© 2004 ravi sandhu role-based access control prof. ravi sandhu laboratory for information security...
TRANSCRIPT
![Page 1: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/1.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Role-Based Access Control
Prof. Ravi SandhuLaboratory for Information Security Technology
George Mason University
www.list.gmu.edu
![Page 2: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/2.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Access Control Models:A perspective
![Page 3: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/3.jpg)
3
© 2004 Ravi Sandhuwww.list.gmu.edu
Access Matrix Model (Lampson 1971)
U r w
V
F
Subjects
Objects (and Subjects)
r w
G
r
rights
![Page 4: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/4.jpg)
4
© 2004 Ravi Sandhuwww.list.gmu.edu
Access Matrix Model
• Separates authentication from authorization• Rights are persistent
These items have come into question in recent times, but that is a topic for another talk.
• Separates model from implementation• Policy versus mechanism
This separation continues to be valuable and will be discussed and refined later in this talk.
![Page 5: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/5.jpg)
5
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC, DAC and RBAC
• For 25 years (1971-96) access control was divided into• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Since the early-mid 1990’s Role-Based Access Control (RBAC) has become a dominant force• RBAC subsumes MAC and DAC
• RBAC is not the “final” answer BUT is a critical piece of the “final” answer
![Page 6: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/6.jpg)
6
© 2004 Ravi Sandhuwww.list.gmu.edu
Mandatory Access Control (MAC)
TS
S
C
U
InformationFlow
Dominance
Lattice ofsecuritylabels
Rights are determined by security labels (Bell-LaPadula 1971)
![Page 7: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/7.jpg)
7
© 2004 Ravi Sandhuwww.list.gmu.edu
Mandatory Access Control (MAC)
U r w
V
F
Subjects
Objects (and Subjects)
r w
G
r
security label of F must dominate or equal security label of G
![Page 8: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/8.jpg)
8
© 2004 Ravi Sandhuwww.list.gmu.edu
Discretionary Access Control (DAC)
• The owner of a resource determines access to that resource• The owner is often the creator of the resource
• Fails to distinguish read from copy• This distinction has re-emerged recently under the
name Dissemination Control (DCON)
![Page 9: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/9.jpg)
9
© 2004 Ravi Sandhuwww.list.gmu.edu
Discretionary Access Control (DAC)
U r w
V
F
Subjects
Objects (and Subjects)
r w
G
r
![Page 10: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/10.jpg)
10
© 2004 Ravi Sandhuwww.list.gmu.edu
Discretionary Access Control (DAC)
U r wown
V
F
Subjects
Objects (and Subjects)
r wown
G
r
Rights are determined by the owners
![Page 11: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/11.jpg)
11
© 2004 Ravi Sandhuwww.list.gmu.edu
Beyond DAC and MAC
• Many attempts were made• Domain-Type enforcement (Boebert-Kain 1985)• Clark-Wilson (1987)• Chinese Walls (Brewer-Nash 1989)• Harrison-Ruzzo-Ullman (1976)• Schematic Protection Model (Sandhu 1985)• Typed Access Matrix Model (Sandhu 1992)• …………………
• RBAC solves this problem
![Page 12: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/12.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Role-Based Access Control:The RBAC96 Model
• Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, “Role-Based Access Control Models.” IEEE Computer, Volume 29, Number 2, February 1996, pages 38-47.
![Page 13: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/13.jpg)
13
© 2004 Ravi Sandhuwww.list.gmu.edu
ROLE-BASED ACCESS CONTROL (RBAC)
• A user’s permissions are determined by the user’s roles• rather than identity or clearance• roles can encode arbitrary attributes
• multi-faceted
• ranges from very simple to very sophisticated
![Page 14: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/14.jpg)
14
© 2004 Ravi Sandhuwww.list.gmu.edu
Central concept of RBAC
ROLES
USER-ROLEASSIGNMENT
PERMISSION-ROLEASSIGNMENT
USERS PERMISSIONS
![Page 15: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/15.jpg)
15
© 2004 Ravi Sandhuwww.list.gmu.edu
WHAT IS THE POLICY IN RBAC?
