ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC)

Ravi Sandhu

Venkata Bhamidipati

Ed Coyne

Srinivas Ganta

Qamar Munawer

Charles Youman

2© Ravi Sandhu 1997

ARBAC97 DECENTRALIZES

user-role assignment (URA97) permission-role assignment (PRA97) role-role hierarchy

groups or user-only roles (extend URA97) abilities or permission-only roles (extend PRA97) UP-roles or user-and-permission roles (RRA97)


ADMINISTRATIVE RBAC

ROLES

USERS

PERMISSIONS

...

ADMINROLES

ADMINPERMISSIONS

CAN-MANAGE


ADMINISTRATIVE RBAC

RBAC2RBAC1

RBAC0

RBAC3

ARBAC2ARBAC1

ARBAC0

ARBAC3


EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1


EXAMPLE ADMINISTRATIVE ROLE HIERARCHY

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)


USER-ROLE ASSIGNMENTCAN-ASSIGN-USER

ARole Prereq Role Role Range

PSO1 ED [E1,PL1)

PSO2 ED [E2,PL2)

DSO ED (ED,DIR)

SSO E [ED,ED]

SSO ED (ED,DIR]


USER-ROLE ASSIGNMENT CAN-ASSIGN-USER

ARole Prereq Cond Role Range

PSO1 ED [E1,E1]

PSO1 ED & ¬ P1 [Q1,Q1]

PSO1 ED & ¬ Q1 [P1,P1]

PSO2 ED [E2,E2]

PSO2 ED & ¬ P2 [Q2,Q2]

PSO2 ED & ¬ Q2 [P2,P2]


USER-ROLE ASSIGNMENT CAN-REVOKE-USER

ARole Role Range

PSO1 [E1,PL1)

PSO2 [E2,PL2)

DSO (ED,DIR)

SSO [ED,DIR]


USER-ROLE ASSIGNMENT REVOCATION

WEAK REVOCATION revokes explicit membership only

STRONG REVOCATION revokes explicit and implicit membership revocation propagates upwards to senior

roles defined in terms of weak revoke


PERMISSION-ROLE ASSIGNMENT

dual of user-role assignment can-assign-permission

can-revoke-permission weak revoke

strong revoke (propagates down)


PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN-PERMISSION

ARole Prereq Cond Role Range

PSO1 PL1 [E1,PL1)

PSO2 PL2 [E2,PL2)

DSO E1 E2 [ED,ED]

SSO PL1 PL2 [ED,ED]

SSO ED [E,E]


PERMISSION-ROLE ASSIGNMENT CAN-REVOKE-PERMISSION

ARole Role Range

PSO1 [E1,PL1]

PSO2 [E2,PL2]

DSO (ED,DIR)

SSO [ED,DIR]


RRA97

Group rolesUsers only

UP-rolesUsers and Permissions

Ability rolesPermissions only

Extended URA97 RRA97 Extended PRA97


RRA97

OBJECTIVE Decentralization of role-role

relationships Administrative role autonomy within a

range. Encapsulation of authority Ranges.


EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1


Range Hierarchy

Range

Create Range

Encap. Range

AuthorityRange


RRA97 - Definitions

Range: (x, y) = {r : Roles | x < r < y}

Authority Range: A range referenced in can-modify relation

Junior Authority range: The range (x, y) is junior to range (x’, y’) if

( x x’ y’ y) ( x > x’ y’ > y) The range (x’, y’) is a senior range


RRA97 - Definitions

Partial Overlap of Ranges: The ranges Y and Y’ partially overlap if

Y Y’ and Y Y’ Y’ Y


RRA97 - Definitions

Encapsulated Authority Range: The authority range (x, y) is said to be

encapsulated if r1 (x, y) and r2 (x, y)

– r2 > r1 r2 > y – r2 < r1 x < r2


Encapsulated Range (x, y)

x

y

r1 r2r3

x’

y‘

r4


Non-encapsulated Range (x, y)

x

y

r1 r2r3

x’

y‘

r4


RRA97 - Definitions

Set of Authority Ranges: {x, y : roles | (x, y) is an authority range}

Immediate Authority Range of role r: The authority range (x, y) is immediate

authority range of role r (x, y) if (x’, y’) set of AR | (x’, y’) (x, y) r (x’, y’)


RRA97 - Definitions

Create Range: The range (x, y) is a create range if

(a) ARimmediate(x) = ARimmediate(y) (b) x = End point of ARimmediate(y) (c) y = End point of ARimmediate(x)

Immediate Senior roles: r1 > immediate r2 if

r’ roles r’ > r2 ( r’ r1)


Create Range

x

y

r1 r2r3

x’

y‘

r4

A

B


RRA97 - Definitions

Immediate Junior Roles: r1 < immediate r2

r’ roles r’ > r1 ( r’ < r2)

Inactive Roles: A user associated to it cannot use it. Inheritance of permissions is not

affected. Permissions and users can be revoked.


INSERT ROLE

Role is inserted one at a time. Roles can be inserted only in create

range. Create-role(r, (x, y)) inserts a role r in

create range (x, y) such that it is junior to y and senior to x.


Example: Create-role(r, (r1, r2))

x

y

rr1 r2


DELETE ROLE

Roles referred in can-assign,can-revoke and can-modify cannot be deleted.

Roles can be deleted only if they are empty.


DELETE ROLE (Continued)

RELAXATIONS: Roles referred in can-assign,can-

revoke and can-modify can be made inactive.

Role is deleted only after its permissions are assigned to immediate senior and users to immediate junior roles.


INSERTION OF AN EDGE

Implied edges are not considered. Inserted only between incomparable

roles (No Cycles) Inserted one at a time. The edge AB is inserted if

(a) ARimmediate(A) = ARimmediate(B) and (b) For a junior authority range (x, y):

(A = y B > x) or (B = x A < y) must ensure encapsulation of (x, y).


DELETION OF AN EDGE Deleted one at a time. Implied edges are no considered. The edges in transitive reduction are

candidates for deletion. Edges connecting the end points of

an authority range cannot be deleted. When edges AB is deleted then

necessary edges must be inserted to preserve implications.


System Calls

To create a role in create range Y create-role(r, Y) To delete a role r delete-role(r) To add edge AB add-edge(A, B) To delete an edge AB delete-edge(A,

B) To inactivate a role r inactivate-role

(r) To activate a role r Activate-role (r)


Strong Deletions

Strong deletion of role. Strong deletion of an edge.

Documents

ARBAC 97 (ADMINISTRATIVE RBAC)