ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC97 (ADMINISTRATIVE RBAC)
Ravi Sandhu, Venkata Bhamidipati, Ed Coyne, Srinivas Ganta, Qamar Munawer, Charles Youman

ARBAC97 DECENTRALIZES
- user-role assignment (URA97)
- permission-role assignment (PRA97)
- the role-role hierarchy (RRA97), covering:
  - groups, or user-only roles (extends URA97)
  - abilities, or permission-only roles (extends PRA97)
  - UP-roles, or user-and-permission roles (RRA97 proper)

ADMINISTRATIVE RBAC
[figure: bird's-eye view of administrative RBAC: USERS and PERMISSIONS are connected through ROLES, and administrative (ADMIN) roles CAN-MANAGE those roles]
Speaker notes: This is a somewhat busy slide. It shows a bird's-eye view of RBAC. There are many details that need to be debated and filled in; some of these will be discussed in the subsequent panel. For our purpose the bird's-eye view will suffice.

ADMINISTRATIVE RBAC
[figure: the RBAC96 family RBAC0, RBAC1, RBAC2, RBAC3 paired with the corresponding administrative models ARBAC0, ARBAC1, ARBAC2]

EXAMPLE ROLE HIERARCHY (senior roles above junior roles)

                        Director (DIR)
        PROJECT 1                          PROJECT 2
    Project Lead 1 (PL1)               Project Lead 2 (PL2)
  Production 1 (P1)  Quality 1 (Q1)  Production 2 (P2)  Quality 2 (Q2)
      Engineer 1 (E1)                    Engineer 2 (E2)
                 Engineering Department (ED)
                        Employee (E)

Read as edges: DIR > PL1, PL2; PL1 > P1, Q1 > E1; PL2 > P2, Q2 > E2; E1, E2 > ED > E.

EXAMPLE ADMINISTRATIVE ROLE HIERARCHY

              Senior Security Officer (SSO)
            Department Security Officer (DSO)
  Project Security Officer 1 (PSO1)   Project Security Officer 2 (PSO2)

USER-ROLE ASSIGNMENT: CAN-ASSIGN-USER (role-range form)

  ARole   Prereq Role   Role Range
  PSO1    ED            [E1,PL1)
  PSO2    ED            [E2,PL2)
  DSO     ED            (ED,DIR)
  SSO     E             [ED,ED]
  SSO     ED            (ED,DIR]

A role range [x,y] is the set of roles r with x ≤ r ≤ y in the hierarchy; a round bracket excludes that end point, so [E1,PL1) is E1, P1 and Q1 but not PL1, and (ED,DIR) is everything strictly between ED and DIR. A row authorises an administrator holding ARole to add to any role in the range a user who already holds the prerequisite role (explicitly, or implicitly through a senior role).

USER-ROLE ASSIGNMENT: CAN-ASSIGN-USER (prerequisite-condition form)

  ARole   Prereq Cond   Role Range
  PSO1    ED            [E1,E1]
  PSO1    ED ∧ ¬P1      [Q1,Q1]
  PSO1    ED ∧ ¬Q1      [P1,P1]
  PSO2    ED            [E2,E2]
  PSO2    ED ∧ ¬P2      [Q2,Q2]
  PSO2    ED ∧ ¬Q2      [P2,P2]

Here ¬P1 means the user is not in P1 (nor in any role senior to P1), so a project security officer can put an engineer into Production or Quality but never into both.

USER-ROLE ASSIGNMENT: CAN-REVOKE-USER

  ARole   Role Range
  PSO1    [E1,PL1)
  PSO2    [E2,PL2)
  DSO     (ED,DIR)
  SSO     [ED,DIR]

USER-ROLE ASSIGNMENT: REVOCATION
- WEAK REVOCATION revokes explicit membership only (membership inherited through a senior role survives).
- STRONG REVOCATION revokes explicit and implicit membership; the revocation propagates upwards to senior roles and is defined in terms of weak revokes.

PERMISSION-ROLE ASSIGNMENT (PRA97): the dual of user-role assignment
- can-assign-permission
- can-revoke-permission
- weak revoke
- strong revoke (propagates down to junior roles, since permissions are inherited upwards)

PERMISSION-ROLE ASSIGNMENT: CAN-ASSIGN-PERMISSION

  ARole   Prereq Cond   Role Range
  PSO1    PL1           [E1,PL1)
  PSO2    PL2           [E2,PL2)
  DSO     E1 ∨ E2       [ED,ED]
  SSO     PL1 ∨ PL2     [ED,ED]
  SSO     ED            [E,E]

A prerequisite condition on a permission is evaluated on the roles that currently have it: PL1 is true if the permission is assigned to PL1 or to a role junior to PL1.

PERMISSION-ROLE ASSIGNMENT: CAN-REVOKE-PERMISSION

  ARole   Role Range
  PSO1    [E1,PL1]
  PSO2    [E2,PL2]
  DSO     (ED,DIR)
  SSO     [ED,DIR]
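To make the URA97 and PRA97 rules above mechanical, here is an added worked example; it is not code from the presentation or from Sandhu et al. It encodes the example hierarchy, the CAN-ASSIGN-USER / CAN-REVOKE-USER and CAN-ASSIGN-PERMISSION / CAN-REVOKE-PERMISSION tables, and weak versus strong revocation in both directions. Assumptions not stated on the slides: the administrative hierarchy is SSO > DSO > PSO1, PSO2; the PSO rows of CAN-ASSIGN-USER come from the prerequisite-condition table and the DSO/SSO rows from the role-range table; prerequisite conditions count implicit membership; and a strong revoke is all-or-nothing, i.e. it succeeds only if every weak revoke it implies is authorised.

```python
# URA97 / PRA97 checks on the slide deck's example hierarchy (added example, see lead-in).
from typing import Callable, Dict, List, Set, Tuple

# Regular role hierarchy as (senior, junior) edges, read from the slide figure.
RH = [("DIR", "PL1"), ("DIR", "PL2"), ("PL1", "P1"), ("PL1", "Q1"), ("PL2", "P2"),
      ("PL2", "Q2"), ("P1", "E1"), ("Q1", "E1"), ("P2", "E2"), ("Q2", "E2"),
      ("E1", "ED"), ("E2", "ED"), ("ED", "E")]
# Administrative role hierarchy; the ordering SSO > DSO > PSO1, PSO2 is an assumption.
ARH = [("SSO", "DSO"), ("DSO", "PSO1"), ("DSO", "PSO2")]

def closure(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each role to the set of roles strictly junior to it (transitive closure)."""
    jun: Dict[str, Set[str]] = {}
    for s, j in edges:
        jun.setdefault(s, set()).add(j)
        jun.setdefault(j, set())
    changed = True
    while changed:                        # naive fixpoint, fine for a small hierarchy
        changed = False
        for s in jun:
            more = set().union(*(jun[j] for j in jun[s])) - jun[s]
            if more:
                jun[s] |= more
                changed = True
    return jun

JUN = closure(RH)                                          # strictly junior roles
SEN = {r: {s for s in JUN if r in JUN[s]} for r in JUN}    # strictly senior roles
AJUN = closure(ARH)

def role_range(spec: str) -> Set[str]:
    """Expand '[E1,PL1)', '(ED,DIR]', ... into {r | x <= r <= y}; a round bracket
    excludes that end point, a square bracket includes it."""
    x, y = spec[1:-1].split(",")
    at_least_x = SEN[x] | ({x} if spec[0] == "[" else set())
    at_most_y = JUN[y] | ({y} if spec[-1] == "]" else set())
    return at_least_x & at_most_y

Has = Callable[[str], bool]     # "is this user / permission in role r?" (implicit included)
Cond = Callable[[Has], bool]    # prerequisite condition evaluated over such a predicate

def user_has(ua: Set[str]) -> Has:
    """URA97: a user is in r if explicitly in r or in any role senior to r."""
    return lambda r: any(e == r or r in JUN[e] for e in ua)

def perm_in(pa: Set[str]) -> Has:
    """PRA97 (the dual): a permission is in r if assigned to r or to any junior of r."""
    return lambda r: any(e == r or r in SEN[e] for e in pa)

def admin_is(admin: Set[str], arole: str) -> bool:
    return any(a == arole or arole in AJUN[a] for a in admin)

# CAN-ASSIGN-USER: PSO rows with prerequisite conditions (ED & not P1 / ED & not Q1
# keep Production and Quality mutually exclusive) plus the DSO and SSO rows.
CAN_ASSIGN_USER: List[Tuple[str, Cond, str]] = [
    ("PSO1", lambda h: h("ED"), "[E1,E1]"),
    ("PSO1", lambda h: h("ED") and not h("P1"), "[Q1,Q1]"),
    ("PSO1", lambda h: h("ED") and not h("Q1"), "[P1,P1]"),
    ("PSO2", lambda h: h("ED"), "[E2,E2]"),
    ("PSO2", lambda h: h("ED") and not h("P2"), "[Q2,Q2]"),
    ("PSO2", lambda h: h("ED") and not h("Q2"), "[P2,P2]"),
    ("DSO", lambda h: h("ED"), "(ED,DIR)"),
    ("SSO", lambda h: h("E"), "[ED,ED]"),
    ("SSO", lambda h: h("ED"), "(ED,DIR]"),
]
CAN_REVOKE_USER = [("PSO1", "[E1,PL1)"), ("PSO2", "[E2,PL2)"), ("DSO", "(ED,DIR)"), ("SSO", "[ED,DIR]")]
CAN_ASSIGN_PERM: List[Tuple[str, Cond, str]] = [
    ("PSO1", lambda h: h("PL1"), "[E1,PL1)"),
    ("PSO2", lambda h: h("PL2"), "[E2,PL2)"),
    ("DSO", lambda h: h("E1") or h("E2"), "[ED,ED]"),
    ("SSO", lambda h: h("PL1") or h("PL2"), "[ED,ED]"),
    ("SSO", lambda h: h("ED"), "[E,E]"),
]
CAN_REVOKE_PERM = [("PSO1", "[E1,PL1]"), ("PSO2", "[E2,PL2]"), ("DSO", "(ED,DIR)"), ("SSO", "[ED,DIR]")]

def can_assign(table, admin: Set[str], has: Has, target: str) -> bool:
    """Some row's administrative role is held, its prerequisite holds for the
    user/permission, and the target role lies in the row's role range."""
    return any(admin_is(admin, a) and c(has) and target in role_range(rng) for a, c, rng in table)

def can_revoke(table, admin: Set[str], target: str) -> bool:
    return any(admin_is(admin, a) and target in role_range(rng) for a, rng in table)

def _revoke(table, admin: Set[str], explicit: Set[str], targets: Set[str]) -> bool:
    """All-or-nothing: every implied weak revoke must be authorised (assumed semantics)."""
    if not all(can_revoke(table, admin, x) for x in targets):
        return False
    explicit -= targets
    return True

def revoke_user(admin: Set[str], ua: Set[str], r: str, strong: bool = False) -> bool:
    """Weak: drop only the explicit membership in r (membership inherited through a
    senior role survives). Strong: also drop explicit membership in every senior role,
    i.e. the revocation propagates upwards. Mutates ua, returns success."""
    return _revoke(CAN_REVOKE_USER, admin, ua, {r} | (SEN[r] & ua if strong else set()))

def revoke_perm(admin: Set[str], pa: Set[str], r: str, strong: bool = False) -> bool:
    """Dual of revoke_user: strong revocation propagates downwards to junior roles,
    because a role inherits the permissions of its juniors."""
    return _revoke(CAN_REVOKE_PERM, admin, pa, {r} | (JUN[r] & pa if strong else set()))
```

The interesting case is the strong revoke: a user explicitly in E1, P1 and PL1 stays an implicit member of E1 after PSO1 weakly revokes E1, and PSO1 cannot strongly revoke E1 either, because the implied revoke from PL1 falls outside [E1,PL1); DSO, whose range (ED,DIR) covers all three roles, can. The same check run on CAN-ASSIGN-USER shows why the ∧ ¬P1 condition matters: PSO1 may not add a Production engineer to Quality.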

RRA97 covers three kinds of roles:
- Group roles (users only): extended URA97
- Ability roles (permissions only): extended PRA97
- UP-roles (users and permissions): RRA97 proper

RRA97 OBJECTIVE
- Decentralisation of role-role relationships
- Administrative role autonomy within a range
- Encapsulation of authority ranges

EXAMPLE ROLE HIERARCHY (the hierarchy shown earlier, repeated on this slide for the RRA97 discussion: DIR over PL1/PL2, each project lead over its Production and Quality roles, those over E1/E2, and E1/E2 over ED over E)

[figure: the kinds of ranges used by RRA97: a range in the hierarchy, an authority range, an encapsulated range and a create range]

RRA97 - Definitions
Range: (x, y) = {r ∈ Roles | x < r < y}
Authority Range: a range referenced in the can-modify relation.
Junior Authority Range: the range (x, y) is junior to the range (x', y') if (x ≥ x' ∧ y' ≥ y) ∧ (x > x' ∨ y' > y); (x', y') is then the senior range.

RRA97 - Definitions
Partial Overlap of Ranges: the ranges Y and Y' partially overlap if Y ∩ Y' ≠ ∅ ∧ Y ⊄ Y' ∧ Y' ⊄ Y.

RRA97 - Definitions
Encapsulated Authority Range: the authority range (x, y) is encapsulated if, for all r1 ∈ (x, y) and all r2 ∉ (x, y),
  (r2 > r1 ⇔ r2 ≥ y) ∧ (r2 < r1 ⇔ r2 ≤ x).
In words: a role outside the range is senior to a role inside it only by being at or above y, and junior to it only by being at or below x, so the only way into the range is through its end points.

[figure: an encapsulated range (x, y)]

[figure: a non-encapsulated range (x, y), where a role outside the range is related to a role inside it without passing through x or y]

RRA97 - Definitions
Set of Authority Ranges: {(x, y) | x, y ∈ Roles ∧ (x, y) is an authority range}
Immediate Authority Range of role r: the authority range (x, y) is the immediate authority range of r ∈ (x, y), written ARimmediate(r), if there is no authority range (x', y') junior to (x, y) with r ∈ (x', y').

RRA97 - Definitions
Create Range: the range (x, y) is a create range if
  (a) ARimmediate(x) = ARimmediate(y), or
  (b) x is an end point of ARimmediate(y), or
  (c) y is an end point of ARimmediate(x).
Immediate Senior roles: r1 >immediate r2 if r1 > r2 and there is no r' ∈ Roles with r1 > r' > r2.

[figure: create-range example with ranges (x, y) and (x', y') (labelled A and B) and roles r1, r2, r3, r4]

RRA97 - Definitions
Immediate Junior roles: r1 <immediate r2 if r1 < r2 and there is no r' ∈ Roles with r1 < r' < r2.
Inactive Roles: a user associated with an inactive role cannot use it. Inheritance of permissions is not affected. Permissions and users can still be revoked from it.

INSERT ROLE
- Roles are inserted one at a time.
- Roles can be inserted only in a create range.
- Create-role(r, (x, y)) inserts a role r in the create range (x, y) such that r is junior to y and senior to x.

[figure: Create-role(r, (r1, r2)) places the new role r between r1 and r2, inside the range (x, y)]

DELETE ROLE
- Roles referred to in can-assign, can-revoke and can-modify cannot be deleted.
- Roles can be deleted only if they are empty.

DELETE ROLE (continued)
RELAXATIONS:
- Roles referred to in can-assign, can-revoke and can-modify can be made inactive instead of deleted.
- A role is deleted only after its permissions have been assigned to its immediate senior roles and its users to its immediate junior roles, so that neither the seniors nor the users lose access they had through the deleted role.

INSERTION OF AN EDGE
- Implied (transitively derivable) edges are not considered.
- An edge is inserted only between incomparable roles, so no cycle can arise.
- Edges are inserted one at a time.
- The edge AB is inserted only if (a) ARimmediate(A) = ARimmediate(B), and (b) for any junior authority range (x, y) with (A = y ∧ B > x) or (B = x ∧ A < y), the insertion preserves the encapsulation of (x, y).
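The RRA97 definitions (range, junior range, partial overlap, encapsulation, immediate authority range, create range) and the create-role and add-edge operations above, as an added example implemented over the slide hierarchy; this is not code from the presentation or from the model's authors. Assumptions: the slides give no can-modify table, so the authority ranges (ED,DIR), (E1,PL1) and (E2,PL2), matching DSO, PSO1 and PSO2, are assumed; edge AB is read as A becoming senior to B; and add-edge enforces "must ensure encapsulation" by re-checking every authority range on a trial copy, which is a conservative reading of condition (b).

```python
# RRA97 ranges, create-role and add-edge on the slides' hierarchy (added example, see lead-in).
from itertools import product
from typing import Iterable, List, Optional, Set, Tuple

Range = Tuple[str, str]   # (x, y) denotes the OPEN range {r | x < r < y}

class Hierarchy:
    """Role hierarchy kept as (senior, junior) edges plus its transitive closure."""
    def __init__(self, edges: Iterable[Tuple[str, str]]):
        self.edges: Set[Tuple[str, str]] = set(edges)
        self.roles: Set[str] = {r for e in self.edges for r in e}
        self._close()

    def _close(self) -> None:
        jun = {r: set() for r in self.roles}
        for s, j in self.edges:
            jun[s].add(j)
        changed = True
        while changed:                    # naive fixpoint, fine for a small hierarchy
            changed = False
            for s in jun:
                more = set().union(*(jun[j] for j in jun[s])) - jun[s]
                if more:
                    jun[s] |= more
                    changed = True
        self.jun = jun                    # role -> roles strictly junior to it

    def gt(self, a: str, b: str) -> bool: return b in self.jun[a]      # a strictly senior to b
    def ge(self, a: str, b: str) -> bool: return a == b or self.gt(a, b)

    def rng(self, r: Range) -> Set[str]:  # members of the open range (x, y)
        return {z for z in self.roles if self.gt(z, r[0]) and self.gt(r[1], z)}

    def add(self, senior: str, junior: str) -> None:
        self.edges.add((senior, junior))
        self.roles |= {senior, junior}
        self._close()

# Example hierarchy from the slides, as (senior, junior) edges.
RH = [("DIR", "PL1"), ("DIR", "PL2"), ("PL1", "P1"), ("PL1", "Q1"), ("PL2", "P2"),
      ("PL2", "Q2"), ("P1", "E1"), ("Q1", "E1"), ("P2", "E2"), ("Q2", "E2"),
      ("E1", "ED"), ("E2", "ED"), ("ED", "E")]
# Authority ranges, i.e. what a can-modify relation would reference. The slides give
# no can-modify table; these three (DSO / PSO1 / PSO2) are an assumption.
ARS: List[Range] = [("ED", "DIR"), ("E1", "PL1"), ("E2", "PL2")]

def junior_range(h: Hierarchy, r: Range, s: Range) -> bool:
    """(x, y) is junior to (x', y'): contained in it and strictly smaller at one end."""
    (x, y), (x2, y2) = r, s
    return h.ge(x, x2) and h.ge(y2, y) and (h.gt(x, x2) or h.gt(y2, y))

def partial_overlap(h: Hierarchy, r: Range, s: Range) -> bool:
    a, b = h.rng(r), h.rng(s)
    return bool(a & b) and not a <= b and not b <= a

def encapsulated(h: Hierarchy, r: Range) -> bool:
    """Every role outside (x, y) relates to the inside only through the end points:
    for r1 inside and r2 outside, r2 > r1 iff r2 >= y, and r2 < r1 iff r2 <= x."""
    x, y = r
    inside = h.rng(r)
    for r1, r2 in product(inside, h.roles - inside):
        if h.gt(r2, r1) != h.ge(r2, y) or h.gt(r1, r2) != h.ge(x, r2):
            return False
    return True

def immediate_ar(h: Hierarchy, role: str, ars: List[Range]) -> Optional[Range]:
    """The innermost authority range containing role, or None if no range contains it."""
    holding = [a for a in ars if role in h.rng(a)]
    for a in holding:
        if not any(junior_range(h, b, a) and role in h.rng(b) for b in holding):
            return a
    return None

def is_create_range(h: Hierarchy, r: Range, ars: List[Range]) -> bool:
    """(a) both end points share an immediate AR, or (b) x is an end point of
    ARimmediate(y), or (c) y is an end point of ARimmediate(x)."""
    x, y = r
    if not h.gt(y, x):
        return False
    ax, ay = immediate_ar(h, x, ars), immediate_ar(h, y, ars)
    return (ax is not None and ax == ay) or (ay is not None and x in ay) or (ax is not None and y in ax)

def create_role(h: Hierarchy, new: str, r: Range, ars: List[Range]) -> bool:
    """create-role(new, (x, y)): insert new junior to y and senior to x; create ranges only."""
    if new in h.roles or not is_create_range(h, r, ars):
        return False
    x, y = r
    h.add(y, new)
    h.add(new, x)
    return True

def add_edge(h: Hierarchy, a: str, b: str, ars: List[Range]) -> bool:
    """add-edge(A, B), making A senior to B: only between incomparable roles with the same
    immediate authority range, and only if every authority range stays encapsulated
    (checked on a trial copy, so a refused edge changes nothing)."""
    if a == b or h.gt(a, b) or h.gt(b, a):
        return False
    if immediate_ar(h, a, ars) != immediate_ar(h, b, ars):
        return False
    trial = Hierarchy(h.edges | {(a, b)})
    if not all(encapsulated(trial, ar) for ar in ars):
        return False
    h.add(a, b)
    return True
```

With the assumed authority ranges, (E1,PL1) is junior to (ED,DIR) and encapsulated, while (E,PL1) is not encapsulated because E2 is senior to ED without being at or above PL1. Creating a role in (E1,PL1) leaves every authority range encapsulated, and an edge from P1 to P2 is refused because the two roles have different immediate authority ranges; adding it would let a PROJECT 1 role reach into PSO2's range other than through its end points.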

DELETION OF AN EDGE
- Edges are deleted one at a time; implied edges are not considered.
- Only the edges of the transitive reduction are candidates for deletion.
- Edges connecting the end points of an authority range cannot be deleted.
- When the edge AB is deleted, the edges needed to preserve the remaining implications (seniority relations other than A > B that previously held only through AB) must be inserted.

System Calls
- create-role(r, Y): create role r in the create range Y
- delete-role(r): delete role r
- add-edge(A, B): add the edge AB
- delete-edge(A, B): delete the edge AB
- inactivate-role(r): make role r inactive
- activate-role(r): make role r active again

Strong Deletions
- Strong deletion of a role.
- Strong deletion of an edge.