Future Directions in Role-Based Access Control Models
Ravi Sandhu
Co-Founder and Chief Scientist
SingleSignOn.Net
&
Professor of Information Technology and Engineering
George Mason University
© Ravi Sandhu 2001
ACCESS CONTROL
- Also called
  - Authorization
  - Entitlement
- Different from Authentication
- Typically requires authentication as a prerequisite
AUTHORIZATION, TRUST AND RISK
- Information security is fundamentally about managing authorization and trust so as to manage risk
- We don’t know how to do this
ACCESS CONTROL PRINCIPLES
- Least privilege
- Separation of duties
- Abstract permissions
- Decentralized administration
- Keep it simple stupid (KISS)
ACCESS CONTROL MODELS
- RBAC: Role-based access control
- DAC: Discretionary access control
- MAC: Mandatory access control
ACCESS CONTROL MODELS
- RBAC: Role-based, policy configured
- DAC: Identity based, owner controlled
- MAC: Lattice based, policy controlled
WHY DO WE NEED MODELS
- Separate the questions of
  - What
  - How
- Provide a framework for managing complexity
  - Complex authorization
  - Simple authorization
- Allow us to guarantee and understand policy
  - Prove safety theorems
  - Capture policy in constraints
WHY DO WE NEED MODELS
Objectives
Model
Architecture
Mechanism
What?
How?
Assurance
ADMINISTRATIVE RBAC
ROLES
USERS
PERMISSIONS
...
ADMIN ROLES
ADMIN PERMISSIONS
EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy. Roles shown: Employee (E); Engineering Department (ED); Director (DIR); PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1); PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)]
EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy without the Director role. Roles shown: Employee (E); Engineering Department (ED); PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1); PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)]
EXAMPLE ROLE HIERARCHY
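[Diagram: role hierarchy without the Employee and Engineering Department roles. Roles shown: Director (DIR); PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1); PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)]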
EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy with project roles only. Roles shown: PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1); PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)]
ACCESS-CONTROL ARCHITECTURE: SERVER-PULL
[Diagram components: Client, Server, Authorization Server, Authentication Server]
ACCESS-CONTROL ARCHITECTURE: USER-PULL
[Diagram components: Client, Server, Authorization Server, Authentication Server]
ACCESS-CONTROL ARCHITECTURE: PROXY-BASED
[Diagram components: Client, Server, Proxy, Authentication Server, Authorization Server]
ACCESS-CONTROL MECHANISM: SECURE COOKIES IN USER-PULL ARCHITECTURE
ACCESS-CONTROL MECHANISM: X.509 CERTIFICATES
- X.509 certificates can be used in
  - User-pull architecture
  - Server-pull architecture
- Secure cookies inherently user pull
COMPLEX VERSUS SIMPLE AUTHORIZATION
- Complex authorization
  - Many roles: hundreds, thousands
  - Dynamic policy and complex administration
- Simple authorization
  - Few roles: tens
  - Static policy and simple administration
COMPLEX AUTHORIZATION
[Diagram: role hierarchy. Roles shown: Employee (E); Engineering Department (ED); Director (DIR); PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1); PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)]
COMPLEX AUTHORIZATION
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)
SIMPLE AUTHORIZATION
External User
Internal User
Senior Administrator
Junior Administrator
COMPLEX AUTHORIZATION VERSUS COMPLEX PERMISSIONS
A consumer has access to only his own account and to no other account
A branch manager has access to accounts of customers at his branch but no accounts at any other branch
RBAC POLICY
- Policy in RBAC is determined by
  - Hierarchies
  - Constraints
- MAC and DAC can be configured in RBAC by suitable design of hierarchies and constraints
ROLE-CENTRIC SEPARATION OF DUTIES
Static SOD: Conflicting roles cannot have common users
$U = \{u_1, u_2, \ldots, u_n\}$, $R = \{r_1, r_2, \ldots, r_n\}$,
$CR = \{cr_1, cr_2\}$ : $cr_1 = \{r_1, r_2, r_3\}$, $cr_2 = \{r_a, r_b, r_c\}$
$|roles(OE(U)) \cap OE(CR)| \le 1$
PERMISSION-CENTRIC SEPARATION OF DUTIES
SSOD-CP: $|permissions(roles(OE(U))) \cap OE(CP)| \le 1$
Variations of SSOD-CP
SSOD-CP: $|permissions(OE(R)) \cap OE(CP)| \le 1$
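An added example (not from the slides) of the role-centric and permission-centric static SOD constraints above. It assumes OE(X) means "any one element of X", so each bound must hold for every user, role and conflict set, and that the bound is at most one element in the intersection. All names in the sample policy are constructed; the policy includes a user who passes the role-centric check yet holds two conflicting permissions through a role that no conflict set names.

```python
# Added example: static separation-of-duty checks over a constructed policy.
# All user, role and permission names below are illustrative, not from the slides.
UA = {  # user -> directly assigned roles
    "alice": {"purchasing_clerk"},
    "bob": {"purchasing_clerk", "approver"},
    "dave": {"purchasing_clerk", "team_lead"},
}
PA = {  # role -> permissions
    "purchasing_clerk": {"prepare_order"},
    "approver": {"approve_order"},
    "team_lead": {"approve_order", "assign_task"},
    "office_manager": {"prepare_order", "approve_order"},  # assigned to nobody
}
CR = [{"purchasing_clerk", "approver"}]    # conflicting role sets
CP = [{"prepare_order", "approve_order"}]  # conflicting permission sets


def permissions(roles, pa):
    """Union of the permissions carried by a set of roles."""
    return set().union(*(pa.get(r, set()) for r in roles))


def _overlaps(items, conflict_sets):
    """Yield (name, overlap) wherever |held ∩ conflict_set| > 1."""
    for name, held in items:
        for conflict in conflict_sets:
            overlap = held & conflict
            if len(overlap) > 1:
                yield name, tuple(sorted(overlap))


def ssod_cr_violations(ua, cr_sets):
    """Role-centric SSOD: |roles(u) ∩ cr| <= 1 for every user and conflict set."""
    return sorted(_overlaps(ua.items(), cr_sets))


def ssod_cp_violations(ua, pa, cp_sets):
    """SSOD-CP: |permissions(roles(u)) ∩ cp| <= 1 for every user."""
    held = ((u, permissions(roles, pa)) for u, roles in ua.items())
    return sorted(_overlaps(held, cp_sets))


def role_cp_violations(pa, cp_sets):
    """Variation: |permissions(r) ∩ cp| <= 1 for every single role."""
    return sorted(_overlaps(pa.items(), cp_sets))


if __name__ == "__main__":
    print("role-centric:", ssod_cr_violations(UA, CR))
    print("permission-centric:", ssod_cp_violations(UA, PA, CP))
    print("per-role:", role_cp_violations(PA, CP))
```

The per-role variation flags a badly designed role before it is ever assigned, which the two user-quantified checks cannot do.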
CONSTRAINTS CHARACTERIZATION
CONSTRAINTS
PROHIBITION OBLIGATION
SIMPLE PROHIBITION CONSTRAINTS
Type 1 expr 1
Type 2 expr or expr 0
Type 3 expr1expr2
SIMPLE OBLIGATION CONSTRAINTS
Type 1 expr 0 or expr 0
Type 2 Set X Set Y
Type 3 obligation constraints obligation constraints
Type 4 expr 1
expr 1 expr 1 expr 0
LOOKING AHEAD
Do we need more models or should we focus on understanding how to make better use of existing models?
How do we know we have a good model?
LOOKING AHEAD
Engineering systems with complex authorizations
Deeper understanding of simple constraints and policy that can serve as building blocks
How to implement a model with different trust and performance tradeoffs