1. © 2005 Ravi Sandhu www.list.gmu.edu Access Control Hierarchies (best viewed in slide show mode) Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu

2. © 2005 Ravi Sandhu www.list.gmu.edu 2 RBAC96 Model

3. © 2005 Ravi Sandhu www.list.gmu.edu 3 ARBAC97 User-Role Assignment: URA97 Permission-Role Assignment: PRA97 Role-Role Assignment: RRA97 Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages 105-135.

4. © 2005 Ravi Sandhu www.list.gmu.edu 4 Example Role Hierarchy

5. © 2005 Ravi Sandhu www.list.gmu.edu 5 Example Administrative Role Hierarchy

6. © 2005 Ravi Sandhu www.list.gmu.edu 6 Abilities, Groups and UP-Roles

7. © 2005 Ravi Sandhu www.list.gmu.edu 7 Four operations Create role Delete role Insert edge Delete edge Authorized by a single relation can-modify More complex operations can be built from these Chief Security Officer can bypass all these controls

8. © 2005 Ravi Sandhu www.list.gmu.edu 8 can-modify not a typo Authority range must be encapsulated To be discussed later

9. © 2005 Ravi Sandhu www.list.gmu.edu 9 Example Role Hierarchy DSOPSO1

10. © 2005 Ravi Sandhu www.list.gmu.edu 10 Semantics of create role Specify immediate parent and child These must be within the can-modify range or be one of the endpoints of the range Immediate parent must be senior to immediate child If junior will introduce cycle If incomparable will introduce a new edge (so introduce the new edge first and then create the new role) Immediate parent and immediate child must constitute a create range (prior to creation) To be discussed later

11. © 2005 Ravi Sandhu www.list.gmu.edu 11 Semantics of delete role Deletion of a role preserves all transitive edges Deletion that causes dangling references is prohibited Prohibit deletion of roles used in can_assign, can_revoke, can_modify OR Deactivate these roles when they are deleted. Inactive roles cannot be activated in a session and new users and permissions cannot be added. Preserve permissions and users in a deleted role Only empty roles can be deleted OR Users pushed down to immediately junior roles and permissions are pushed up to immediately senior roles

12. © 2005 Ravi Sandhu www.list.gmu.edu 12 Semantics of insert edge Edges can be inserted only between incomparable roles Edge insertion must preserve encapsulation of authority ranges To be discussed

13. © 2005 Ravi Sandhu www.list.gmu.edu 13 Semantics of delete edge Edges can be deleted only if they are not transitively implied Deleting an edge preserves transitive edges Some of which will become visible in the Hasse diagram Cannot delete an edge between the endpoints of an authority range To be discussed

14. © 2005 Ravi Sandhu www.list.gmu.edu 14 Edge insertion anomaly DSOPSO1

15. © 2005 Ravi Sandhu www.list.gmu.edu 15 Edge insertion anomaly Edge insertion by PSO1 in range (E1,PL1) impacts relationship between X and Y outside the PSO1 range

16. © 2005 Ravi Sandhu www.list.gmu.edu 16 Edge insertion anomaly Let it happen Do not allow X and Y to be introduced (by DSO) Do not allow PSO1 to insert edge from QE1 to PE1

17. © 2005 Ravi Sandhu www.list.gmu.edu 17 Role Ranges typo

18. © 2005 Ravi Sandhu www.list.gmu.edu Range Definitions Rang e Create Range Encapsulated Range Authority Range

19. © 2005 Ravi Sandhu www.list.gmu.edu 19 Encapsulated Role Ranges typo

20. © 2005 Ravi Sandhu www.list.gmu.edu 20 Encapsulated Role Ranges DSOPSO1 Encapsulated (E1,PL1) (E2,PL2) (ED,DIR) (E,DIR) Non-encapsulated (E,PL1) (E,PL2) (E,E1) (E,E2)

21. © 2005 Ravi Sandhu www.list.gmu.edu 21 Encapsulated Role Ranges Encapsulated (x,y) (r2,y) (B,A) Non-encapsulated (x,y) (B,y)

22. © 2005 Ravi Sandhu www.list.gmu.edu 22 Encapsulated Role Ranges Encapsulated (r2,y) (B,A) (Non-encapsulated (x,y) (B,y)

23. © 2005 Ravi Sandhu www.list.gmu.edu 23 Create Ranges

24. © 2005 Ravi Sandhu www.list.gmu.edu 24 Create Ranges Authority ranges (B,A) (x,y) Create ranges dashed lines --- B is end point of AR immediate (y) A is end point of AR immediate (r3) A is end point of AR immediate (x) these are not create ranges

25. © 2005 Ravi Sandhu www.list.gmu.edu 25 Preserving encapsulation on edge insertion

26. © 2005 Ravi Sandhu www.list.gmu.edu 26 Preserving encapsulation on edge insertion Authority ranges (B,A) (x,y) Insertion of (y,r3) is ok but will prevent future insertion of (r3,x) Likewise insertion of (r3,x) is ok but will prevent future insertion of (y,r3)

27. © 2005 Ravi Sandhu www.list.gmu.edu 27 Edge deletion example

28. © 2005 Ravi Sandhu www.list.gmu.edu 28 Next class Read Jason Crampton and George Loizou. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages 201-231. Available in ACM digital library through GMU. and come prepared to discuss

29. © 2005 Ravi Sandhu www.list.gmu.edu 29 Assignment 1.Prove or give counterexample An authority range is always a create range? If x is an immediate child of y then (x,y) is a create range? 2.Prove or give counterexample If x is an immediate child of y then (x,y) can always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?