Permission

17 17 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Direction –Choosing new base for user pool and permission pool (role hierarchy independent organization structure) –Organization unit is a good container for user pool and permission pool –Organization unit : A group of people and functions (permissions) for achieving given missions. RH user /permission pool RH user /permission pool Org. structure

18 18 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Organization structure as a user pool –Basic organization structure is predefined before access control –Users are pre-assigned to basic organization structure. (by HR officer) Engineering Department (ED) Project 1 (PJ1) Project 2 (PJ2) Production Division (PRD) Purchasing Department (PD) Manufacturing Department (MD) Quality Control (QC) Stock Control (SC)

19 19 SACMAT 2002 © Oh and Sandhu 2002 Organization structure as a permission pool –Permissions are pre-assigned to basic organization structure. (by IT officer) Solution : ARBAC02 Engineering Department (ED) Project1 (PJ1) Project 2 (PJ2) Production Division (PRD) Purchasing Department (PD) Manufacturing Department (MD) Quality Control (QC) Stock Control (SC)

20 20 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Assigned by human resource (HR) group Assigned by information technology (IT) group Users System Resources Org. structure for user pool Org. structure for permission pool Role hierarchy Assign user to role by security admin. group Assign permission to role by security admin. group HR and IT Area Security admin. Area

21 21 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Modification of prerequisite condition –Suppose can-assign(PSO1, E1 QE1, [PE1,PE1]) Redefined in terms of org. unit : can-assign(PSO1, @PJ1 QE1, [PE1,PE1]) PSO can assign users, who are in org. unit PJ1 and not in role QE1, to PE1 To distinguish role and Org. unit name, we use @ in front of Org. unit name

22 22 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Modification of prerequisite condition –Redefine of can-assign table Admin. RolePrereq. ConditionRole Range PSO1 PSO2 DSO SSO ED E1 QE1 E1 PE1 ED E2 QE2 E2 PE2 ED PL2 ED PL1 ED E ED [E1, E1] [PE1, PE1] [QE1, QE1] [E2, E2] [PE2, PE2] [QE2, QE2] [PL1, PL1] [PL2, PL2] (ED, DIR) [ED,ED] (ED, DIR] Can-assign (ARBAC97) Admin. RolePrereq. ConditionRole Range PSO1 PSO2 DSO SSO @PJ1 QE1 @PJ1 PE1 @PJ2 QE2 @PJ2 PE2 @ED PL2 @ED PL1 @ED [PE1, PE1] [QE1, QE1] [PE2, PE2] [QE2, QE2] [PL1, PL1] [PL2, PL2] (ED, DIR) (ED, DIR] Can-assign (ARBAC02)

23 23 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Proposed model solves problems UA1 and UA2 –Avoid multi-step user assignment –Avoid duplicated user assignment information E ED E1 Tom QE1 Tom E ED E1 QE1 PJ1 Tom (ARBAC02) (ARBAC97)

24 24 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Proposed model solves problems UA3 –Suppose the company in the example want to maintain human resource pool H1, H2, and H3. And new policy requires that Production Engineer should be picked from H1 and Quality Engineer should be picked from H2. –In the proposed model, new org. Unit H1, H2, and H3 can be added at proper positions in org. structure. Then change prerequisite condition such like : can-assign(PSO1, PJ1 QE1, [PE1, PE1]) can-assign(PSO1, @H1, [PE1, PE1]) –Requires no change of role hierarchy !

25 25 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Proposed model solves problems PA1~ PA4 Proposed model solves problems PA5 –In the proposed model, common permissions are assigned to lower roles in the role hierarchy, and higher roles get their special permissions. (bottom-up) –This bottom-up style permission-role assignment prevents undesirable permission flows in PA5. DIR PL1 PE1 QE1 PL2 QE2 PE2 QL Role Range Of PSO1 Role Range Of DSO PSO1 cannot assign PL1s any explicitly assigned permissions to QL

26 26 SACMAT 2002 © Oh and Sandhu 2002 Solution : ARBAC02 Users Roles Admini- strative Roles Permi- ssions Admin. Permi- ssions Constraints...... Sessions Role hierarchy Administrative Role hierarchy User Pool unit Permission Pool unit OS-U OS-P

27 27 SACMAT 2002 © Oh and Sandhu 2002 Conclusion ARBAC02 overcomes shortcomings of ARBAC97 ARBAC02 supports flexible user pool and permission pool structure independent from role hierarchy. –In the ARBAC97 model, user pool and permission pool are tightly coupled with role hierarchy. This leads to various problems. ARBAC02 supports bottom-up oriented permission- role assignment –PRA97 model follows top-down approach. It leads to undesirable permission flow.

Download ppt "1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Role Based Access Control

Role Based Access Control
1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,

1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,
1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.

1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.
FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.

Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.
ARBAC99 (Model for Administration of Roles)

ARBAC99 (Model for Administration of Roles)
Ravi Sandhu Venkata Bhamidipati

Ravi Sandhu Venkata Bhamidipati
ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC)
Role Activation Hierarchies Ravi Sandhu George Mason University.

Role Activation Hierarchies Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS

ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University

SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
ISA 662 RBAC-MAC-DAC Prof. Ravi Sandhu. 2 © Ravi Sandhu RBAC96 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE.

ISA 662 RBAC-MAC-DAC Prof. Ravi Sandhu. 2 © Ravi Sandhu RBAC96 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE.
An ORACLE Implementation of the PRA97 Model for Permission-Role Assignment Ravi Sandhu Venkata Bhamidipati George Mason University.

An ORACLE Implementation of the PRA97 Model for Permission-Role Assignment Ravi Sandhu Venkata Bhamidipati George Mason University.

Similar presentations

Ads by Google