7/29/2019 lecture01-2

1/20

INFS 767 Fall 2003

The RBAC96 Model

Prof. Ravi Sandhu

George Mason University

2 Ravi Sandhu

AUTHORIZATION, TRUST AND RISK

v Information security is fundamentallyabout managing

authorization and

trustso as to manage risk

7/29/2019 lecture01-2

2/20

3 Ravi Sandhu

SOLUTIONS

vOM-AM

vRBAC

vPKI

v and others

4 Ravi Sandhu

THE OM-AM WAY

Objectives

Model

Architecture

Mechanism

What?

How?

A

s

s

u

ra

n

c

e

7/29/2019 lecture01-2

3/20

5 Ravi Sandhu

LAYERS AND LAYERS

vMultics rings

vLayered abstractions

vWaterfall model

vNetwork protocol stacks

vOM-AM

6 Ravi Sandhu

OM-AM AND MANDATORY ACCESSCONTROL (MAC)

What?

How?

No information leakage

Lattices (Bell-LaPadula)

Security kernel

Security labels

A

s

s

u

ra

n

c

e

7/29/2019 lecture01-2

4/20

7 Ravi Sandhu

OM-AM AND DISCRETIONARY

ACCESS CONTROL (DAC)

What?

How?

Owner-based discretion

numerous

numerous

ACLs, Capabilities, etc

A

s

s

u

r

a

nc

e

8 Ravi Sandhu

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutral

RBAC96

user-pull, server-pull, etc.

certificates, tickets, PACs, etc.

A

s

s

u

ra

n

c

e

7/29/2019 lecture01-2

5/20

9 Ravi Sandhu

ROLE-BASED ACCESS

CONTROL (RBAC)

vA users permissions are determinedby the users roles

rather than identity or clearance

roles can encode arbitrary attributes

vmulti-faceted

v

ranges from very simple to verysophisticated

10 Ravi Sandhu

WHAT IS THE POLICY IN RBAC?

vRBAC is a framework to help inarticulating policy

vThe main point of RBAC is to

facilitate security management

7/29/2019 lecture01-2

6/20

11 Ravi Sandhu

RBAC SECURITY

PRINCIPLES

v least privilege

v separation of duties

v separation of administration andaccess

v abstract operations

12 Ravi Sandhu

RBAC96IEEE Computer Feb. 1996

vPolicy neutral

v can be configured to do MAC

roles simulate clearances (ESORICS 96)

v can be configured to do DAC roles simulate identity (RBAC98)

7/29/2019 lecture01-2

7/20

13 Ravi Sandhu

WHAT IS RBAC?

vmultidimensional

vopen ended

v ranges from simple to sophisticated

14 Ravi Sandhu

RBAC CONUNDRUM

v turn on all roles all the time

v turn on one role only at a time

v turn on a user-specified subset of

roles

7/29/2019 lecture01-2

8/20

15 Ravi Sandhu

RBAC96 FAMILY OF

MODELS

RBAC0BASIC RBAC

RBAC3ROLE HIERARCHIES +

CONSTRAINTS

RBAC1ROLE

HIERARCHIES

RBAC2CONSTRAINTS

16 Ravi Sandhu

RBAC0

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

7/29/2019 lecture01-2

9/20

17 Ravi Sandhu

PERMISSIONS

vPrimitive permissions

read, write, append, execute

vAbstract permissions

credit, debit, inquiry

18 Ravi Sandhu

PERMISSIONS

vSystem permissions

Auditor

vObject permissions

read, write, append, execute, credit,debit, inquiry

7/29/2019 lecture01-2

10/20

19 Ravi Sandhu

PERMISSIONS

vPermissions are positive

vNo negative permissions or denials

negative permissions and denials canbe handled by constraints

vNo duties or obligations

outside scope of access control

20 Ravi Sandhu

ROLES AS POLICY

vA role brings together

a collection of users and

a collection of permissions

vThese collections will vary over timeA role has significance and meaning

beyond the particular users andpermissions brought together at anymoment

7/29/2019 lecture01-2

11/20

21 Ravi Sandhu

ROLES VERSUS GROUPS

vGroups are often defined as

a collection of users

vA role is

a collection of users and

a collection of permissions

vSome authors define role as a collection of permissions

22 Ravi Sandhu

USERS

vUsers are

human beings or

other active agents

vEach individual should be known asexactly one user

7/29/2019 lecture01-2

12/20

23 Ravi Sandhu

USER-ROLE ASSIGNMENT

vA user can be a member of manyroles

vEach role can have many users asmembers

24 Ravi Sandhu

SESSIONS

vA user can invoke multiple sessions

v In each session a user can invokeany subset of roles that the user is a

member of

7/29/2019 lecture01-2

13/20

25 Ravi Sandhu

PERMISSION-ROLE ASSIGNMENT

vA permission can be assigned tomany roles

vEach role can have manypermissions

26 Ravi Sandhu

MANAGEMENT OF RBAC

vOption 1:

USER-ROLE-ASSIGNMENT andPERMISSION-ROLE ASSIGNMENT

can be changed only by the chiefsecurity officer

vOption 2:

Use RBAC to manage RBAC

7/29/2019 lecture01-2

14/20

27 Ravi Sandhu

RBAC1

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

28 Ravi Sandhu

HIERARCHICAL ROLES

Health-Care Provider

Physician

Primary-CarePhysician

SpecialistPhysician

7/29/2019 lecture01-2

15/20

29 Ravi Sandhu

HIERARCHICAL ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

30 Ravi Sandhu

PRIVATE ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

HardwareEngineer

SoftwareEngineer

7/29/2019 lecture01-2

16/20

31 Ravi Sandhu

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1

(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2

(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

32 Ravi Sandhu

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

7/29/2019 lecture01-2

17/20

33 Ravi Sandhu

EXAMPLE ROLE HIERARCHY

Project Lead 1

(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2

(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

34 Ravi Sandhu

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

7/29/2019 lecture01-2

18/20

35 Ravi Sandhu

RBAC3

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

36 Ravi Sandhu

CONSTRAINTS

vMutually Exclusive Roles

Static Exclusion: The same individualcan never hold both roles

Dynamic Exclusion: The sameindividual can never hold both roles inthe same context

7/29/2019 lecture01-2

19/20

37 Ravi Sandhu

CONSTRAINTS

vMutually Exclusive Permissions

Static Exclusion: The same role shouldnever be assigned both permissions

Dynamic Exclusion: The same role cannever hold both permissions in thesame context

38 Ravi Sandhu

CONSTRAINTS

vCardinality Constraints on User-RoleAssignment

At most k users can belong to the role

At least k users must belong to the role Exactly k users must belong to the role

7/29/2019 lecture01-2

20/20

39 Ravi Sandhu

CONSTRAINTS

vCardinality Constraints onPermissions-Role Assignment

At most k roles can get the permission

At least k roles must get the permission

Exactly k roles must get the permission