Modeling The Cross-organizational User Access Control Decision Space To Facilitate Secure Information Sharing DHS Science & Technology Directorate Command, Control and Interoperability Branch

Post on 21-Dec-2015


Page 1: Title

Modeling The Cross-organizational User Access Control Decision Space To Facilitate Secure Information Sharing

DHS Science & Technology Directorate, Command, Control and Interoperability Branch

Page 2: Problem?

Page 3: Problem?

Page 4: Problem?

Page 5: What is needed: Share Information

Page 6: Compliant with IA & Sharing Policy

Page 7: Analysis

Page 8: Policy?

Page 9: Policy?

Page 10: Policy Compliance?

Page 11: Modeling The Cross-organizational User Access Control Decision Space To Facilitate Secure Information Sharing DHS Science & Technology Directorate Command,

Gerry Gebel, M. N. (2009). User Authorization. Burton Group: Identity and Privacy Strategy

Identity-BasedBasic Authorization

Declarative access by subject

Role-BasedCoarse-grained Authorization

Declarative access by category

Attribute-BasedFine-grained Authorization

Dynamic accessExternalized policy

Access Control

11

Ensuring that requested actions on resource are only granted in compliance with applicable policy

Adaptability

Page 12: Access Control Essentials

• Policy
• Authoritative Sources
• Attribute Alignment
• Access Control

Page 13: Why Concept Modeling? Captures Information Requirements; Problem Specific & Technology-neutral

Page 14: Why Concept Modeling? Semantic Alignment; Identifies Business Terms; Establishes Semantic Consensus

Page 15: Why Concept Modeling? Framework; Conceptual Foundation

Page 16: Why Concept Modeling? Agility; Baselines Technology Insertion

Page 17: What is a Federal User? Desired View

Page 18: What is a Federal User? Current View / Desired View

Page 19: What is a Federal User? Current View / Desired View

Page 20: ICAM User Concept Model

Entities and their attributes, as recoverable from the diagram:

• Person: person unique identifier, biometrics, names, birthdate, birthplace
• Citizenship: country identifier
• Identity Credential: credential unique identifier, credential secret, credential name, credential issue date, credential expire date, credential status, credential status date, credential LOA
• Organization: organization unique identifier, relationship to US government, organization names
• Affiliation: person association with organization, person unique affiliation identifier
• Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date
• Position: position type, occupation
• Position Entitlement: pos entitle identifier, pos entitle permission, pos entitle start date, pos entitle end date, pos entitle status, pos entitle status date
• Assignment: role
• Assignment Condition: assign cond type, assign cond start date, assign cond end date, assign cond status, assign cond status date
• Assignment Entitlement: assign entitle identifier, assign entitle permission, assign entitle start date, assign entitle end date, assign entitle status, assign entitle status date
• Management: level
• Skill: skill identifier, skill level
• Skill Certificate: certificate unique identifier, certificate type, certificate name, certificate issue date, certificate expire date, certificate status, certificate status date, certificate LOA, certification level
• Technical Domain: technical domain identifier
• Operational Domain: operational domain identifier
• Activity: activity identifier, function

Relationship labels in the diagram (their endpoints are not recoverable from the extraction): be a member of / composed of; be a subgroup of / group; identify / be identified by; issue / be issued by; certify / be certified by; need / be needed by; grant / be granted by; manage / be managed by; administer / be administered by.

Pages 21 to 26: ICAM User Concept Model (the page 20 diagram, repeated on each of these slides)

Page 27: Primary Authority Attributes for Users

* DHS, Defining User Attributes for ABAC, Waterman & Hammer, 5/15/07

Page 28: User Attribute Contract Mappings

• Reveal
  • Concept utilization and specialization
  • Policy focus
  • Unused concepts
  • Purpose (AuthN, AuthZ, Security, Preference) coverage
• Contract
  • Organization and partner
  • Alignment
  • Discrepancies
• Support
  • Federation agreements
  • Semantic consensus
  • Policy analysis and development
  • Identify authoritative source requirements

Page 29: Waterman & Hammer Mapping (DRAFT)

The ICAM User Concept Model diagram overlaid with the Waterman & Hammer user attributes. Legend: Mapped Primary, Mapped Secondary, Specialized, Added.