• RBAC is a framework to help in articulating policy
• The main point of RBAC is to facilitate security management
![Page 16: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/16.jpg)
16
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC SECURITY PRINCIPLES
• least privilege
• separation of duties
• separation of administration and access
• abstract operations
![Page 17: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/17.jpg)
17
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC96 IEEE Computer Feb. 1996
• Policy neutral
• can be configured to do MAC• roles simulate clearances (ESORICS 96)
• can be configured to do DAC• roles simulate identity (RBAC98)
![Page 18: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/18.jpg)
18
© 2004 Ravi Sandhuwww.list.gmu.edu
WHAT IS RBAC?
• multidimensional
• open ended
• ranges from simple to sophisticated
![Page 19: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/19.jpg)
19
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC CONUNDRUM
• turn on all roles all the time
• turn on one role only at a time
• turn on a user-specified subset of roles
![Page 20: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/20.jpg)
20
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC96 FAMILY OF MODELS
RBAC0BASIC RBAC
RBAC3ROLE HIERARCHIES +
CONSTRAINTS
RBAC1ROLE
HIERARCHIES
RBAC2CONSTRAINTS
![Page 21: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/21.jpg)
21
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC0
ROLES
USER-ROLEASSIGNMENT
PERMISSION-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
![Page 22: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/22.jpg)
22
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSIONS
• Primitive permissions• read, write, append, execute
• Abstract permissions• credit, debit, inquiry
![Page 23: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/23.jpg)
23
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSIONS
• System permissions• Auditor
• Object permissions• read, write, append, execute, credit, debit, inquiry
![Page 24: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/24.jpg)
24
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSIONS
• Permissions are positive
• No negative permissions or denials• negative permissions and denials can be handled
by constraints
• No duties or obligations• outside scope of access control
![Page 25: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/25.jpg)
25
© 2004 Ravi Sandhuwww.list.gmu.edu
ROLES AS POLICY
• A role brings together• a collection of users and• a collection of permissions
• These collections will vary over time• A role has significance and meaning beyond the
particular users and permissions brought together at any moment
![Page 26: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/26.jpg)
26
© 2004 Ravi Sandhuwww.list.gmu.edu
ROLES VERSUS GROUPS
• Groups are often defined as• a collection of users
• A role is• a collection of users and• a collection of permissions
• Some authors define role as • a collection of permissions
![Page 27: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/27.jpg)
27
© 2004 Ravi Sandhuwww.list.gmu.edu
USERS
• Users are• human beings or• other active agents
• Each individual should be known as exactly one user
![Page 28: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/28.jpg)
28
© 2004 Ravi Sandhuwww.list.gmu.edu
USER-ROLE ASSIGNMENT
• A user can be a member of many roles
• Each role can have many users as members
![Page 29: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/29.jpg)
29
© 2004 Ravi Sandhuwww.list.gmu.edu
SESSIONS
• A user can invoke multiple sessions
• In each session a user can invoke any subset of roles that the user is a member of
![Page 30: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/30.jpg)
30
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSION-ROLE ASSIGNMENT
• A permission can be assigned to many roles
• Each role can have many permissions
![Page 31: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/31.jpg)
31
© 2004 Ravi Sandhuwww.list.gmu.edu
MANAGEMENT OF RBAC
• Option 1:• USER-ROLE-ASSIGNMENT and
PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer
• Option 2:• Use RBAC to manage RBAC
![Page 32: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/32.jpg)
32
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC1
ROLES
USER-ROLEASSIGNMENT
PERMISSION-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
ROLE HIERARCHIES
![Page 33: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/33.jpg)
33
© 2004 Ravi Sandhuwww.list.gmu.edu
HIERARCHICAL ROLES
Health-Care Provider
Physician
Primary-CarePhysician
SpecialistPhysician
![Page 34: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/34.jpg)
34
© 2004 Ravi Sandhuwww.list.gmu.edu
HIERARCHICAL ROLES
Engineer
HardwareEngineer
SoftwareEngineer
SupervisingEngineer
![Page 35: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/35.jpg)
35
© 2004 Ravi Sandhuwww.list.gmu.edu
PRIVATE ROLES
Engineer
HardwareEngineer
SoftwareEngineer
SupervisingEngineer
HardwareEngineer’
SoftwareEngineer’
![Page 36: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/36.jpg)
36
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ROLE HIERARCHY
Employee (E)
Engineering Department (ED)
Project Lead 1(PL1)
Engineer 1(E1)
Production 1(P1)
Quality 1(Q1)
Director (DIR)
Project Lead 2(PL2)
Engineer 2(E2)
Production 2(P2)
Quality 2(Q2)
PROJECT 2PROJECT 1
![Page 37: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/37.jpg)
37
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ROLE HIERARCHY
Employee (E)
Engineering Department (ED)
Project Lead 1(PL1)
Engineer 1(E1)
Production 1(P1)
Quality 1(Q1)
Project Lead 2(PL2)
Engineer 2(E2)
Production 2(P2)
Quality 2(Q2)
PROJECT 2PROJECT 1
![Page 38: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/38.jpg)
38
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ROLE HIERARCHY
Project Lead 1(PL1)
Engineer 1(E1)
Production 1(P1)
Quality 1(Q1)
Director (DIR)
Project Lead 2(PL2)
Engineer 2(E2)
Production 2(P2)
Quality 2(Q2)
PROJECT 2PROJECT 1
![Page 39: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/39.jpg)
39
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ROLE HIERARCHY
Project Lead 1(PL1)
Engineer 1(E1)
Production 1(P1)
Quality 1(Q1)
Project Lead 2(PL2)
Engineer 2(E2)
Production 2(P2)
Quality 2(Q2)
PROJECT 2PROJECT 1
![Page 40: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/40.jpg)
40
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC3
ROLES
USER-ROLEASSIGNMENT
PERMISSIONS-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
ROLE HIERARCHIES
CONSTRAINTS
![Page 41: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/41.jpg)
41
© 2004 Ravi Sandhuwww.list.gmu.edu
CONSTRAINTS
Mutually Exclusive Roles• Static Exclusion: The same individual can never
hold both roles• Dynamic Exclusion: The same individual can
never hold both roles in the same context
![Page 42: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/42.jpg)
42
© 2004 Ravi Sandhuwww.list.gmu.edu
CONSTRAINTS
• Mutually Exclusive Permissions• Static Exclusion: The same role should never be
assigned both permissions• Dynamic Exclusion: The same role can never hold
both permissions in the same context
![Page 43: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/43.jpg)
43
© 2004 Ravi Sandhuwww.list.gmu.edu
CONSTRAINTS
• Cardinality Constraints on User-Role Assignment• At most k users can belong to the role• At least k users must belong to the role• Exactly k users must belong to the role
![Page 44: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/44.jpg)
44
© 2004 Ravi Sandhuwww.list.gmu.edu
CONSTRAINTS
• Cardinality Constraints on Permissions-Role Assignment• At most k roles can get the permission• At least k roles must get the permission• Exactly k roles must get the permission
![Page 45: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/45.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
The NIST-ANSI and (hopefully) soon-to-be ISO RBAC Standard Model
• David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli. “Proposed NIST Standard for Role-Based Access Control.” ACM Transactions on Information and System Security, Volume 4, Number 3, August 2001, pages 224-274.
