OM-AM and RBAC
Ravi Sandhu*
www.list.gmu.edu
Laboratory for Information Security Technology (LIST), George Mason University
THE OM-AM WAY
[Figure: four layers, from "What?" at the top to "How?" at the bottom: Objectives, Model, Architecture, Mechanism. Side label: Assurance.]
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
[Figure: the OM-AM layers from "What?" to "How?", with side label Assurance.]
Objective: No information leakage
Model: Lattices (Bell-LaPadula)
Architecture: Security kernel
Mechanism: Security labels
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
[Figure: the OM-AM layers from "What?" to "How?", with side label Assurance. Entries in order: Owner-based discretion; numerous; ACLs, Capabilities, etc.]
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
[Figure: the OM-AM layers from "What?" to "How?", with side label Assurance.]
Objective: Objective neutral
Model: RBAC96, ARBAC97, etc.
Architecture: user-pull, server-pull, etc.
Mechanism: certificates, tickets, PACs, etc.
Server-Pull Architecture
[Diagram components: Client; Server; User-role Authorization Server]
User-Pull Architecture
[Diagram components: Client; Server; User-role Authorization Server]
Proxy-Based Architecture
[Diagram components: Client; Proxy Server; Server; User-role Authorization Server]