Waterman & Hammer terms shown against the model: Person (Personal Characteristics, Unique identifier), Employee, Employer (Employer Type, Employer Name), Employment Type, Employment Activity, Employment Related Authority, Employee / Other Group Membership, Sub-group, Direct Reports, Management Level, Job Name / Job Designation, Special Authority, Special License, Special Work Term, Work Assignment, Authorized Purpose, Physical Location, Location Type, Clearance / Active Clearance. The remaining entities and attributes are those of the base model on page 20.

Page 30: Waterman & Hammer Values (DRAFT)

The page 29 mapping annotated with example values (an additional "be utilized by" relationship also appears). Example values shown: Employee, Contractor, Detail; Permanent, Temporary, Virtual; Rater/Reviewer, Sworn Law Enforcement Officer; Drive hazardous materials truck, prescribe narcotics; Probation, Disciplined, Weekend Shift; Veteran, Volunteer, Advisory Board Member; OPM Occupational Series; Supervisor, Program Lead, Senior Executive, Team Leader, Military Rank; State Government, Local Government, Private industry, Foreign Government; Perform arrests, conduct criminal investigations, system admin; Al Qaeda, Mexican Border, Enron Investigation, etc.

Page 31: Federal ICAM BAE Mapping (DRAFT)

The concept model with Federal ICAM Backend Attribute Exchange (BAE) attribute names mapped onto it. Legend: Mapped, Specialized, Preference.

• Person: person unique identifier, photo, fingerprintImage, personGivenName, personMiddleName, personSurname, personNameSuffixText, personSexCode, birthdate, birthplace
• Citizenship: usCitizen, personCitizenshipFIPS10-4Code
• Organization: organizationIdentifier (F-OI), organizationCategory (F-OC), organization name
• Affiliation: personOrganizationAssociationCategory (FASC-N POA)
• Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date
• Position: esfCode (in place of position type), occupation
• Assignment: role; Assignment Condition and Assignment Entitlement as in the base model
• Management: level
• Skill: skill identifier, skill level
• Skill Certificate: certificate unique identifier, certificationType, certificationName, certificationDate, certificate expire date, certificate status, certificate status date, certificate LOA, certification level
• Technical Domain: technical domain identifier; Operational Domain: nippSectorCode
• Identity Credential: credential unique identifier, credential secret, credential name, credential issue date, credential expire date, credential status, credential status date, credential LOA
• PIV Card (specialization of Identity Credential): chuid, cardIssueDate, cardExpirationDate, cardStatus, cardStatusDate, chuidStatus, chuidStatusDate, issuedID (FASC-N CN), IssuingSystemCode (FASC-N SC), issuedSeries (FASC-N CS), issuedCredentialCode (FASC-N ICI), cardAuthenticationCertificate, keyManagementCertificate, digitalSignatureCertificate
• Clearance: personSecurityClearance, clearanceDate
• Emergency Contact Preference: emergencyContactPersonGivenName, emergencyContactPersonSurname, emergencyContactPersonTelephoneNumber, emergencyContactPersonEmail, emergencyContactPersonPreferenceIndicator
• Contact Preference: telephoneNumber

Further mapped attributes whose entity placement is not recoverable from the extraction: employeeNumber (FASC-N PI), employeeRankText, designatedRole, clearingAgency, certifyingauthority, issuingAgencyCode (FASC-N AC).

