Role-Based Administration of User-Role Assignment: The URA97 Model and its Oracle Implementation Ravi Sandhu Venkata Bhamidipati Laboratory for Information Security Technology (LIST) George Mason University

OUTLINE RBAC96 review URA97 model URA97 Oracle implementation Closing remarks

RBAC96 ... ROLES PERMISSIONS USERS CONSTRAINTS SESSIONS ADMIN ROLES This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96: RBAC0 ... ROLES PERMISSIONS USERS SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96: RBAC1 ... ROLES PERMISSIONS USERS SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96 : RBAC2 ... ROLES PERMISSIONS USERS CONSTRAINTS SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96 : RBAC3 ... ROLES PERMISSIONS USERS CONSTRAINTS SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96 ... ROLES PERMISSIONS USERS CONSTRAINTS SESSIONS ADMIN ROLES This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

RBAC96 RBAC2 RBAC1 RBAC0 RBAC3 ARBAC2 ARBAC1 ARBAC0 ARBAC3

SCALE AND RATE OF CHANGE roles: 100s or 1000s users: 1000s or 10,000s or more Frequent changes to user-role assignment permission-role assignment Less frequent changes for role hierarchy

ADMINISTRATIVE RBAC user-role assignment permission-role assignment role-role hierarchy

EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) PROJECT 1 Engineering Department (ED) PROJECT 2 Employee (E)

EXAMPLE ADMINISTRATIVE ROLE HIERARCHY Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2)

URA97 GRANT MODEL: can-assign ARole Prereq Role Role Range PSO1 ED [E1,PL1) PSO2 ED [E2,PL2) DSO ED (ED,DIR) SSO E [ED,ED] SSO ED (ED,DIR]

URA97 GRANT MODEL : can-assign ARole Prereq Cond Role Range PSO1 ED [E1,E1] PSO1 ED & ¬ P1 [Q1,Q1] PSO1 ED & ¬ Q1 [P1,P1] PSO2 ED [E2,E2] PSO2 ED & ¬ P2 [Q2,Q2] PSO2 ED & ¬ Q2 [P2,P2]

URA97 GRANT MODEL “redundant” assignments to senior and junior roles are allowed are useful

URA97 REVOKE MODEL WEAK REVOCATION revokes explicit membership in a role independent of who did the assignment

URA97 REVOKE MODEL STRONG REVOCATION revokes explicit membership in a role and its seniors authorized only if corresponding weak revokes are authorized alternatives all-or-nothing revoke within range

URA97 REVOKE MODEL : can-revoke ARole Role Range PSO1 [E1,PL1) PSO2 [E2,PL2) DSO (ED,DIR) SSO [ED,DIR]

ORACLE ROLES support RBAC1 administrative model has strong discretionary flavor administrative authority on role implies can grant role to any user or role can grant role to any role anyone with grant option on a permission can grant it to any role

URA97 IN ORACLE administrative option for all roles is retained solely with DBA never given to any user use generic stored procedures with URA97 can-assign and can-revoke implemented as relations

URA97 IN ORACLE Oracle primitives for traversing role hierarchy need to be extended

can-assign in dnf ER DIAGRAM Admin Role PreCondition Min_Int Min Role Max Role Max_Int PreCondition AND set name NOT set name CAN_ASSIGN4 CAN_ASSIGN3 AND set name AND roles NOT set name NOT roles

can-revoke RELATION CAN_REVOKE Admin Role Min_Int Min Role Max Role Max_Int

ORACLE STORED PROCEDURES can extend Oracle access control model limitation stored procedure can determine who the user is BUT cannot determine active roles of the user

URA97 STORED PROCEDURES ASSIGN(user, trole, arole) WEAK_REVOKE(user, trole, arole) STRONG_REVOKE(user, trole, arole) user: user being added to trole trole: target role arole: administrative role used for this operation due to Oracle limitations

CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS user-role assignment URA97 and Oracle, this paper other platforms permission-role assignment PRA97, dual of URA97 Oracle implementation

CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS role-role hierarchy user-only roles (groups): like URA97 permission-only roles: like PRA97 user and permission roles: RRA97