PBDM: A Flexible Delegation Model in RBAC Xinwen Zhang, Sejong Oh George Mason University Ravi Sandhu George Mason University and NSD Security


PBDM: A Flexible Delegation Model in RBAC

Xinwen Zhang, Sejong Oh

George Mason University

Ravi Sandhu

George Mason University and NSD Security


Outline

• Motivations

• Related Works

• PBDM0: user-to-user delegation

• PBDM1: user-to-user delegation

• PBDM2: role-to-role delegation

• Conclusions and future work


Motivations

• Permission level delegations are needed in many cases:

[User - Role Assignment]

Role                        User
PL (Project Leader)         John
PE (Programming Engineer)   Tom
QE (Quality Engineer)       Smith
PJ (Project)                Jenny
PM (Production Manager)     Scott

[Permission - Role Assignment]

Role   Permission
PL     change_schedule, confirm_program
PE     req_program
QE     review_program, error_report
PJ     use_pj1_bbs
PM     check_prod_plan

Case 1. John wants to delegate only 'change_schedule' to 'Jenny'

Case 2. John wants to delegate 'change_schedule' to 'Tom' and 'confirm_program' to 'Smith'

Case 3. John wants to delegate 'change_schedule' and 'PE' to Jenny

[Role hierarchy] (figure; node labels: PL, PE, QE, PJ, E, PD, PM)


Motivations (cont’d)

• User-to-user delegations
  – John delegates some of his permissions to Jenny when he is out of town

• Role-to-role delegations
  – A professor can delegate “check-email” permission to a TA

• Multi-step delegation and revocation
  – Jenny can delegate some permissions from John to Jim


Related Works

• RBDM0:
  – E. Barka et al., NISSC 2000, ACSAC 2000
  – A delegation framework
  – User-to-user delegation
  – Role-level delegation

• RDM2000:
  – L. Zhang et al., SACMAT 2002
  – Role-level delegation
  – Multi-step delegation


PBDM0

• Permission-based Delegation Model

• A user-to-user delegation model
  – John creates a temporary delegation role D1.
  – John assigns the permission “change_schedule” to D1 with permission-role assignment and role PE to D1 with role-role assignment.
  – John assigns Jenny to D1 with user-role assignment.

[User-Role Assignment]

Role   User
PL     John
PE     Tom
QE     Smith
PJ     Jenny
PM     Scott
D1     Jenny

[Permission-Role Assignment]

Role   Permissions
PL     change_schedule, confirm_program
PE     req_program
QE     review_program, error_report
PJ     use_pj1_bbs
PM     check_prod_plan
D1     change_schedule

[Role hierarchy] (figure; labels as they appear on the slide: D1, PL, PE, QE, PJ, E, PD, PM, PJ, req_program)


PBDM0

[Figure: PBDM0 components. Users, Roles (Regular Roles, Delegation Roles), Permissions, Sessions, Constraints, Role Hierarchy; assignment relations UAR, UAD, PAR, PAD]

• RR: regular roles

• DTR: delegation roles

Controlled by security administrator:

• UAR: user-regular role assignment

• PAR: permission-regular role assignment

Controlled by individual user:

• UAD: user-delegation role assignment

• PAD: permission-delegation role assignment


PBDM0

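• $\mathit{own}(u)$: $U \to 2^{DTR}$: ownership between delegation roles and a user

• $\mathit{permissions\_d}(u)$: a function mapping a delegation role to a set of permissions

• $\mathit{permissions}^{*}(u)$: a function mapping a user to a set of delegatable permissions with UAR and UAD (when multi-step delegation is allowed).

• $dtr \in DTR,\ u \in U,\ dtr \in \mathit{own}(u)$: $\mathit{permissions\_d}(dtr) \subseteq \mathit{permissions}^{*}(u)$

• $\mathit{can\_delegate} \subseteq RR \times \mathit{Pre\_con} \times \mathit{P\_range} \times M$:
  – Pre_con: prerequisite condition
  – P_range: delegation range
  – M: maximum delegation depth

can_delegate rules (table columns on the slide: Rule, Users assigned regular role, Pre_con, P_range, M)

Rule   Users assigned regular role   P_range
1      PL                            {confirm_program}
2      PL                            {change_schedule, PE}
3      QE                            {error_report}
4      PM                            {check_prod_plan}

Pre_con values shown: PE, PJ, PD

M value shown: 1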
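The PBDM0 ownership constraint and the P_range column of can_delegate, as an added Python example that is not code from the PBDM authors: a delegation role is accepted only if its contents fall inside one rule's P_range and its expanded permissions are a subset of the owner's. The hierarchy edges (PL senior to PE and QE, both senior to PJ), the class and method names, and the reduction of can_delegate to (role, P_range) are assumptions; `revoke` follows the user-side revocation options the deck lists for PBDM1.

```python
# Added PBDM0 illustration; not code from the PBDM authors.
# ASSUMED hierarchy (senior -> juniors): the deck's hierarchy figure is lost.
JUNIORS = {"PL": {"PE", "QE"}, "PE": {"PJ"}, "QE": {"PJ"}, "PJ": set()}
PAR = {"PL": {"change_schedule", "confirm_program"}, "PE": {"req_program"},
       "QE": {"review_program", "error_report"}, "PJ": {"use_pj1_bbs"}}
UAR = {"John": {"PL"}, "Tom": {"PE"}, "Smith": {"QE"}, "Jenny": {"PJ"}}
# can_delegate rules 1-3 as (regular role, P_range); Pre_con and M omitted.
CAN_DELEGATE = [("PL", {"confirm_program"}), ("PL", {"change_schedule", "PE"}),
                ("QE", {"error_report"})]

def role_perms(role):
    """Permissions of a regular role plus those inherited from its juniors."""
    return set(PAR[role]).union(*(role_perms(j) for j in JUNIORS[role]))

def expand(items):
    """permissions_d: a delegation role may hold permissions and regular roles."""
    return set().union(*(role_perms(i) if i in PAR else {i} for i in items))

class PBDM0:
    def __init__(self):
        self.own, self.pad, self.uad = {}, {}, {}  # owner, contents, delegatees

    def perms_star(self, user):
        """permissions*(u) through UAR only, i.e. single-step delegation."""
        return set().union(*(role_perms(r) for r in UAR[user]))

    def delegate(self, owner, dtr, items, delegatee):
        items = set(items)
        ok = any(rr in UAR[owner] and items <= pr for rr, pr in CAN_DELEGATE)
        # Model constraint: permissions_d(dtr) must lie within permissions*(owner).
        ok = ok and expand(items) <= self.perms_star(owner)
        if not ok or self.own.get(dtr, owner) != owner:
            raise PermissionError(f"{owner} may not delegate {sorted(items)}")
        self.own[dtr], self.pad[dtr] = owner, items
        self.uad.setdefault(dtr, set()).add(delegatee)

    def effective(self, user):
        """Permissions from regular roles (UAR) plus delegation roles (UAD)."""
        return self.perms_star(user).union(
            *(expand(self.pad[d]) for d, m in self.uad.items() if user in m))

    def revoke(self, caller, dtr, delegatee=None, item=None):
        """Owner-side revocation: drop a delegatee, one item, or the whole role."""
        if self.own.get(dtr) != caller:
            raise PermissionError(f"{caller} does not own {dtr}")
        if delegatee or item:
            self.uad[dtr].discard(delegatee)
            self.pad[dtr].discard(item)
        else:
            del self.own[dtr], self.pad[dtr], self.uad[dtr]
```

Case 3 from the Motivations slide is `PBDM0().delegate("John", "D1", {"change_schedule", "PE"}, "Jenny")`; a request outside every P_range, such as John delegating `review_program`, raises `PermissionError` even though John holds that permission through the hierarchy.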


PBDM1

• Problems in PBDM0:
  – A user can create a delegation role at his discretion. Invalid permission flow can happen with a malicious user. The reason is that there is no security administrator involvement in delegation.
  – Cannot support role-to-role delegation, since a delegation role cannot be assigned to a regular role.

• PBDM1:
  – Extension from PBDM0
  – Permissions of a role are separated into two parts: regular and delegatable.
  – Only delegatable permissions can be used to create delegation roles.
  – User-to-user delegation


PBDM1

• RR: regular roles

• DBR: delegatable roles

• DTR: delegation roles

• One-to-one map between RR and DBR

[Figure: role layers. RR: PL, PE, QE, PJ; DBR: PL', PE', QE', PJ'; DTR: D2. A separate label req_program also appears on the slide]

PAR

RR    Permissions
PL    change_schedule
PE
QE    error_report
PJ    use_pj1_bbs

PAB

DBR   Permissions
PL'   confirm_program
PE'   req_program
QE'   review_program
PJ'

PAD

DTR   Permissions
D2    change_schedule

UA

U       Roles
John    PL, PL'
Tom     PE, PE'
Smith   QE, QE'
Jenny   PJ, PJ', D2


PBDM1

[Figure: PBDM1 components. Users, Roles R (RR, DBR, DTR), Permissions, Sessions, Constraints, Role Hierarchy; assignment relations UAR, UAB, UAD, PAR, PAB, PAD]

• $\mathit{own}(u)$: $U \to 2^{DTR}$: ownership between delegation roles and a user

• $\mathit{permissions\_d}(u)$: a function mapping a delegation role to a set of permissions

• $\mathit{permissions}^{*}(u)$: a function mapping a user to a set of delegatable permissions with UAR and UAD (when multi-step delegation is allowed).

• $dtr \in DTR,\ u \in U,\ dtr \in \mathit{own}(u)$: $\mathit{permissions\_d}(dtr) \subseteq \mathit{permissions}^{*}(u)$

• $\mathit{can\_delegate} \subseteq DBR \times \mathit{Pre\_con} \times \mathit{P\_range} \times M$:
  – Pre_con: prerequisite condition
  – P_range: delegation range
  – M: maximum delegation depth


PBDM1

• UAR, UAB, PAR, and PAB are managed by security administrator.

• UAD and PAD are managed by individual user.

• Revocation options:
  – By a user:
    • Remove a user from delegatees, that is, revoke the user-delegation role assignment.
    • Remove one or more pieces of permissions from delegation role.
    • Revoke delegation role.
  – By a security administrator:
    • Remove one or more pieces of permission from a delegatable role to its regular role.
    • Revoke a user from regular role and delegatable role.


PBDM2

• Extension from PBDM1

• A role-to-role delegation model

• A role is separated into three layers:
  – Regular role (RR): permissions cannot be delegated.
  – Fixed delegatable role (FDBR): permission can be delegated.
  – Temporal delegatable role (TDBR): inherit permissions from delegation roles with role-role assignment (RAD).

• Delegation roles (DTR) are assigned to temporal delegatable role
  – Since there is no role hierarchy with TDBR, illegal permission flow will not happen.


PBDM2

• A delegation role D3 owned by PL' and delegated to QE":
  – Create a temporary delegation role D3
  – Assign the permission “change_schedule” to D3
  – Assign role PE' to D3
  – Assign D3 to QE"

[Figure: role layers. RR: PL, PE, QE, PJ; FDBR: PL', PE', QE', PJ'; TDBR: PL", PE", QE", PJ"; delegation role D3]

PAR

RR    Permissions
PL    change_schedule
PE
QE    error_report
PJ    use_pj1_bbs

PAFB

FDBR   Permissions
PL'    confirm_program
PE'    req_program
QE'    review_program
PJ'

PAD

DTR   Permissions
D3    change_schedule, req_program

PATB

TDBR   Permissions
PL"
PE"
QE"
PJ"

Permission listed under PATB: use_pj2_bbs


PBDM2

• RR, FDBR, TDBR, DTR

• RRH, FDBRH

• UAR, UAFB, UATB

• PAR, PAFB, PADB

• RAD: delegation role-temporal delegatable role assignment

[Figure: PBDM2 components. Users, Roles R (RR, FDBR, TDBR, DTR), Permissions, Role Hierarchy; assignment relations UAR, UAFB, UATB, PAR, PAFB, PAD]

• $\mathit{own\_d}(r)$: $FDBR \to 2^{DTR}$: ownership between delegation roles and a fixed delegatable role

• $\mathit{permissions\_d}(r)$: a function mapping a delegation role to a set of permissions

• $\mathit{permissions\_t}^{*}(r)$: a function mapping a temporal delegatable role to a set of permissions with RAD (when multi-step delegation is allowed).

• $\mathit{permissions\_f}^{*}(r)$: a function mapping a fixed delegatable role to a set of permissions with PAFB and RAD

• $dtr \in DTR,\ fdbr \in FDBR,\ dtr \in \mathit{own\_d}(fdbr)$: $\mathit{permissions\_d}(dtr) \subseteq \mathit{permissions\_f}^{*}(fdbr)$

• $\mathit{can\_delegate} \subseteq FDBR \times \mathit{Pre\_con} \times \mathit{P\_range} \times M$


PBDM2

• Revocation options:
  – Remove one or more pieces of permissions from delegation role.
  – Revoke delegation role owned by a fixed delegatable role.
  – Remove one or more pieces of permission from a fixed delegatable role to its regular role.


Conclusions and Future Work

• Conclusions:
  – Present a permission-based delegation model family, PBDM0, PBDM1, and PBDM2.
  – Support user-to-user and role-to-role delegation
  – Support multi-step delegation
  – Support multi-option revocation
  – Flexible delegation administration

• Future work:
  – Constraints in RBAC delegation, such as separation of duty
  – Delegation management in decentralized environment