Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.

Published bySimon Powell Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012."— Presentation transcript:

1 1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012 ravi.sandhu@utsa.edu www.profsandhu.com www.ics.utsa.edu © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security Joint paper with Xin Jin and Ram Krishnan of UTSA

2  Attributes are name:value pairs  possibly chained  values can be complex data structures  Associated with  users  subjects  objects  contexts  device, connection, location, environment, system …  Converted by policies into rights just in time  policies specified by security architects  attributes maintained by security administrators  ordinary users morph into architects and administrators © Ravi Sandhu 2 World-Leading Research with Real-World Impact! Attribute-Based Access Control (ABAC)

3  Why another model?  Why now?  Why ABAC?  Why ABACα (unifying DAC, MAC and RBAC)? © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Yet Another Access Control Model!!

4  Dozens of models proposed and studied. Only three winners (meaningful practical traction)  DAC: Discretionary Access Control, 1970  MAC: Mandatory Access Control, 1970  RBAC: Role-Based Access Control, 1995  RBAC emerged at an inflection point due to dissatisfaction with the then dominant DAC and MAC  We are currently at another inflection point due to dissatisfaction with the now dominant RBAC  ABAC (Attribute-Based Access Control) has emerged as the prime candidate to be the next dominant paradigm © Ravi Sandhu 4 World-Leading Research with Real-World Impact! Access Control Status

5  Role granularity is not adequate leading to role explosion  Researchers have suggested several extensions such as parameterized privileges, role templates, parameterized roles (1997-)  Role design and engineering is difficult and expensive  Substantial research on role engineering top down or bottom up (1996-), and on role mining (2003-)  Assignment of users/permissions to roles is cumbersome  Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role-delegation (2000-), role-based trust management (2003-), attribute-based implicit permission-role assignment (2012-)  Adjustment based on local/global situational factors is difficult  Temporal (2001-) and spatial (2005-) extensions to RBAC proposed  RBAC does not offer an extension framework  Every shortcoming seems to need a custom extension  Can ABAC unify these extensions in a common open-ended framework? © Ravi Sandhu 5 World-Leading Research with Real-World Impact! RBAC Overall Assessment

6  X.509, SPKI Attribute Certificates (1999 onwards)  IETF RFCs and drafts  Tightly coupled with PKI (Public-Key Infrastructure)  XACML (2003 onwards)  OASIS standard  Narrowly focused on particular policy combination issues  Fails to accommodate the ANSI-NIST RBAC standard model  Fails to address user subject mapping  Usage Control or UCON (Park-Sandhu 2004)  Fails to address user subject mapping  Focus is on extended features  Mutable attributes  Continuous enforcement  Obligations  Conditions  Several others ……….. © Ravi Sandhu 6 World-Leading Research with Real-World Impact! ABAC Prior Work Includes

7  Why another model?  Why now?  Why ABAC?  Why ABACα (unifying DAC, MAC and RBAC)? © Ravi Sandhu 7 World-Leading Research with Real-World Impact! Yet Another Access Control Model!!

8  DAC: Discretionary Access Control, 1970  Vendors and researchers coping for the first time with multi- user operating systems in different ways  Requirements abstracted from research organizations  MAC: Mandatory Access Control, 1970  Requirements abstracted from established real world pre- computer military and national security policies  RBAC: Role-Based Access Control, 1995  Requirements abstracted from established real world pre- computer policies common to commercial organizations  Vendor implementations of early RBAC-like systems © Ravi Sandhu 8 World-Leading Research with Real-World Impact! How the Dominant Access Control Models got Built How do we build ABAC models?

9 9 World-Leading Research with Real-World Impact! Access Control Models © Ravi Sandhu Policy Specification Policy Reality Policy Enforcement Policy Administration Initial Focus

10 10 World-Leading Research with Real-World Impact! RBAC Policy Configuration Points © Ravi Sandhu Constraints Role Hierarchy (RH)

11 11 World-Leading Research with Real-World Impact! RBAC Policy Configuration Points © Ravi Sandhu Constraints Role Hierarchy (RH) Security Architect Security Administrator User Security Architect Security Administrator Security Architect

12  An ABAC model requires  identification of policy configuration points (PCPs)  languages and formalisms for each PCP  A core set of PCPs can be discovered by building the ABACα model to unify DAC, MAC and RBAC  Additional ABAC models can then be developed by  increasing the sophistication of the ABACα PCPs  discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC © Ravi Sandhu 12 World-Leading Research with Real-World Impact! ABACα Hypothesis

13 13 World-Leading Research with Real-World Impact! ABACα Requirements © Ravi Sandhu Subject attribute value constrained by creating user ? Object attribute value constrained by creating subject ? Attribute range ordered? Attribute function return set value? Object attribute modification? Subject attribute modification by creating user? DACYES NOYES NO MACYES NO RBAC0YESNANOYESNAYES RBAC1YESNAYES NAYES ABACαYES

14 14 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points

15 15 World-Leading Research with Real-World Impact! Authorization Policy: LAuthorization © Ravi Sandhu  DAC  MAC  RBAC0  RBAC1

16 16 World-Leading Research with Real-World Impact! Subject Attribute Constraints ; LConstrSub © Ravi Sandhu  MAC  RBAC0  RBAC1

17 17 World-Leading Research with Real-World Impact! Object Attribute Constraints © Ravi Sandhu  DAC  MAC  DAC Constraints at creation: LConstrObj Constraints at modification: LConstrObjMod

18 18 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points

Download ppt "1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012."

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Cyber-Identity, Authority and Trust in an Uncertain World

Cyber-Identity, Authority and Trust in an Uncertain World
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
INSTITUTE FOR CYBER SECURITY April 20081 Access Control and Semantic Web Technologies Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY April Access Control and Semantic Web Technologies Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010

1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
Institute for Cyber Security

Institute for Cyber Security
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
© 2006 Ravi Sandhu www.list.gmu.edu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,

© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
1 Attribute Based Access Control and Implementation in Infrastructure as a Service Cloud Dissertation Defense Xin Jin Advisor: Dr. Ravi Sandhu Co-Advisor:

1 Attribute Based Access Control and Implementation in Infrastructure as a Service Cloud Dissertation Defense Xin Jin Advisor: Dr. Ravi Sandhu Co-Advisor:
1 The Future of Access Control: Attributes, Automation and Adaptation Prof. Ravi Sandhu Executive Director and Endowed Chair S&P Symposium IIT Kanpur March.

1 The Future of Access Control: Attributes, Automation and Adaptation Prof. Ravi Sandhu Executive Director and Endowed Chair S&P Symposium IIT Kanpur March.
Future of Access Control: Attributes, Automation, Adaptation

Future of Access Control: Attributes, Automation, Adaptation
1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.

1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015

1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

Similar presentations

Ads by Google