Access Control Hierarchies (best viewed in slide show mode). Ravi Sandhu, Laboratory for Information Security Technology, www.list.gmu.edu. © 2005 Ravi Sandhu.

Slide 1: Access Control Hierarchies. Ravi Sandhu, Laboratory for Information Security Technology, George Mason University. © 2005 Ravi Sandhu.

Slide 2: RBAC96 Model (diagram).

Slide 3: ARBAC97. User-Role Assignment: URA97. Permission-Role Assignment: PRA97. Role-Role Assignment: RRA97. Reference: Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer, "The ARBAC97 Model for Role-Based Administration of Roles," ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages

Slide 4: Example Role Hierarchy (diagram).

Slide 5: Example Administrative Role Hierarchy (diagram).

Slide 6: Abilities, Groups and UP-Roles (diagram).

Slide 7: Four operations.
- Create role
- Delete role
- Insert edge
- Delete edge
All four are authorized by a single relation, can-modify. More complex operations can be built from these. The Chief Security Officer can bypass all these controls.

Slide 8: can-modify (the slide is annotated "not a typo"). The authority range must be encapsulated; to be discussed later.

Slide 9: Example Role Hierarchy (diagram, labelled with the DSO and PSO1 ranges).

Slide 10: Semantics of create role.
- Specify the immediate parent and the immediate child of the new role.
- Both must lie within the administrator's can-modify range, or be one of the endpoints of that range.
- The immediate parent must be senior to the immediate child. If it is junior, the creation would introduce a cycle; if the two are incomparable, the creation would introduce a new edge between them (so insert the new edge first, then create the new role).
- The immediate parent and immediate child must constitute a create range (prior to the creation). To be discussed later.

Slide 11: Semantics of delete role.
- Deletion of a role preserves all transitive edges.
- A deletion that would cause dangling references is prohibited. Either prohibit deletion of roles used in can_assign, can_revoke or can_modify, or deactivate such roles when they are deleted: an inactive role cannot be activated in a session, and no new users or permissions can be added to it.
- Preserve the permissions and users of a deleted role. Either only empty roles can be deleted, or the users are pushed down to the immediately junior roles and the permissions are pushed up to the immediately senior roles.

Slide 12: Semantics of insert edge.
- Edges can be inserted only between incomparable roles.
- Edge insertion must preserve the encapsulation of authority ranges. To be discussed.

Slide 13: Semantics of delete edge.
- An edge can be deleted only if it is not transitively implied.
- Deleting an edge preserves the transitive edges that passed through it; some of these become visible in the Hasse diagram.
- An edge between the endpoints of an authority range cannot be deleted. To be discussed.

Slide 14: Edge insertion anomaly (diagram, labelled with the DSO and PSO1 ranges).

Slide 15: Edge insertion anomaly. An edge inserted by PSO1 within its range (E1,PL1) changes the relationship between X and Y, both of which lie outside the PSO1 range.

Slide 16: Edge insertion anomaly: three possible responses. (1) Let it happen. (2) Do not allow X and Y to be introduced (by the DSO). (3) Do not allow PSO1 to insert the edge from QE1 to PE1.

Slide 17: Role Ranges (diagram; the slide is annotated "typo").

Slide 18: Range Definitions (diagram): Range, Create Range, Encapsulated Range, Authority Range.

Slide 19: Encapsulated Role Ranges (diagram; the slide is annotated "typo").

Slide 20: Encapsulated Role Ranges (example hierarchy, labelled with the DSO and PSO1 ranges). Encapsulated: (E1,PL1), (E2,PL2), (ED,DIR), (E,DIR). Non-encapsulated: (E,PL1), (E,PL2), (E,E1), (E,E2).

Slide 21: Encapsulated Role Ranges (diagram). Encapsulated: (x,y), (r2,y), (B,A). Non-encapsulated: (x,y), (B,y).

Slide 22: Encapsulated Role Ranges (diagram). Encapsulated: (r2,y), (B,A). Non-encapsulated: (x,y), (B,y).

Slide 23: Create Ranges (diagram).

Slide 24: Create Ranges (diagram). Authority ranges: (B,A), (x,y). Create ranges are drawn as dashed lines. These are not create ranges: B is an end point of an authority range, immediate (y); A is an end point of an authority range, immediate (r3); A is an end point of an authority range, immediate (x).

Slide 25: Preserving encapsulation on edge insertion (diagram).

Slide 26: Preserving encapsulation on edge insertion (diagram). Authority ranges: (B,A), (x,y). Insertion of (y,r3) is permitted but will prevent a future insertion of (r3,x); likewise, insertion of (r3,x) is permitted but will prevent a future insertion of (y,r3).
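As an added example (not code from the slides or from the ARBAC97 paper), the following Python models the four RRA97 operations of slides 7 and 10-13, the encapsulation test behind slide 20, and the edge insertion anomaly of slides 14-16. It uses the ARBAC97 definition of an encapsulated range: (x,y) is encapsulated if, for every role r1 strictly inside the range and every role r2 outside it, r2 is senior to r1 exactly when r2 is y or senior to y, and r2 is junior to r1 exactly when r2 is x or junior to x. The hierarchy is the ARBAC97 example reconstructed from memory (DIR over PL1 and PL2; each project lead over its PE and QE, which share an engineer E1 or E2; the engineers over ED, which is over E), and the can-modify table PSO1 -> (E1,PL1), PSO2 -> (E2,PL2), DSO -> (ED,DIR), the role X, and all method names are assumptions of this example. The create-range condition of slide 24 and the users and permissions of slide 11 are not modelled; instead every operation is committed only if all authority ranges remain encapsulated, which is the line the deck takes on slides 16 and 25-26: the DSO cannot introduce a role X that is senior to QE1 without also being senior to PL1, so PSO1's later insertion of QE1 > PE1 cannot leak outside its range.

```python
# Added example, not code from the slides or the ARBAC97 paper: a small model of
# RRA97. Roles form a strict partial order stored as (senior, junior) edges.
from itertools import product


class RoleHierarchy:
    def __init__(self, roles, edges, can_modify=None):
        self.roles, self.edges = set(roles), set(edges)
        # admin role -> authority range (x, y): x junior endpoint, y senior endpoint
        self.can_modify = dict(can_modify or {})

    def senior(self, a, b):
        """True iff a > b: b is reachable from a along (senior, junior) edges."""
        frontier, seen = {a}, set()
        while frontier:
            seen |= frontier
            frontier = {j for s, j in self.edges if s in frontier} - seen
            if b in frontier:
                return True
        return False

    def open_range(self, x, y):
        """Roles strictly between the endpoints: {r : x < r < y}."""
        return {r for r in self.roles if self.senior(y, r) and self.senior(r, x)}

    def encapsulated(self, x, y):
        """ARBAC97: for r1 inside (x,y) and r2 outside, r2 > r1 iff r2 >= y and
        r2 < r1 iff r2 <= x, so every path into the range passes an endpoint."""
        inside = self.open_range(x, y)
        for r1, r2 in product(inside, self.roles - inside):
            if self.senior(r2, r1) != (r2 == y or self.senior(r2, y)):
                return False
            if self.senior(r1, r2) != (r2 == x or self.senior(x, r2)):
                return False
        return True

    def hasse_edges(self):
        """Edges not transitively implied, i.e. what the Hasse diagram draws."""
        return {(s, j) for s, j in self.edges if not any(
            self.senior(s, m) and self.senior(m, j) for m in self.roles - {s, j})}

    def _authorized(self, admin, *rs):
        """True iff every role in rs lies in admin's closed authority range [x, y]."""
        x, y = self.can_modify[admin]            # KeyError: admin has no can-modify entry
        return all(r in (x, y) or r in self.open_range(x, y) for r in rs)

    def _commit(self, roles, edges):
        """Apply a change only if every authority range stays encapsulated."""
        old = self.roles, self.edges
        self.roles, self.edges = roles, edges
        if all(self.encapsulated(x, y) for x, y in self.can_modify.values()):
            return True
        self.roles, self.edges = old             # roll back the offending change
        return False

    def create_role(self, admin, new, parent, child):
        # parent must already be senior to child (junior: cycle; incomparable: new edge)
        if new in self.roles or not self.senior(parent, child) \
                or not self._authorized(admin, parent, child):
            return False
        return self._commit(self.roles | {new}, self.edges | {(parent, new), (new, child)})

    def delete_role(self, admin, r):
        endpoints = {e for rng in self.can_modify.values() for e in rng}
        if r in endpoints or not self._authorized(admin, r):   # can-modify still refers to r
            return False
        keep = {(a, b) for a, b in product(self.roles, repeat=2)
                if self.senior(a, b) and r not in (a, b)}      # transitive edges survive
        return self._commit(self.roles - {r}, keep)

    def insert_edge(self, admin, s, j):
        comparable = s == j or self.senior(s, j) or self.senior(j, s)
        if comparable or not self._authorized(admin, s, j):    # only incomparable roles
            return False
        return self._commit(self.roles, self.edges | {(s, j)})

    def delete_edge(self, admin, s, j):
        endpoint_edges = {(y, x) for x, y in self.can_modify.values()}
        if (s, j) not in self.hasse_edges() or (s, j) in endpoint_edges \
                or not self._authorized(admin, s, j):
            return False      # transitively implied, joins range endpoints, or out of range
        implied = {(a, b) for a, b in product(self.roles, repeat=2) if self.senior(a, b)}
        return self._commit(self.roles, implied - {(s, j)})   # other implied pairs survive


# The ARBAC97 example hierarchy, reconstructed with the role names of slide 20.
ARBAC97_ROLES = ["E", "ED", "E1", "PE1", "QE1", "PL1", "E2", "PE2", "QE2", "PL2", "DIR"]
ARBAC97_EDGES = [("DIR", "PL1"), ("DIR", "PL2"), ("PL1", "PE1"), ("PL1", "QE1"),
                 ("PE1", "E1"), ("QE1", "E1"), ("E1", "ED"), ("PL2", "PE2"),
                 ("PL2", "QE2"), ("PE2", "E2"), ("QE2", "E2"), ("E2", "ED"), ("ED", "E")]
ARBAC97_CAN_MODIFY = {"PSO1": ("E1", "PL1"), "PSO2": ("E2", "PL2"), "DSO": ("ED", "DIR")}


def anomaly_demo():
    """Slides 14-16 played out; returns the outcome of each step."""
    h = RoleHierarchy(ARBAC97_ROLES, ARBAC97_EDGES, ARBAC97_CAN_MODIFY)
    dso_x = h.create_role("DSO", "X", "DIR", "QE1")  # X > QE1 but X not >= PL1: refused
    link = h.insert_edge("PSO1", "QE1", "PE1")       # incomparable; ranges stay encapsulated
    implied = h.delete_edge("PSO1", "PL1", "PE1")    # now implied via QE1: refused
    undo = h.delete_edge("PSO1", "QE1", "PE1")       # a Hasse edge: allowed
    return dso_x, link, implied, undo, ("PL1", "PE1") in h.hasse_edges()
```

Calling `RoleHierarchy(ARBAC97_ROLES, ARBAC97_EDGES, ARBAC97_CAN_MODIFY).encapsulated("E", "PL1")` returns False for the reason the definition gives: E2 is senior to ED, which lies inside (E,PL1), but E2 is not senior to PL1. `anomaly_demo()` returns (False, True, False, True, True): the DSO's X is rejected, PSO1's insertion is accepted, the edge PL1 > PE1 can no longer be deleted because QE1 > PE1 now implies it, deleting the inserted edge is allowed, and PL1 > PE1 reappears in the Hasse diagram because the deletion preserved it. Every operation returns True only when it was committed, so a caller can audit refused administrative changes the same way it audits accepted ones.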

Slide 27: Edge deletion example (diagram).

Slide 28: Next class. Read Jason Crampton and George Loizou, "Administrative Scope: A Foundation for Role-Based Administrative Models," ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages (available in the ACM Digital Library through GMU), and come prepared to discuss it.

Slide 29: Assignment.
1. Prove or give a counterexample: (a) Is an authority range always a create range? (b) If x is an immediate child of y, is (x,y) a create range?
2. Prove or give a counterexample: If x is an immediate child of y, can (x,y) always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?