Presentation is loading. Please wait.

Presentation is loading. Please wait.

Morteza Amini; 2nd Semester 85- 86; Database Security; Sharif Univ. of Tech. Role-Based Access Control Overview user_sessions (RH) Role Hierarchy session_roles.

Published bySamuel Gaines Modified over 8 years ago

Similar presentations

Presentation on theme: "Morteza Amini; 2nd Semester 85- 86; Database Security; Sharif Univ. of Tech. Role-Based Access Control Overview user_sessions (RH) Role Hierarchy session_roles."— Presentation transcript:

1 Morteza Amini; 2nd Semester 85- 86; Database Security; Sharif Univ. of Tech. Role-Based Access Control Overview user_sessions (RH) Role Hierarchy session_roles (UA) User Assign- ment (PA) Permission Assignment USERSOBSOPS SESSIONS ROLES PRMS SSDDSD

2 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Objective Compatibility with organizational structures Easy administration Expressiveness: DAC or MAC Principle of least privilege Separation of Duty (SoD)

3 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Access Controls Types Discretionary Access Control Mandatory Access Control Role-Based Access Control

4 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Discretionary AC Name Access Tom Yes John No Cindy Yes Application Access List Restricts access to objects based solely on the identity of users who are trying to access them. Individuals Resources Server 1 Server 3 Server 2 Legacy Apps

5 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Mandatory AC MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance. Principle: Read Down Access equal or less Clearance Write Up Access equal or higher Clearance

6 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Mandatory AC (cont) Individuals Resources Server 1 “Top Secret” Server 3 “Classified” Server 2 “Secret” SIPRNET Legacy Apps

7 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Role-Based AC A user has access to an object based on the assigned role. Roles are defined based on job functions. Permissions are defined based on job authority and responsibilities within a job function. Operations on an object are invocated based on the permissions. The object is concerned with the user’s role and not the user. “Ideally, the [RBAC] system is clearly defined and agile, making the addition of new applications, roles, and employees as efficient as possible”

8 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Role-Based AC IndividualsRolesResources Role 1 Role 2 Role 3 Server 1 Server 3 Server 2 User’s change frequently, Roles don’t

9 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Privilege Roles are engineered based on the principle of least privileged. A role contains the minimum amount of permissions to instantiate an object. A user is assigned to a role that allows him or her to perform only what’s required for that role. No single role is given more permission than the same role for another user.

10 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Role-Based AC Framework Core Components Constraining Components  Hierarchical RBAC  General  Limited  Separation of Duty Relations  Static  Dynamic

11 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Core Components Defines:  USERS  ROLES  OPERATIONS (ops)  OBJECTS (obs)  User Assignments (ua)  assigned_users

12 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Core Components (cont)  Permissions (prms)  Assigned Permissions  Object Permissions  Operation Permissions  Sessions  User Sessions  Available Session Permissions  Session Roles

13 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Constraint Components Role Hierarchies (rh)  General  Limited Separation of Duties  Static  Dynamic

14 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. RBAC Transition ModelsHierarchiesConstraints RBAC 0 No RBAC 1 YesNo RBAC 2 NoYes RBAC 3 Yes Most Complex Least Privileged Separation of Duties RBAC Model Effort RBAC 3

15 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. RBAC System and Administrative Functional Specification Administrative Operations  Create, Delete, Maintain elements and relations System Level Functions  Creation of user sessions  Role activation/deactivation  Constraint enforcement  Access Decision Calculation

16 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Core RBAC user_sessionssession_roles (UA) User Assign- ment (PA) Permission Assignment USERSOBSOPS SESSIONS ROLES PRMS

17 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. USERS Proces s Person Intelligent Agent

18 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. ROLES Developer Budget Manager Help Desk Representative An organizational job function with a clear definition of inherent responsibility and authority (permissions). Director

19 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. OPS (operations) An execution of an a program specific function that’s invocated by a user. Database – Update Insert Append Delete Locks – Open Close Reports – Create View Print Applications - Read Write Execute SQL

20 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. OBS (objects) An entity that contains or receives information, or has exhaustible system resources. OS Files or Directories DB Columns, Rows, Tables, or Views Printer Disk Space Lock Mechanisms RBAC will deal with all the objects listed in the permissions assigned to roles.

21 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. UA (user assignment) A user can be assigned to one or more roles Developer USERS set ROLES set Help Desk Rep A role can be assigned to one or more users

22 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. UA (user assignment) Mapping of role r onto a set of users User.DB1 View Update Append USERS set ROLES set User.DB1 permissionsobject User.F1 User.F2 User.F3

23 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. PRMS (permissions) The set of permissions that each grant the approval to perform an operation on a protected object. User.DB1 View Update Append permissionsobject User.F1 Read Write Execute permissionsobject

24 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. PA (prms assignment) A prms can be assigned to one or more roles Admin.DB1 PRMS set ROLES set A role can be assigned to one or more prms User.DB1 View Update Append Create Delete Drop

25 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. PA (prms assignment) PRMS setROLES set User.F1 User.F2 User.F3 Admin.DB1 Mapping of role r onto a set of permissions Read Write Execute View Update Append Create Drop SQL

26 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SESSIONS The set of sessions that each user invokes. USER guest user admin invokes SQL DB1.table1 FIN1.report1 APP1.desktop SESSION

27 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SESSIONS The mapping of user u onto a set of sessions. USERS guest user admin invokes SQL User2.DB1.table1.session User2.FIN1.report1.session User2.APP1.desktop.session SESSION USER2 USER1

28 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SESSIONS The mapping of session s onto a set of roles SESSIONROLES Admin User Guest SQL DB1.table1.session