Page 32: Federal ICAM BAE Values (DRAFT)

The page 31 mapping annotated with the coded value sets:

• organizationCategory (F-OC): 1 Federal Government Agency; 2 State Government Agency; 3 Commercial Enterprise; 4 Foreign Government
• organizationIdentifier (F-OI), by organization category: OC=1 SP800-87 Code; OC=2 State Code; OC=3 Company Code; OC=4 Country Code
• SP800-87 Code (if FASC-N OC = 1)
• personOrganizationAssociationCategory (FASC-N POA): 1 Employee; 2 Civil; 3 Executive Staff; 4 Uniformed Service; 5 Contractor; 6 Organizational Affiliate; 7 Organizational Beneficiary
• Status codes: ACT Active; SUS Suspended; TER Terminated
• PRO Provisional; PER Permanent
• nippSectorCode (NIPP critical infrastructure sectors): 1 Agriculture & Food; 2 Banking & Finance; 3 Chemical; 4 Commercial Facilities; 5 Dams; 6 Defense Industrial Base; 7 Emergency Services; 8 Energy; 9 Government Facilities; 10 Information Technology; 11 National Monuments & Icons; 12 Commercial Nuclear Reactors, Materials & Waste; 13 Postal & Shipping; 14 Public Health & Healthcare; 15 Telecommunications; 16 Transportation Systems; 17 Drinking Water & Water Treatment Systems; 18 Critical Manufacturing
• esfCode (Emergency Support Functions): 1 Transportation; 2 Communications; 3 Public Works & Engineering; 4 Firefighting; 5 Emergency Management; 6 Mass Care, Emergency Housing & Human Services; 7 Logistics Management and Resource Support; 8 Public Health & Medical Services; 9 Search & Rescue; 10 Oil & Hazardous Materials Response; 11 Agriculture & Natural Resources; 12 Energy; 13 Public Safety & Security; 14 Long-Term Community Recovery; 15 External Affairs

Page 33: DHS HSIN Mapping (DRAFT)

The concept model with DHS Homeland Security Information Network (HSIN) attribute names mapped onto it. Legend: Mapped, Specialized, Preference.

• Person: person unique identifier, Biometrics, personalTitle, givenName, middleName, sn, cn, nameSuffix, birthDate, birthplace, gender
• Citizenship: country identifier
• Contact Information: telephoneNumber, phoneExtension, street1, Street2, Street3, email, localityName, StateOrProvinceName, postalCode, couserUrl, preferedTimeZone
• HSIN Credential (Identity Credential): uid/login name, userPassword, uniquePin, loginSecurityQues, answerSecurityQues, twoFactorModule, investigativeSource; credential attributes of the base model also shown
• Organization: organization unique identifier, relationship to US government, name; agencyOrOrganizationName; departmentName; sponsorOrg
• Affiliation: person association with organization, person unique affiliation identifier
• Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date
• Position: job title, occupation
• Assignment: jobRole; accessReason
• Assignment Condition: applicantOrgRoleFitCoi (in place of assign cond type), assign cond start date, assign cond end date, assign cond status, assign cond status date
• Assignment Entitlement: assign entitle identifier, HSIN Access (in place of assign entitle permission), assign entitle start date, assign entitle end date, userActiveStatus (in place of assign entitle status), assign entitle status date
• Management: level; Supervisor / Sponsor
• Technical Domain: technical domain identifier; Activity: gid, function
• Operational Domain: operational domain identifier
• Skill, Skill Certificate, Position Entitlement: as in the base model
• Group membership: hsinCoiGroup, coiMmemberOf, coiUserGroupRef
• apps, referenced app

[Diagram, slide 34 (DRAFT): DOD DMDC EAS Mapping. Concept-model entities shown: Person, Identity Credential, Organization, Affiliation, Affiliation Condition, Management, Assignment, Assignment Condition, Assignment Entitlement, Position, Position Entitlement, Skill, Skill Certificate, Citizenship, Technical Domain, Activity, Operational Domain, Key Mapped Specialized. Relationships: be a member of / composed of, grant / be granted by, manage / be managed by, certify / be certified by, be issued by, identify / be identified by, need / be needed by, be administered by. Standard attribute groups (identifier, type, start/end or issue/expire date, status, status date, LOA) as in the common model.]
DMDC attributes mapped onto the model: Duty Organization Code, Duty Organization Sub-Code, Administrative Organization Code, Guard\Reserve Status Code, DOD EDI PI / Enterprise User Name, Enterprise Display Name, Assigned Clearance For Access, Clearance Eligibility, Duty Occupational Code, Primary Occupational Code, Persona Type Code / Personnel Category Code, Rank, Pay Plan, Pay Grade, Country Of Citizenship, US Citizenship Status Indicator Code.
Person: person unique identifier, Biometrics, SSN (PN_ID), Person Last Name, Person First Name, Person Birth Date, birthplace.
Organization: OMP Standard Code, relationship to US government, name. Activity: activity identifier, function.
Identity Credential (CAC/PIV): card authentication certificate, card barcode id, credentialTypeCode, fingerprint image, FASC-N, issuingAgencyCode (FASC-N AC).

