ARBAC99 (Model for Administration of Roles)

ARBAC99 (Model for Administration of Roles) Ravi Sandhu Qamar Munawer George Mason University Laboratory for Information Security Technology www.list.gmu.edu

RBAC96 (simplified): USERS, ROLES and PERMISSIONS, linked by user-role assignment, permission-role assignment and role hierarchies.
Speaker note: This is a somewhat busy slide. It shows a bird's eye view of RBAC. There are many details that need to be debated and filled in; some of these will be discussed in the subsequent panel. For our purpose the bird's eye view will suffice.

ARBAC97 DECENTRALIZES: user-role assignment (URA97), permission-role assignment (PRA97), role-role hierarchy (RRA99).

ARBAC99 EXTENDS ARBAC97 with URA99, PRA99 and RRA99.
URA99: mobile and immobile membership; prerequisite-based revocation.
PRA99: dual of URA99.
RRA99: no change.

EXAMPLE ROLE HIERARCHY (most senior first): Director (DIR); Project Lead 1 (PL1), Project Lead 2 (PL2); Production 1 (P1), Quality 1 (Q1), Production 2 (P2), Quality 2 (Q2); Engineer 1 (E1), Engineer 2 (E2); Engineering Department (ED); Employee (E). The roles numbered 1 form PROJECT 1 and the roles numbered 2 form PROJECT 2.

EXAMPLE ADMINISTRATIVE ROLE HIERARCHY (most senior first): Senior Security Officer (SSO); Department Security Officer (DSO); Project Security Officer 1 (PSO1), Project Security Officer 2 (PSO2).

Motivation for ARBAC99. Consequences of user-role assignment in URA97: users can use the permissions of the role and of its junior roles, and users become eligible for assignment to other roles.

Motivation for ARBAC99. Examples that require decomposition of these two aspects: trainee, visitor, consultant.

New Concepts in URA99.
Mobile Users: user u can use the permissions of role x, and an administrative role can use this membership to put u in another role.
Immobile Users: user u can use the permissions of role x, but an administrative role cannot use this membership to put u in another role.

URA99 Model. Builds upon the concept of mobile and immobile membership of users. To formalize this we consider a role x as consisting of two sub-roles Mx and IMx. Membership in Mx is mobile, whereas membership in IMx is immobile.

Role in URA99. Definition: for a given set of roles R1 we define the roles in URA99 as R = {Mx, IMx | x ∈ R1}.

User Memberships in URA99. There are four kinds of user-role memberships in URA99.
Explicit Mobile Member EMx: u ∈ EMx ≡ (u, Mx) ∈ UA
Explicit Immobile Member EIMx: u ∈ EIMx ≡ (u, IMx) ∈ UA
Implicit Mobile Member ImMx: u ∈ ImMx ≡ (∃x' > x) (u, Mx') ∈ UA
Implicit Immobile Member ImIMx: u ∈ ImIMx ≡ (∃x' > x) (u, IMx') ∈ UA

Precedence Rule in URA99. URA99 allows a user to have all four kinds of membership in a role at the same time, but only one is effective, by the following strict precedence rule: EMx > EIMx > ImMx > ImIMx.

Inheritance of Mobility and Immobility (figure: three small role hierarchies over X1, X2, X3, labelled Divergent, Multiple and Single).

Prerequisite condition for URA99 Grant Model. The URA97 prerequisite condition is straightforward. In URA99 it is evaluated for a user u by interpreting x to be true if u ∈ EMx ∨ (u ∈ ImMx ∧ u ∉ EIMx), and ¬x to be true if u ∉ EMx ∧ u ∉ EIMx ∧ u ∉ ImMx ∧ u ∉ ImIMx.

Can-assign relations for URA99 Grant Model. Assignment as mobile membership is authorized by can-assign-M ⊆ AR × CR × 2^R. Assignment as immobile membership is authorized by can-assign-IM ⊆ AR × CR × 2^R.

Can-assign-M

Can-assign-IM

URA99 Grant Model authorizations: in general there is no implication that authority to grant mobile membership implies authority to grant immobile membership.

URA99 - Revoke Model URA99 revoke model fixes a lack of symmetry between grant and revoke models. It deals with revocation of mobile and immobile memberships. URA99 introduces two relations to authorize revocation.

Can-revoke relations for URA99 Revoke Model. Revocation of mobile membership is authorized by can-revoke-M ⊆ AR × CR × 2^R. Revocation of immobile membership is authorized by can-revoke-IM ⊆ AR × CR × 2^R.

Can-revoke-M

Can-revoke-IM

Prerequisite condition for URA99 - Revoke Model. For the revoke model we do not distinguish mobile and immobile memberships. We interpret x to be true iff u ∈ EMx ∨ u ∈ ImMx ∨ u ∈ EIMx ∨ u ∈ ImIMx, and ¬x to be true iff u ∉ EMx ∧ u ∉ EIMx ∧ u ∉ ImMx ∧ u ∉ ImIMx.
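The following is an added worked example, not code from the slides or from the authors, that implements the URA99 grant model (the four membership kinds, the precedence rule, the grant reading of a prerequisite literal and the can-assign-M / can-assign-IM check) together with the revoke model (the revoke reading of a literal and can-revoke-M / can-revoke-IM). It reuses the slides' example role and administrative hierarchies; the users, the relation tuples and the prerequisite conditions are constructed for illustration and are not taken from the page.

```python
"""Worked model of the URA99 grant and revoke rules (added example, not the authors' code).
Role names follow the slides' example hierarchies; users, relations and prerequisites
are constructed."""

# Regular role hierarchy from the slides: senior role -> immediate junior roles.
ROLE_JUNIORS = {
    "DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
    "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
    "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}, "E": set(),
}
# Administrative role hierarchy from the slides.
ADMIN_JUNIORS = {"SSO": {"DSO"}, "DSO": {"PSO1", "PSO2"}, "PSO1": set(), "PSO2": set()}


def juniors(hier, x):
    """All roles strictly junior to x (transitive closure over the hierarchy)."""
    seen, stack = set(), [x]
    while stack:
        for j in hier[stack.pop()]:
            if j not in seen:
                seen.add(j)
                stack.append(j)
    return seen


def strictly_senior(hier, x):
    """All x' with x' > x."""
    return {r for r in hier if x in juniors(hier, r)}


# UA is a set of triples (user, kind, role); kind "M" means sub-role Mx, "IM" means IMx.
def em(ua, u, x):                                   # u in EMx
    return (u, "M", x) in ua

def eim(ua, u, x):                                  # u in EIMx
    return (u, "IM", x) in ua

def imm(ua, u, x):                                  # u in ImMx
    return any((u, "M", s) in ua for s in strictly_senior(ROLE_JUNIORS, x))

def imim(ua, u, x):                                 # u in ImIMx
    return any((u, "IM", s) in ua for s in strictly_senior(ROLE_JUNIORS, x))


def effective_membership(ua, u, x):
    """Strict precedence EMx > EIMx > ImMx > ImIMx; None if u is not a member of x at all."""
    for name, pred in (("EM", em), ("EIM", eim), ("ImM", imm), ("ImIM", imim)):
        if pred(ua, u, x):
            return name
    return None


def grant_literal(ua, u, x, negated):
    """Grant-model reading of a prerequisite literal x (negated=False) or ¬x (negated=True)."""
    if negated:  # ¬x: u holds no membership of any kind in x
        return not (em(ua, u, x) or eim(ua, u, x) or imm(ua, u, x) or imim(ua, u, x))
    # x: only mobile membership counts, and an explicit immobile membership masks an implicit mobile one
    return em(ua, u, x) or (imm(ua, u, x) and not eim(ua, u, x))


def revoke_literal(ua, u, x, negated):
    """Revoke-model reading: mobile and immobile memberships are not distinguished."""
    member = em(ua, u, x) or eim(ua, u, x) or imm(ua, u, x) or imim(ua, u, x)
    return not member if negated else member


def authorized(relation, admin_roles, ua, u, target, literal):
    """True if some tuple (ar, prereq, role_range) of the relation covers the request.
    admin_roles: administrative roles held directly (juniors are inherited);
    prereq: conjunction of (role, negated) literals; role_range: frozenset of roles."""
    held = set(admin_roles)
    for ar in admin_roles:
        held |= juniors(ADMIN_JUNIORS, ar)
    return any(ar in held and target in rng and all(literal(ua, u, r, neg) for r, neg in prereq)
               for ar, prereq, rng in relation)


# Constructed relations: PSO1 may make ED members who are not in PL1 mobile members of the
# project-1 roles; DSO may make any employee an immobile member of ED, and revoke it again.
CAN_ASSIGN_M = {("PSO1", (("ED", False), ("PL1", True)), frozenset({"E1", "P1", "Q1"}))}
CAN_ASSIGN_IM = {("DSO", (("E", False),), frozenset({"ED"}))}
CAN_REVOKE_M = {("PSO1", (), frozenset({"E1", "P1", "Q1"}))}
CAN_REVOKE_IM = {("DSO", (("ED", False),), frozenset({"ED"}))}


def grant(ua, admin_roles, u, target, kind):
    rel = CAN_ASSIGN_M if kind == "M" else CAN_ASSIGN_IM
    if authorized(rel, admin_roles, ua, u, target, grant_literal):
        ua.add((u, kind, target))
        return True
    return False


def revoke(ua, admin_roles, u, target, kind):
    rel = CAN_REVOKE_M if kind == "M" else CAN_REVOKE_IM
    if authorized(rel, admin_roles, ua, u, target, revoke_literal):
        ua.discard((u, kind, target))
        return True
    return False


def demo():
    """Constructed scenario: alice is mobile in ED, bob immobile in ED, carol mobile in PL1
    and explicitly immobile in ED."""
    ua = {("alice", "M", "ED"), ("bob", "IM", "ED"), ("carol", "M", "PL1"), ("carol", "IM", "ED")}
    return {
        "alice_E1": grant(ua, {"PSO1"}, "alice", "E1", "M"),      # ED true, ¬PL1 true -> granted
        "bob_E1": grant(ua, {"PSO1"}, "bob", "E1", "M"),          # immobile in ED: ED literal false
        "carol_E1": grant(ua, {"PSO1"}, "carol", "E1", "M"),      # EIM in ED masks ImM; ¬PL1 false
        "carol_ED": effective_membership(ua, "carol", "ED"),      # EIM outranks ImM
        "bob_ED_grant": grant_literal(ua, "bob", "ED", False),    # neither ED nor ¬ED holds for bob
        "bob_ED_not": grant_literal(ua, "bob", "ED", True),
        "bob_ED_revoke": revoke_literal(ua, "bob", "ED", False),  # revoke model counts immobility
        "bob_revoked": revoke(ua, {"DSO"}, "bob", "ED", "IM"),
        "alice_revoked": revoke(ua, {"SSO"}, "alice", "E1", "M"),  # SSO inherits PSO1's authority
    }
```

The point to notice in the scenario is bob: under the grant reading neither ED nor ¬ED is true for a user whose only membership in ED is immobile, so no can-assign tuple with a prerequisite on ED can use that membership, which is exactly what immobility is meant to achieve; under the revoke reading the same membership does satisfy ED, so a can-revoke tuple conditioned on ED can remove it. Setting CAN_ASSIGN_IM and CAN_REVOKE_IM to the empty set leaves only mobile memberships reachable, which is the URA97 special case described on the next slide.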

Relation between URA97 and URA99 If all users are restricted to be mobile then URA99 is identical with URA97. This can be achieved by setting can-assign-IM and can-revoke-IM to be empty.

PRA99 - Model. Like users, permissions can also be assigned to roles as mobile or immobile. PRA99 is the exact dual of URA99. In PRA99 the implicit permission is inherited upwards in the hierarchy.

Conclusion. ARBAC99 is the first model that incorporates mobile and immobile users and permissions. The basic intuition of ARBAC97 is not altered. It is a useful extension to ARBAC97.