![Page 46: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/46.jpg)
46
© 2004 Ravi Sandhuwww.list.gmu.edu
The NIST-ANSI-ISO RBAC Model
• Adds much needed detail and consensus agreement to the RBAC96 model and other contemporary models
• Focuses on areas where consensus agreement exists and commercial implementations have been demonstrated• Leaves many important areas for future work
• Eventual goal is much more ambitious• Test suite for conformance testing
![Page 47: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/47.jpg)
47
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC96 FAMILY OF MODELS
RBAC0BASIC RBAC
RBAC3ROLE HIERARCHIES +
CONSTRAINTS
RBAC1ROLE
HIERARCHIES
RBAC2CONSTRAINTS
![Page 48: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/48.jpg)
48
© 2004 Ravi Sandhuwww.list.gmu.edu
The NIST-ANSI-ISO RBAC Model
![Page 49: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/49.jpg)
49
© 2004 Ravi Sandhuwww.list.gmu.edu
The NIST-ANSI-ISO RBAC Model
• Additional details• Administrative Functions• Supporting System Functions• Review Functions
![Page 50: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/50.jpg)
50
© 2004 Ravi Sandhuwww.list.gmu.edu
Core RBAC
![Page 51: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/51.jpg)
51
© 2004 Ravi Sandhuwww.list.gmu.edu
Core RBAC: Administrative Functions
• AddUser• DeleteUser• AddRole• DeleteRole• AssignUser• DeassignUser• Grant-Permission• Revoke-Permission
![Page 52: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/52.jpg)
52
© 2004 Ravi Sandhuwww.list.gmu.edu
Core RBAC: Supporting System Functions
• CreateSession
• AddActiveRole
• DropActiveRole
• CheckAccess
![Page 53: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/53.jpg)
53
© 2004 Ravi Sandhuwww.list.gmu.edu
Core RBAC: Review Functions
• Required• AssignedUsers• AssignedRoles
• Optional• RolePermissions• UserPermissions• SessionRoles• SessionPermissions• RoleOperationsOnObject• SessionOperationsOnObject
Role-permission review is optional
Role-user review is required
![Page 54: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/54.jpg)
54
© 2004 Ravi Sandhuwww.list.gmu.edu
Hierarchical RBAC
![Page 55: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/55.jpg)
55
© 2004 Ravi Sandhuwww.list.gmu.edu
Limited Hierarchies
![Page 56: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/56.jpg)
56
© 2004 Ravi Sandhuwww.list.gmu.edu
Limited Hierarchies
![Page 57: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/57.jpg)
57
© 2004 Ravi Sandhuwww.list.gmu.edu
General Hierarchies
![Page 58: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/58.jpg)
58
© 2004 Ravi Sandhuwww.list.gmu.edu
Inheritance versus Activation Hierarchy
![Page 59: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/59.jpg)
59
© 2004 Ravi Sandhuwww.list.gmu.edu
Inheritance versus Activation Hierarchy
• Inheritance hierarchy• Activating Director Role also activates all junior roles (by
inheritance of permissions)• Violates least privilege
• Activation hierarchy• Activating Director Role does not activate junior roles
(there is no inheritance of permissions)• Junior roles must be explicitly activated• Preserves least privilege but is less automated
![Page 60: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/60.jpg)
60
© 2004 Ravi Sandhuwww.list.gmu.edu
Constrained RBAC: Static Separation of Duties
![Page 61: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/61.jpg)
61
© 2004 Ravi Sandhuwww.list.gmu.edu
Constrained RBAC: Dynamic Separation of Duties
![Page 62: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/62.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC and DAC in RBAC
• Sylvia Osborn, Ravi Sandhu and Qamar Munawer. “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.