[Diagram, slide 35 (DRAFT): DHS F/ERO Mapping. Concept-model entities shown: Person, Id_Credential, Organization, Affiliation, Affiliation Condition, Management, Assignment, Assignment Condition, Assignment Entitlement, Position, Position Entitlement, Skill, Skill Certificate, Citizenship, Technical Domain, Activity, Operational Domain, Key Mapped Specialized. Relationships: be a member of / composed of, be a subgroup of, grant / be granted by, manage / be managed by, certify / be certified by, administer / be administered by, be issued by, identify / be identified by, need / be needed by. Standard attribute groups (identifier, type, start/end or issue/expire date, status, status date, LOA) as in the common model.]
F/ERO attributes mapped onto the model: issuer_id, esfCode, nippSectorCode, role, position type occupation, level.
Id_Credential: serial number, credential secret, credential name (DN, FASC-N card id), create_time, expiration, status, credential status date, credential LOA.
Affiliation: person association with organization, name (FASC-N person id). Person: person unique identifier, Fingerprint, Full name, birthdate, birthplace. Organization: organization unique identifier, relationship to US government, organization names. Citizenship: country identifier.

[Diagram, slide 36 (DRAFT): GFIPM V2 Concept Model. Entities shown: Person, Electronic Identity, Organization Category Code, Affiliation, Affiliation Condition, Employer / Assignment / Identity Provider*, Employee / Assignment*, Supervisor*, Hire / Start, Assignment, Assignment Condition, Assignment Entitlement, Position Entitlement, Skill Certificate, Language, Citizenship, Citizen Entry, Non-citizen Entry, Technical Domain, Operational Domain, Activity, Driver's License, Federation Resources, Local Resources, Security Clearance Granting Agency, NCIC Certification, Point of Contact, Emergency Contact Information, Legal Jurisdiction, Employment Jurisdiction, Key Mapped Specialized Preference. Relationships: be a member of / composed of, be a subgroup of, certify / be certified by, need / be needed by, grant, manage / be managed by, be administered by, issue / be issued by, identify / be identified by, represent / be represented by. Standard attribute groups (identifier, type, start/end or issue/expire date, status, status date, LOA) as in the common model.]
GFIPM attributes mapped onto the model: Management Level; Position Name; Rank; Occupation Code; Affiliation Category Code; Occupation Category Code; NIPP Sector Code; Military Status Code; Employment Category Code; Organization Category Code; Emergency Support Function; skill identifier, primary.
Person: person unique identifier, Photo, Signature, Fingerprint Set, Name Prefix, Given Name, Middle Name, Sur Name, Name Suffix, Full Name, Common Name, Display Name, Birth date, Sex, Race, Height, Weight, Eye Color, Hair Color.
Electronic Identity identifiers: Federation Id (federation logon, GFIPM:IDP:JNET:USER), Local Id (Network logon, Employer – local), Social Security Number (Social Security Administration), Visa Number and Visa Category (Non-citizen Entry), Passport Id and Country Code (Citizen Entry, U.S. Government – passport), Driver's license Number (State Government – driver license), Employee Id; other identity sources: NCIC, Military Branch.
Credential: credential unique identifier, Effective Date, Expiration Date, Status Code, Proofing Date, Authentication LOA, Proofing LOA, Category, PKI Certificate.
Clearance: Level, Effective Date, Expiration Date, Sanction. Organization: ORI; Id; General Category Code; Name; Sub Unit Name.
Contact Information: Telephone Number, FAX Number, Post Office Box, Street Address, City Name, State Code, County Code, Country Code, Postal Code, Time Zone, Email address. Emergency Contact Information: Telephone Number, Email, Full Name. Point of Contact: Street Address, PO Box, City Name, Postal Code, County, State, Country, URI, Full Name, Email, Telephone Number.