29 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SESSIONS Permissions available to a user in a session. DB1.ADMIN View Update Append Create Drop SQL DB1.table1.session PRMSROLESESSION

30 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Hierarchal RBAC user_sessions (RH) Role Hierarchy session_roles (UA) User Assign- ment (PA) Permission Assignment USERSOBSOPS SESSIONS ROLES PRMS

31 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Tree Hierarchies Production Engineer 1 Quality Engineer 1 Engineering Dept Production Engineer 2 Quality Engineer 2 Production Engineer 1 Project Lead 1 Quality Engineer 1 Director Production Engineer 2 Project Lead 2 Quality Engineer 2

32 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Lattice Hierarchy Production Engineer 1 Quality Engineer 1 Engineering Dept Production Engineer 2 Quality Engineer 2 Project Lead 1 Director Project Lead 2

33 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. RH (Role Hierarchies) Natural means of structuring roles to reflect organizational lines of authority and responsibilities General and Limited Define the inheritance relation among roles i.e. r 1 inherits r 2 User r-w-h Guest -r-

34 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. General RH User r-w-h Guest -r- Only if all permissions of r 1 are also permissions of r 2 Only if all users of r 1 are also users of r 2 i.e. r1 inherits r2 Guest Role Set Power User Role Set User Role Set Admin Role Set Support Multiple Inheritance

35 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. authorized users Mapping of a role onto a set of users in the presence of a role hierarchy User.DB1 View Update Append First Tier USERS set ROLES set User.DB1 permissionsobject Admin.DB1 User.DB2 User.DB3

36 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. authorized permissions Mapping of a role onto a set of permissions in the presence of a role hierarchy PRMS setROLES set User.DB1 User.DB2 User.DB3 Admin.DB1 View Update Append Create Drop SQL

37 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Limited RH A restriction on the immediate descendants of the general role hierarchy Role1 Role2 Role3 Role2 inherits from Role1 Role3 does not inherit from Role1 or Role2

38 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Limited RH (cont) Tom AcctRec AcctRecSpv Accounting Tammy Cashier CashierSpv Fred Sally Auditing Joe Frank Billing BillingSpv CurtTuan Accounting Role Notice that Frank has two roles: Billing and Cashier

39 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Constrained RBAC user_sessions (RH) Role Hierarchy session_roles (UA) User Assign- ment (PA) Permission Assignment USERSOBSOPS SESSIONS ROLES PRMS SSD DSD

40 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Separation of Duties Enforces conflict of interest policies employed to prevent users from exceeding a reasonable level of authority for their position. Ensures that failures of omission or commission within an organization can be caused only as a result of collusion among individuals. Two Types:  Static Separation of Duties (SSD)  Dynamic Separation of Duties (DSD)

41 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SSD (SMER) SSD places restrictions on the set of roles and in particular on their ability to form UA relations. No user is assigned to n or more roles from the same role set, where n or more roles conflict with each other. A user may be in one role, but not in another—mutually exclusive. Prevents a person from submitting and approving their own request.

42 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SSD in Presence of RH A constraint on the authorized users of the roles that have an SSD relation. Based on the authorized users rather than assigned users. Ensures that inheritance does not undermine SSD policies. Reduce the number of potential permissions that can be made available to a user by placing constraints on the users that can be assigned to a set of roles.

43 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. DSD (DMER) These constraints limit the number of roles a user can activate in a single session Examples of constraints:  No user may activate t or more roles from the roles set in each user session.  If a user has used role r1 in a session, he/she cannot use role r2 in the same session Enforcement of these roles requires keeping the history of the user access to roles within a session

44 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Constraint RBAC Prepare check Approve/ Disapprove check Summarize decisions Issue/avoid check Static SoD (SSD) Dynamic SOD (DSD)

45 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. Other Types of Constraints At least n users are required to have all k permissions. ( {p 1,p 2,…,p k }, n ) Enforcement  Static Enforcement  Dynamic Enforcement

46 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. SoD Example Purchase Process 1)Order goods and record details of order 2)Receive invoice and check against order 3)Receive goods and check against invoice 4)Authorize payment against invoice A set of SoD requirements:  ssd: No user performs (1) and (3).  At least 3 users to perform all 4 steps

47 Morteza Amini; 2nd Semester 85-86; Database Security; Sharif Univ. of Tech. QUESTIONS …COMMENTS??

Download ppt "Morteza Amini; 2nd Semester 85- 86; Database Security; Sharif Univ. of Tech. Role-Based Access Control Overview user_sessions (RH) Role Hierarchy session_roles."

Similar presentations

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Role-Based Access Control

Role-Based Access Control
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
ROLE BASED ACCESS CONTROL MODELS

ROLE BASED ACCESS CONTROL MODELS
Role-Based Access Control CS461/ECE422 Fall 2011.

Role-Based Access Control CS461/ECE422 Fall 2011.
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
Jan. 2014Dr. Yangjun Chen ACS-49021 Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )

Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control RBAC Database Activity Monitoring.

Access Control RBAC Database Activity Monitoring.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Some slides were taken from 463.5.1 Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.

Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
Security Fall 2009McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Secure Information Sharing. Role-Based Access Control USERSROLES SESSIONS OPSOBS PRMS session_rolesuser_session User Assignment (UA) Permission Assignment.

Secure Information Sharing. Role-Based Access Control USERSROLES SESSIONS OPSOBS PRMS session_rolesuser_session User Assignment (UA) Permission Assignment.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
User Domain Policies.

User Domain Policies.

Similar presentations

Ads by Google