PBDM: A Flexible Delegation Model in RBAC
Xinwen Zhang, Sejong Oh (George Mason University)
Ravi Sandhu (George Mason University and NSD Security)
Outline
Motivations
Related Works
PBDM0: user-to-user delegation
PBDM1: user-to-user delegation
PBDM2: role-to-role delegation
Conclusions and future work
Motivations
Permission-level delegations are needed in many cases:
Motivations (contd)
User-to-user delegations
–John delegates some of his permissions to Jenny when he is out of town
Role-to-role delegations
–A professor can delegate check- permission to a TA
Multi-step delegation and revocation
–Jenny can delegate some permissions from John to Jim
Related Works
RBDM0:
–E. Barka et al., NISSC 2000, ACSAC 2000
–A delegation framework
–User-to-user delegation
–Role-level delegation
RDM2000:
–L. Zhang et al., SACMAT 2002
–Role-level delegation
–Multi-step delegation
PBDM0
Permission-based Delegation Model
A user-to-user delegation model
–John creates a temporary delegation role D1.
–John assigns the permission "change_schedule" to D1 with permission-role assignment, and the role PE to D1 with role-role assignment.
–John assigns Jenny to D1 with user-role assignment.
PBDM0
RR: regular roles
DTR: delegation roles
Controlled by the security administrator:
–UAR: user-regular role assignment
–PAR: permission-regular role assignment
Controlled by the individual user:
–UAD: user-delegation role assignment
–PAD: permission-delegation role assignment
PBDM0 (example figure and table; only the labels survived extraction): a role hierarchy over the roles PL, QE, PM, PE, PJ and PD with the permission sets {confirm_program}, {change_schedule, PE}, {error_report} and {check_prod_plan}, and a delegation rule table with the columns Rule, Users assigned regular role, Pre_con and P_range.
PBDM1
Problems in PBDM0:
–A user can create a delegation role at his own discretion, so a malicious user can cause an invalid permission flow. The reason is that no security administrator is involved in the delegation.
–Cannot support role-to-role delegation, since a delegation role cannot be assigned to a regular role.
PBDM1:
–Extension of PBDM0
–Permissions of a role are separated into two parts: regular and delegatable.
–Only delegatable permissions can be used to create delegation roles.
–User-to-user delegation
PBDM1
RR: regular roles
DBR: delegatable roles
DTR: delegation roles
One-to-one map between RR and DBR
PBDM1
UAR, UAB, PAR, and PAB are managed by the security administrator.
UAD and PAD are managed by the individual user.
Revocation options:
–By a user:
  Remove a user from the delegatees, that is, revoke the user-delegation role assignment.
  Remove one or more pieces of permission from a delegation role.
  Revoke the delegation role.
–By a security administrator:
  Remove one or more pieces of permission from a delegatable role back to its regular role.
  Revoke a user from a regular role and its delegatable role.
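The following is an added example and not code from the slides or from the PBDM paper. It models the PBDM1 relations above (UAR/UAB/PAR/PAB for the administrator, UAD/PAD for users) as a small enforcement point and walks through the John-to-Jenny-to-Jim scenario from the motivation slide, with the PBDM1 rule that only delegatable permissions may enter a delegation role. The user and role names John, Jenny, Jim, PL, QE, D1 and the permissions change_schedule, confirm_program and check_prod_plan come from the slides; which permissions are regular versus delegatable, Jim's role, the role D2 and the cascade of revocation down a multi-step chain are assumptions made for this example.

```python
# Added example (not the slides' or the PBDM paper's code): a minimal PBDM1
# enforcement point. Which permissions are delegatable, Jim's role and the
# revocation cascade are constructed assumptions, not taken from the slides.
from __future__ import annotations


class PBDM1:
    """Each regular role (RR) has a one-to-one delegatable role (DBR); users may
    only move DBR permissions (or permissions delegated to them) into a DTR."""

    def __init__(self) -> None:
        self.par: dict[str, set[str]] = {}   # RR   -> permissions (PAR, admin)
        self.pab: dict[str, set[str]] = {}   # DBR  -> permissions (PAB, admin)
        self.uar: dict[str, set[str]] = {}   # user -> RRs  (UAR, admin)
        self.uab: dict[str, set[str]] = {}   # user -> DBRs (UAB, admin)
        self.owner: dict[str, str] = {}      # DTR  -> creating user
        self.pad: dict[str, set[str]] = {}   # DTR  -> permissions (PAD, user)
        self.uad: dict[str, set[str]] = {}   # user -> DTRs (UAD, user)

    # security administrator
    def add_role(self, rr: str, regular: set[str], delegatable: set[str]) -> None:
        self.par[rr] = set(regular)
        self.pab[rr + "_dbr"] = set(delegatable)   # the DBR paired one-to-one with rr

    def assign_user(self, user: str, rr: str) -> None:
        self.uar.setdefault(user, set()).add(rr)
        self.uab.setdefault(user, set()).add(rr + "_dbr")

    def withdraw_delegatable(self, rr: str, perm: str) -> None:
        """Move perm from the DBR back to the RR and prune it from every DTR."""
        self.pab[rr + "_dbr"].discard(perm)
        self.par[rr].add(perm)
        self._prune()

    # individual user
    def delegatable(self, user: str) -> set[str]:
        """Own DBR permissions plus permissions delegated to the user (multi-step)."""
        perms: set[str] = set()
        for dbr in self.uab.get(user, ()):
            perms |= self.pab[dbr]
        for dtr in self.uad.get(user, ()):
            perms |= self.pad[dtr]
        return perms

    def delegate(self, owner: str, dtr: str, perms: set[str], delegatee: str) -> None:
        illegal = set(perms) - self.delegatable(owner)
        if illegal:   # regular permissions never flow into a delegation role
            raise PermissionError(f"{owner} may not delegate {sorted(illegal)}")
        self.owner[dtr] = owner
        self.pad[dtr] = set(perms)
        self.uad.setdefault(delegatee, set()).add(dtr)

    def revoke(self, owner: str, dtr: str) -> None:
        if self.owner.get(dtr) != owner:
            raise PermissionError(f"{owner} does not own {dtr}")
        del self.owner[dtr]
        del self.pad[dtr]
        for dtrs in self.uad.values():
            dtrs.discard(dtr)
        self._prune()

    def _prune(self) -> None:
        # Drop from each DTR what its owner can no longer delegate; iterate to a
        # fixpoint so a revocation propagates down a multi-step chain (assumption).
        changed = True
        while changed:
            changed = False
            for dtr, perms in self.pad.items():
                lost = perms - self.delegatable(self.owner[dtr])
                if lost:
                    perms -= lost
                    changed = True

    def permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for rr in self.uar.get(user, ()):
            perms |= self.par[rr]
        return perms | self.delegatable(user)   # RR plus DBR plus DTR permissions


def demo() -> dict[str, object]:
    m = PBDM1()
    # Constructed split: PL may delegate change_schedule but not confirm_program.
    m.add_role("PL", regular={"confirm_program"}, delegatable={"change_schedule"})
    m.add_role("QE", regular={"check_prod_plan"}, delegatable=set())
    m.assign_user("john", "PL")
    m.assign_user("jenny", "QE")
    m.assign_user("jim", "QE")
    m.delegate("john", "D1", {"change_schedule"}, "jenny")   # John -> Jenny
    m.delegate("jenny", "D2", {"change_schedule"}, "jim")    # Jenny -> Jim (multi-step)
    try:
        m.delegate("john", "D9", {"confirm_program"}, "jenny")  # regular permission
        blocked = False
    except PermissionError:
        blocked = True
    before = {u: m.permissions(u) for u in ("john", "jenny", "jim")}
    m.revoke("john", "D1")                                    # cascades to D2
    after = {u: m.permissions(u) for u in ("john", "jenny", "jim")}
    return {"before": before, "after": after, "blocked": blocked}
```

Running `demo()` shows the three PBDM1 properties in one pass: John cannot place the regular permission confirm_program into a delegation role, Jim receives change_schedule through Jenny's re-delegation, and John's revocation of D1 empties D2 as well, so neither Jenny nor Jim keeps the permission.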
PBDM2
Extension of PBDM1
A role-to-role delegation model
A role is separated into three layers:
–Regular role (RR): its permissions cannot be delegated.
–Fixed delegatable role (FDBR): its permissions can be delegated.
–Temporal delegatable role (TDBR): inherits permissions from delegation roles through role-role assignment (RAD).
Delegation roles (DTR) are assigned to the temporal delegatable role.
–Since there is no role hierarchy among TDBRs, illegal permission flow will not happen.
PBDM2
A delegation role D3 owned by PL and delegated to QE:
–Create a temporary delegation role D3
–Assign the permission "change_schedule" to D3
–Assign role PE to D3
–Assign D3 to QE
PBDM2
Roles: RR, FDBR, TDBR, DTR
Role hierarchies: RRH, FDBRH
User-role assignments: UAR, UAFB, UATB
Permission-role assignments: PAR, PAFB, PADB
RAD: delegation role-temporal delegatable role assignment
PBDM2
Revocation options:
–Remove one or more pieces of permission from a delegation role.
–Revoke a delegation role owned by a fixed delegatable role.
–Remove one or more pieces of permission from a fixed delegatable role back to its regular role.
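The following is an added example, not code from the slides or the PBDM paper. It implements the PBDM2 three-layer role (RR, FDBR, TDBR), the RAD assignment of a delegation role to the target's TDBR, and the three revocation options listed above, and it shows why the TDBR layer carries no hierarchy: with the same data, hanging the DTR off the regular role would let every senior of QE inherit the delegated permission. PL, QE, D3 and change_schedule are from the D3 slide; the hierarchy (PL and a role QM both senior to QE) and the permission sets are constructed for the example, and the role-role assignment of PE into D3 is left out for brevity.

```python
# Added example (not the slides' or the PBDM paper's code): PBDM2 role-to-role
# delegation. The hierarchy, the role QM and the permission sets are constructed.
from __future__ import annotations


class PBDM2:
    def __init__(self) -> None:
        self.par: dict[str, set[str]] = {}    # RR   -> permissions (PAR)
        self.pafb: dict[str, set[str]] = {}   # FDBR -> permissions (PAFB)
        self.rrh: dict[str, set[str]] = {}    # RR -> junior RRs (RRH; FDBRH mirrors it)
        self.dtr: dict[str, tuple[str, set[str]]] = {}  # DTR -> (owning FDBR, perms)
        self.rad: dict[str, set[str]] = {}    # TDBR -> DTRs assigned to it (RAD)

    def add_role(self, role: str, regular: set[str], delegatable: set[str],
                 juniors: set[str] | None = None) -> None:
        self.par[role] = set(regular)
        self.pafb[role] = set(delegatable)
        self.rrh[role] = set(juniors or ())

    def juniors(self, role: str) -> set[str]:
        """Transitive closure over RRH: a senior role inherits from all its juniors."""
        seen: set[str] = set()
        stack = [role]
        while stack:
            for j in self.rrh.get(stack.pop(), ()):
                if j not in seen:
                    seen.add(j)
                    stack.append(j)
        return seen

    def delegate(self, owner: str, dtr: str, perms: set[str], target: str) -> None:
        """owner's FDBR creates dtr from its delegatable permissions and
        assigns it to target's TDBR (the RAD relation)."""
        illegal = set(perms) - self.pafb[owner]
        if illegal:
            raise PermissionError(f"{owner} may not delegate {sorted(illegal)}")
        self.dtr[dtr] = (owner, set(perms))
        self.rad.setdefault(target, set()).add(dtr)

    def revoke(self, owner: str, dtr: str) -> None:
        """Revoke a delegation role owned by a fixed delegatable role."""
        if self.dtr.get(dtr, ("", set()))[0] != owner:
            raise PermissionError(f"{owner} does not own {dtr}")
        del self.dtr[dtr]
        for dtrs in self.rad.values():
            dtrs.discard(dtr)

    def remove_from_dtr(self, owner: str, dtr: str, perm: str) -> None:
        """Remove a piece of permission from a delegation role."""
        if self.dtr.get(dtr, ("", set()))[0] != owner:
            raise PermissionError(f"{owner} does not own {dtr}")
        self.dtr[dtr][1].discard(perm)

    def withdraw_delegatable(self, role: str, perm: str) -> None:
        """Admin moves perm from the FDBR back to the RR and out of its DTRs."""
        self.pafb[role].discard(perm)
        self.par[role].add(perm)
        for owner, perms in self.dtr.values():
            if owner == role:
                perms.discard(perm)

    def permissions(self, role: str) -> set[str]:
        """PBDM2 semantics: the RR and FDBR layers inherit through the
        hierarchy; the TDBR layer does not, so DTR permissions stay put."""
        perms: set[str] = set()
        for r in {role} | self.juniors(role):
            perms |= self.par[r] | self.pafb[r]
        for d in self.rad.get(role, ()):
            perms |= self.dtr[d][1]
        return perms

    def permissions_if_dtr_on_rr(self, role: str) -> set[str]:
        """Counter-example: if DTRs were assigned to the regular role, every
        senior of the target would inherit the delegated permissions."""
        perms: set[str] = set()
        for r in {role} | self.juniors(role):
            perms |= self.par[r] | self.pafb[r]
            for d in self.rad.get(r, ()):
                perms |= self.dtr[d][1]
        return perms


def demo() -> dict[str, set[str]]:
    m = PBDM2()
    m.add_role("QE", {"check_prod_plan"}, set())
    m.add_role("PL", {"confirm_program"}, {"change_schedule"}, juniors={"QE"})
    m.add_role("QM", {"approve_audit"}, set(), juniors={"QE"})   # constructed senior of QE
    m.delegate("PL", "D3", {"change_schedule"}, "QE")           # the D3 slide
    return {
        "QE": m.permissions("QE"),
        "QM": m.permissions("QM"),                               # no leak to QE's seniors
        "QM_if_dtr_on_rr": m.permissions_if_dtr_on_rr("QM"),     # the flow PBDM2 prevents
    }
```

A user assigned to a role holds all three of its layers (UAR, UAFB, UATB together), so `permissions(role)` is what such a user can exercise; the `QM_if_dtr_on_rr` entry is only there to show the permission flow that assigning D3 to QE's regular role would have caused.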
Conclusions and Future Work
Conclusions:
–Present a permission-based delegation model family: PBDM0, PBDM1, and PBDM2.
–Support user-to-user and role-to-role delegation
–Support multi-step delegation
–Support multi-option revocation
–Flexible delegation administration
Future work:
–Constraints in RBAC delegation, such as separation of duty
–Delegation management in decentralized environments