[Diagram, slide 37 (DRAFT): Federal ICAM BAE & DOD DMDC Mapping Overlay. Key: Common, DoD DMDC, Federal ICAM BAE. Concept-model entities shown: Person, Organization, Identity Credential, Affiliation, Affiliation Condition, Affiliation Entitlement, Management, Assignment, Assignment Condition, Assignment Entitlement, Position, Skill, Skill Certificate, Citizenship, Technical Domain, Activity, Operational Domain. Relationships: be a member of / composed of, manage / be managed by, be certified by, be issued by, identify / be identified by, need / be needed by, be administered by. Standard attribute groups (identifier, type, start/end or issue/expire date, status, status date, LOA) as in the common model.]
Clearance: personSecurityClearance, clearanceDate, clearingAgency. Affiliation Entitlement: affil entitle identifier, Clearance Eligibility, entitle start date, affil entitle end date, affil entitle status, affil entitle status date.
CAC/PIV Card: chuid, cardIssueDate / cardExpirationDate, cardStatus / cardStatusDate, chuidStatus / chuidStatusDate, issuedID (FASC-N CN), IssuingSystemCode (FASC-N SC), issuedSeries (FASC-N CS), issuedCredentialCode (FASC-N ICI), cardAuthenticationCertificate, keyManagementCertificate, digitalSignatureCertificate, card barcode id, credentialTypeCode.
Person: photo, fingerprintImage, personGivenName, personMiddleName, personSurname, personNameSuffixText, personSexCode, SSN (PN_ID), Person Birth Date, birthplace. Citizenship: personCitizenshipFIPS10-4Code, usCitizen.
Affiliation: employeeNumber (FASC-N PI), Enterprise Display Name, personOrganizationAssociationCategory (FASC-N POA), designatedRole, Persona Type Code / Personnel Category Code, Guard\Reserve Status Code. Position: employeeRankText, Pay Plan, Pay Grade, Primary Occupational Code, occupation, level.
Organization: organizationIdentifier (F-OI), organizationCategory (F-OC), organization name, Duty Organization Code, Duty Organization Sub-Code, Administrative Organization Code, issuingAgencyCode (FASC-N AC), certifyingauthority. Activity / Operational Domain: esfCode, nippSectorCode. Skill Certificate: certificationType, certificationName, certificationDate.


Contact Information

38

• Karyn Higa-Smith (DHS S&T) – Program Manager, Identity Management – [email protected]

• Thomas Smith (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected]

• Maria Vachino (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected]


Backup Slides


Additional Information

40

IEEE HST 2010 Conference Proceedings:

Modeling the Federal User Identity, Credential, and Access Management (ICAM) Decision Space to Facilitate Secure Information Sharing


Why A Conceptual Data Model?

• Captures Information Requirements
• Problem specific
• Technology-neutral
• Information representation, not process or policy
• Identifies business terms
• Establishes contextual consensus
• Expresses data semantics

• Artifacts
• Entities
• Attributes
• Relationships
• Identifiers
• Problem Terms

Mind Your Business: Serving Business with Data Models that Focus Exclusively on Data, J. Maguire, 11-26-2008, Burton Group

41


Concept Data Model Uses

• Knowledge management
• Framework for technology insertion – logical/physical modeling
• Establishes conceptual foundation
• Baselines technological insertion
• Aligns organizational information perception
• Identifies important & distinguishing information
• Establishes artifacts – entities, attributes, relationships, identifiers, problem terms
• Improves productivity and agility
• Semantic consensus
• Identifies schema translation requirements
• Starting point for information sharing agreements
• Authoritative sources
• Identifies policy information requirements
• Policy creation & refinement
• Identifies information valued by the enterprise
• Identifies policy overlaps and gaps

42