INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

Slides:



Advertisements
Similar presentations
1
Advertisements

Cyber-Identity, Authority and Trust in an Uncertain World
Role Based Access Control
Cyber-Identity, Authority and Trust in an Uncertain World
Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
© Ravi Sandhu Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology.
© 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.
ARBAC99 (Model for Administration of Roles)
Ravi Sandhu Venkata Bhamidipati
ARBAC 97 (ADMINISTRATIVE RBAC)
Role Activation Hierarchies Ravi Sandhu George Mason University.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
ISA 662 RBAC-MAC-DAC Prof. Ravi Sandhu. 2 © Ravi Sandhu RBAC96 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE.
An ORACLE Implementation of the PRA97 Model for Permission-Role Assignment Ravi Sandhu Venkata Bhamidipati George Mason University.
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.
OM-AM and RBAC Ravi Sandhu * Laboratory for Information Security Technology (LIST) George Mason University.
Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way Prof. Ravi Sandhu George Mason University
© 2005 Ravi Sandhu Access Control Hierarchies (best viewed in slide show mode) Ravi Sandhu Laboratory for Information Security Technology.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
PP Test Review Sections 6-1 to 6-6
2 |SharePoint Saturday New York City
VOORBLAD.
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
© 2012 National Heart Foundation of Australia. Slide 2.
Model and Relationships 6 M 1 M M M M M M M M M M M M M M M M
Analyzing Genes and Genomes
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Essential Cell Biology
Intracellular Compartments and Transport
PSSA Preparation.
Essential Cell Biology
Immunobiology: The Immune System in Health & Disease Sixth Edition
Energy Generation in Mitochondria and Chlorplasts
Chapter 9: Using Classes and Objects. Understanding Class Concepts Types of classes – Classes that are only application programs with a Main() method.
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
1 © Ravi Sandhu OM-AM and PEI Prof. Ravi Sandhu. 2 © Ravi Sandhu THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance.
CSCE 201 Introduction to Information Security Fall 2010 Access Control Models.
1 Role-Based Access Control (RBAC) Prof. Ravi Sandhu Executive Director and Endowed Chair January 29, © Ravi.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
OM-AM and RBAC Ravi Sandhu*
ASCAA Principles for Next-Generation Role-Based Access Control
Engineering Authority and Trust in Cyberspace: George Mason University
Role-Based Access Control George Mason University and
Presentation transcript:

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University

2 © Ravi Sandhu AUTHORIZATION, TRUST AND RISK Information security is fundamentally about managing authorization and trust so as to manage risk

3 © Ravi Sandhu SOLUTIONS OM-AM RBAC PKI and others

4 © Ravi Sandhu THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance

5 © Ravi Sandhu LAYERS AND LAYERS Multics rings Layered abstractions Waterfall model Network protocol stacks OM-AM

6 © Ravi Sandhu OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels AssuranceAssurance

7 © Ravi Sandhu OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? How? Owner-based discretion numerous ACLs, Capabilities, etc AssuranceAssurance

8 © Ravi Sandhu OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Policy neutral RBAC96 user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

9 © Ravi Sandhu ROLE-BASED ACCESS CONTROL (RBAC) A users permissions are determined by the users roles rather than identity or clearance roles can encode arbitrary attributes multi-faceted ranges from very simple to very sophisticated

10 © Ravi Sandhu WHAT IS THE POLICY IN RBAC? RBAC is a framework to help in articulating policy The main point of RBAC is to facilitate security management

11 © Ravi Sandhu RBAC SECURITY PRINCIPLES least privilege separation of duties separation of administration and access abstract operations

12 © Ravi Sandhu RBAC96 IEEE Computer Feb Policy neutral can be configured to do MAC roles simulate clearances (ESORICS 96) can be configured to do DAC roles simulate identity (RBAC98)

13 © Ravi Sandhu WHAT IS RBAC? multidimensional open ended ranges from simple to sophisticated

14 © Ravi Sandhu RBAC CONUNDRUM turn on all roles all the time turn on one role only at a time turn on a user-specified subset of roles

15 © Ravi Sandhu RBAC96 FAMILY OF MODELS RBAC0 BASIC RBAC RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS

16 © Ravi Sandhu RBAC0 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS

17 © Ravi Sandhu PERMISSIONS Primitive permissions read, write, append, execute Abstract permissions credit, debit, inquiry

18 © Ravi Sandhu PERMISSIONS System permissions Auditor Object permissions read, write, append, execute, credit, debit, inquiry

19 © Ravi Sandhu PERMISSIONS Permissions are positive No negative permissions or denials negative permissions and denials can be handled by constraints No duties or obligations outside scope of access control

20 © Ravi Sandhu ROLES AS POLICY A role brings together a collection of users and a collection of permissions These collections will vary over time A role has significance and meaning beyond the particular users and permissions brought together at any moment

21 © Ravi Sandhu ROLES VERSUS GROUPS Groups are often defined as a collection of users A role is a collection of users and a collection of permissions Some authors define role as a collection of permissions

22 © Ravi Sandhu USERS Users are human beings or other active agents Each individual should be known as exactly one user

23 © Ravi Sandhu USER-ROLE ASSIGNMENT A user can be a member of many roles Each role can have many users as members

24 © Ravi Sandhu SESSIONS A user can invoke multiple sessions In each session a user can invoke any subset of roles that the user is a member of

25 © Ravi Sandhu PERMISSION-ROLE ASSIGNMENT A permission can be assigned to many roles Each role can have many permissions

26 © Ravi Sandhu MANAGEMENT OF RBAC Option 1: USER-ROLE-ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer Option 2: Use RBAC to manage RBAC

27 © Ravi Sandhu RBAC1 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES

28 © Ravi Sandhu HIERARCHICAL ROLES Health-Care Provider Physician Primary-Care Physician Specialist Physician

29 © Ravi Sandhu HIERARCHICAL ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer

30 © Ravi Sandhu PRIVATE ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer Hardware Engineer Software Engineer

31 © Ravi Sandhu EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

32 © Ravi Sandhu EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

33 © Ravi Sandhu EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

34 © Ravi Sandhu EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

35 © Ravi Sandhu RBAC3 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS

36 © Ravi Sandhu CONSTRAINTS Mutually Exclusive Roles Static Exclusion: The same individual can never hold both roles Dynamic Exclusion: The same individual can never hold both roles in the same context

37 © Ravi Sandhu CONSTRAINTS Mutually Exclusive Permissions Static Exclusion: The same role should never be assigned both permissions Dynamic Exclusion: The same role can never hold both permissions in the same context

38 © Ravi Sandhu CONSTRAINTS Cardinality Constraints on User-Role Assignment At most k users can belong to the role At least k users must belong to the role Exactly k users must belong to the role

39 © Ravi Sandhu CONSTRAINTS Cardinality Constraints on Permissions-Role Assignment At most k roles can get the permission At least k roles must get the permission Exactly k roles must get the permission

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.