![Page 63: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/63.jpg)
63
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC
H
L
M1 M2
Read Write- +
+ -
![Page 64: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/64.jpg)
64
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC in RBAC96
HR
LR
M1R M2R
LW
HW
M1W M2W
Read Write-
+
![Page 65: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/65.jpg)
65
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC in RBAC96• user xR, user has clearance x• user LW, independent of clearance• Need constraints
• session xR iff session xW• in a session exactly one read role must be activated, and this
cannot be changed• read can be assigned only to xR roles• write can be assigned only to xW roles• (O,read) assigned to xR iff• (O,write) assigned to xW
![Page 66: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/66.jpg)
66
© 2004 Ravi Sandhuwww.list.gmu.edu
DAC in RBAC96
• Construction is more complex
• Requires multiple roles for every object
• Revocation• Grant-dependent revocation is harder to handle• Grant-independent revocation is easier to handle
![Page 67: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/67.jpg)
67
© 2004 Ravi Sandhuwww.list.gmu.edu
MAC and DAC in the NIST-ANSI-ISO Model
• RBAC96 constructions use cardinality constraints in addition to Static and Dynamic separation of duties
• These constructions are not applicable to NIST-ANSI-ISO RBAC model
• Can NIST-ANSI-ISO RBAC model do MAC and DAC?• With extensions: yes
• Without extensions: probably not
![Page 68: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/68.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Administrative RBAC: ARBAC97
• Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. “The ARBAC97 Model for Role-Based Administration of Roles.” ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages 105-135.
![Page 69: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/69.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ROLE HIERARCHY
Employee (E)
Engineering Department (ED)
Project Lead 1(PL1)
Engineer 1(E1)
Production 1(P1)
Quality 1(Q1)
Director (DIR)
Project Lead 2(PL2)
Engineer 2(E2)
Production 2(P2)
Quality 2(Q2)
PROJECT 2PROJECT 1
![Page 70: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/70.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project SecurityOfficer 1 (PSO1)
Project SecurityOfficer 2 (PSO2)
![Page 71: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/71.jpg)
71
© 2004 Ravi Sandhuwww.list.gmu.edu
URA97 GRANT MODEL: can-assign
ARole Prereq Role Role Range
PSO1 ED [E1,PL1)
PSO2 ED [E2,PL2)
DSO ED (ED,DIR)
SSO E [ED,ED]
SSO ED (ED,DIR]
![Page 72: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/72.jpg)
72
© 2004 Ravi Sandhuwww.list.gmu.edu
URA97 GRANT MODEL
• “redundant” assignments to senior and junior roles• are allowed• are useful
![Page 73: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/73.jpg)
73
© 2004 Ravi Sandhuwww.list.gmu.edu
URA97 REVOKE MODEL
WEAK REVOCATION• revokes explicit membership in a role• independent of who did the assignment
![Page 74: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/74.jpg)
74
© 2004 Ravi Sandhuwww.list.gmu.edu
URA97 REVOKE MODEL
STRONG REVOCATION• revokes explicit membership in a role and its seniors• authorized only if corresponding weak revokes are
authorized• alternatives
– all-or-nothing
– revoke within range
![Page 75: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/75.jpg)
75
© 2004 Ravi Sandhuwww.list.gmu.edu
URA97 REVOKE MODEL : can-revoke
ARole Role Range
PSO1 [E1,PL1)
PSO2 [E2,PL2)
DSO (ED,DIR)
SSO [ED,DIR]
![Page 76: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/76.jpg)
76
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSION-ROLE ASSIGNMENT
• dual of user-role assignment• can-assign-permission• can-revoke-permission• weak revoke• strong revoke (propagates down)
![Page 77: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/77.jpg)
77
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN-PERMISSION
ARole Prereq Cond Role Range
PSO1 PL1 [E1,PL1)
PSO2 PL2 [E2,PL2)
DSO E1 E2 [ED,ED]
SSO PL1 PL2 [ED,ED]
SSO ED [E,E]
![Page 78: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/78.jpg)
78
© 2004 Ravi Sandhuwww.list.gmu.edu
PERMISSION-ROLE ASSIGNMENT CAN-REVOKE-PERMISSION
ARole Role Range
PSO1 [E1,PL1]
PSO2 [E2,PL2]
DSO (ED,DIR)
SSO [ED,DIR]
![Page 79: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/79.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
OM-AM and RBAC
![Page 80: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/80.jpg)
80
© 2004 Ravi Sandhuwww.list.gmu.edu
THE OM-AM WAY
Objectives
Model
Architecture
Mechanism
What?
