OM-AM and RBAC Ravi Sandhu * Laboratory for Information Security Technology (LIST) George Mason University

2 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance

3 OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels AssuranceAssurance

4 OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? How? Owner-based discretion numerous ACLs, Capabilities, etc AssuranceAssurance

5 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Objective neutral RBAC96, ARBAC97, etc. user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

6 Server-Pull Architecture ClientServer User-role Authorization Server

7 User-Pull Architecture ClientServer User-role Authorization Server

8 Proxy-Based Architecture ClientServer Proxy Server User-role Authorization Server