1
ARBAC99 (Model for Administration of Roles)
Ravi Sandhu, Qamar Munawer; George Mason University, Laboratory for Information Security Technology
2
RBAC96 (simplified)
Components: USERS, ROLES, PERMISSIONS; ROLE HIERARCHIES; USER-ROLE ASSIGNMENT; PERMISSION-ROLE ASSIGNMENT.
Speaker notes: This is a somewhat busy slide. It shows a bird's eye view of RBAC. There are many details that need to be debated and filled in; some of these will be discussed in the subsequent panel. For our purpose the bird's eye view will suffice.
3
ARBAC97 DECENTRALIZES:
user-role assignment (URA97)
permission-role assignment (PRA97)
role-role hierarchy (RRA99)
4
ARBAC99 EXTENDS ARBAC97: URA99, PRA99, RRA99
URA99: mobile and immobile membership; prerequisite-based revocation
PRA99: dual of URA99
RRA99: no change
5
EXAMPLE ROLE HIERARCHY
Department-wide roles: Director (DIR), Engineering Department (ED), Employee (E)
PROJECT 1: Project Lead 1 (PL1), Production 1 (P1), Quality 1 (Q1), Engineer 1 (E1)
PROJECT 2: Project Lead 2 (PL2), Production 2 (P2), Quality 2 (Q2), Engineer 2 (E2)
6
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO); Department Security Officer (DSO); Project Security Officer 1 (PSO1); Project Security Officer 2 (PSO2)
7
Motivation for ARBAC99: URA97 consequences
Membership in a role has two consequences in URA97: users can use the permissions of the role and of its junior roles, and users become eligible for assignment to other roles.
8
Motivation for ARBAC99: examples that require decomposition of these two aspects: trainee, visitor, consultant
9
New Concepts in URA99
Mobile Users: user u can use the permissions of role x, and an administrative role can use this membership to put user u in another role.
Immobile Users: user u can use the permissions of role x, but an administrative role cannot use this membership to put user u in another role.
10
URA99 Model: builds upon the concept of mobile and immobile membership of users. To formalize this we consider a role x as consisting of two sub-roles, Mx and IMx. Membership in Mx is mobile, whereas membership in IMx is immobile.
11
Role in URA99. Definition: for a given set of roles R1 we define the roles in URA99 as R = {Mx, IMx | x ∈ R1}
12
User Memberships in URA99
There are four kinds of user-role memberships in URA99:
Explicit Mobile Member: EMx = {u | (u, Mx) ∈ UA}
Explicit Immobile Member: EIMx = {u | (u, IMx) ∈ UA}
Implicit Mobile Member: ImMx = {u | (∃x' > x) (u, Mx') ∈ UA}
Implicit Immobile Member: ImIMx = {u | (∃x' > x) (u, IMx') ∈ UA}
13
Precedence Rule in URA99: URA99 allows a user to have all four kinds of membership in a role at the same time, but only one is effective, determined by the following strict precedence rule: EMx > EIMx > ImMx > ImIMx
14
Inheritance of Mobility and Immobility
[Figure: inheritance of mobility and immobility along the role hierarchy, shown for roles X1, X2, X3 in three cases: Divergent, Multiple, Single]
15
Prerequisite condition for URA99 Grant Model
The URA97 prerequisite condition is quite straightforward. In URA99 it is evaluated for a user u by interpreting x to be true if u ∈ EMx ∨ (u ∈ ImMx ∧ u ∉ EIMx), and ¬x to be true if u ∉ EMx ∧ u ∉ EIMx ∧ u ∉ ImMx ∧ u ∉ ImIMx. An immobile membership in x therefore satisfies neither x nor ¬x.
16
Can-assign relations for URA99 Grant Model
Assignment as mobile membership is authorized by can-assign-M ⊆ AR × CR × 2^R
Assignment as immobile membership is authorized by can-assign-IM ⊆ AR × CR × 2^R
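The following is an added example, not code from the slides or the authors: it computes the four URA99 membership kinds of slide 12, applies the precedence rule of slide 13, evaluates the grant-model reading of x and ¬x from slide 15, and checks a can-assign-M entry as on slide 16. The hierarchy slice, the UA tuples, the user names and the can-assign-M entry are constructed sample data; conditions are restricted to conjunctions of literals, a simplification of the general prerequisite conditions.

```python
# Added example (not code from the slides): URA99 membership kinds, precedence,
# grant-model prerequisite evaluation and a can-assign-M check.
# Constructed hierarchy: immediate senior -> juniors (a slice of the slides' roles).
SENIORS = {"PL1": {"P1", "Q1"}, "P1": {"E1"}, "Q1": {"E1"}, "E1": {"ED"}, "ED": {"E"}}
# Constructed UA tuples (user, role, kind): kind "M" = sub-role Mx, "IM" = sub-role IMx.
UA = {("alice", "PL1", "M"), ("bob", "P1", "IM"), ("bob", "E1", "M"), ("carol", "ED", "M")}
# Constructed can-assign-M entries (admin role, conjunctive condition, role set).
CAN_ASSIGN_M = {("PSO1", (("ED", False), ("PL1", True)), frozenset({"E1", "P1", "Q1"}))}

def seniors_of(x):
    """All roles x' with x' > x (transitive closure of SENIORS)."""
    result, frontier = set(), {s for s, js in SENIORS.items() if x in js}
    while frontier:
        result |= frontier
        frontier = {s for s, js in SENIORS.items() if js & frontier} - result
    return result

def memberships(user, x, ua=UA):
    """The four URA99 membership kinds of user in role x."""
    above = seniors_of(x)
    return {"EM": (user, x, "M") in ua,                          # explicit mobile
            "EIM": (user, x, "IM") in ua,                        # explicit immobile
            "ImM": any((user, s, "M") in ua for s in above),     # implicit mobile
            "ImIM": any((user, s, "IM") in ua for s in above)}   # implicit immobile

def effective(user, x, ua=UA):
    """Strict precedence EMx > EIMx > ImMx > ImIMx; None when u is no member of x."""
    m = memberships(user, x, ua)
    return next((k for k in ("EM", "EIM", "ImM", "ImIM") if m[k]), None)

def grant_literal(user, x, negated=False, ua=UA):
    """Grant-model reading of the literals x and not-x for user u."""
    m = memberships(user, x, ua)
    if negated:                       # not-x: u is no kind of member of x
        return not any(m.values())
    # x: a mobile membership that an explicit immobile membership does not override
    return m["EM"] or (m["ImM"] and not m["EIM"])

def satisfies(user, condition, ua=UA):
    """condition is a conjunction of (role, negated) literals (disjunctions omitted)."""
    return all(grant_literal(user, r, neg, ua) for r, neg in condition)

def can_assign_mobile(admin, user, target, ua=UA, rel=CAN_ASSIGN_M):
    """True if a can-assign-M entry lets admin grant user mobile membership in target."""
    return any(a == admin and target in roles and satisfies(user, cond, ua)
               for a, cond, roles in rel)

if __name__ == "__main__":
    # bob's immobile membership in P1 satisfies neither P1 nor not-P1
    print(effective("bob", "P1"), grant_literal("bob", "P1"), grant_literal("bob", "P1", True))
    print(can_assign_mobile("PSO1", "carol", "E1"), can_assign_mobile("PSO1", "alice", "Q1"))
```

Alice fails the sample entry because her explicit mobile membership in PL1 makes ¬PL1 false, while bob passes via his implicit mobile membership in ED inherited from E1.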
17
EXAMPLE ROLE HIERARCHY
Department-wide roles: Director (DIR), Engineering Department (ED), Employee (E)
PROJECT 1: Project Lead 1 (PL1), Production 1 (P1), Quality 1 (Q1), Engineer 1 (E1)
PROJECT 2: Project Lead 2 (PL2), Production 2 (P2), Quality 2 (Q2), Engineer 2 (E2)
18
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO); Department Security Officer (DSO); Project Security Officer 1 (PSO1); Project Security Officer 2 (PSO2)
19
Can-assign-M
20
Can-assign-IM
21
URA99 Grant Model authorizations
There is no implication in general that authority to grant mobile membership implies authority to grant immobile membership, or vice versa; the two are authorized by separate relations.
22
URA99 - Revoke Model: the URA99 revoke model fixes a lack of symmetry between the grant and revoke models. It deals with revocation of mobile and immobile memberships. URA99 introduces two relations to authorize revocation.
23
Can-revoke relations for URA99 Revoke Model
Revocation of mobile membership is authorized by can-revoke-M ⊆ AR × CR × 2^R
Revocation of immobile membership is authorized by can-revoke-IM ⊆ AR × CR × 2^R
24
Can-revoke-M
25
Can-revoke-IM
26
Prerequisite condition for URA99 - Revoke Model
For the revoke model we do not distinguish mobile and immobile memberships. We interpret x to be true iff u ∈ EMx ∨ u ∈ EIMx ∨ u ∈ ImMx ∨ u ∈ ImIMx, and ¬x to be true iff u ∉ EMx ∧ u ∉ EIMx ∧ u ∉ ImMx ∧ u ∉ ImIMx.
27
Relation between URA97 and URA99
If all users are restricted to be mobile, then URA99 is identical to URA97. This can be achieved by setting can-assign-IM and can-revoke-IM to be empty.
28
PRA99 - Model: like users, permissions can also be assigned to roles as mobile and immobile. PRA99 is the exact dual of URA99. In PRA99 implicit permission is inherited upwards in the hierarchy.
29
Conclusion: ARBAC99 is the first model that incorporates mobile and immobile users and permissions. The basic intuition of ARBAC97 is not altered. It is a useful extension to ARBAC97.