How?
Assurance
![Page 81: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/81.jpg)
81
© 2004 Ravi Sandhuwww.list.gmu.edu
LAYERS AND LAYERS
• Multics rings• Layered abstractions• Waterfall model• Network protocol stacks• Napolean layers• RoFi layers• OM-AM• etcetera
![Page 82: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/82.jpg)
82
© 2004 Ravi Sandhuwww.list.gmu.edu
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
What?
How?
No information leakage
Lattices (Bell-LaPadula)
Security kernel
Security labels
Assurance
![Page 83: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/83.jpg)
83
© 2004 Ravi Sandhuwww.list.gmu.edu
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
What?
How?
Owner-based discretion
numerous
numerous
ACLs, Capabilities, etc
Assurance
![Page 84: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/84.jpg)
84
© 2004 Ravi Sandhuwww.list.gmu.edu
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
What?
How?
Objective neutral
RBAC96, ARBAC97, etc.
user-pull, server-pull, etc.
certificates, tickets, PACs, etc.
Assurance
![Page 85: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/85.jpg)
85
© 2004 Ravi Sandhuwww.list.gmu.edu
Server-Pull Architecture
Client Server
User-roleAuthorization
Server
![Page 86: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/86.jpg)
86
© 2004 Ravi Sandhuwww.list.gmu.edu
User-Pull Architecture
Client Server
User-roleAuthorization
Server
![Page 87: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/87.jpg)
87
© 2004 Ravi Sandhuwww.list.gmu.edu
Proxy-Based Architecture
Client ServerProxyServer
User-roleAuthorization
Server
![Page 88: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/88.jpg)
88
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC Mechanisms
• RBAC can be implemented using• Secure cookies: user-pull architecture• X.509 certificates: user-pull or server-pull
architectures
![Page 89: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/89.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Other RBAC Research and Results
![Page 90: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/90.jpg)
90
© 2004 Ravi Sandhuwww.list.gmu.edu
RBAC Research (dates are approximate)
• The early NIST model: Ferraiolo et al 1992 onwards• Role-Graph Model: Osborn et al 1994 onwards• OASIS model and architecture: Moody et al 1994 onwards• Trust Management: Herzberg, Li, Winsborough, et al 1996 onwards• Temporal RBAC: Bertino et al 1998 onwards• Constraint languages: Ahn and Sandhu, 2000• Delegation in RBAC: Barka, Sandhu, Ahn et al 2000 onwards• RBAC and workflow systems: Atluri, Sandhu, Ahn, Park et al 1998 onwards• RBAC administration: Kern, Sandhu, Oh, Moffett et al 1998 onwards• RBAC engineering: Thomsen, Kern, Epstein, Sandhu et al 2000 onwards• Context-aware RBAC: Covington et al, 2000 onwards• Rule-based RBAC: Al-Khatani and Sandhu, 2002 onwards• ………………….
![Page 91: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/91.jpg)
© 2004 Ravi Sandhuwww.list.gmu.edu
Ongoing and Future Work in RBAC
![Page 92: © 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University](https://reader033.vdocuments.net/reader033/viewer/2022061306/5514638b550346414e8b5a4c/html5/thumbnails/92.jpg)
92
© 2004 Ravi Sandhuwww.list.gmu.edu
Research Challenges
• Automated RBAC• RBAC engineering• Formal models for RBAC• Analysis of RBAC policies• Integration with attribute-based access control• RBAC in pervasive and ad hoc environments• Cross-domain RBAC• ………….