Published by Melissa Moreno. Modified over 11 years ago.
1
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
Ravi Sandhu, George Mason University and SETA Corporation
2
OUTLINE
RBAC96 model: policy neutral
LBAC models: policy full and varied
LBAC can be reduced to RBAC96
LBAC < RBAC96 ?
why bother to do this?
3
RBAC96
[Diagram labels: USERS, ROLES, PERMISSIONS, SESSIONS, ROLE HIERARCHIES, USER-ROLE ASSIGNMENT, PERMISSION-ROLE]
This is a somewhat busy slide. It shows a bird’s eye view of RBAC. There are many details that need to be debated and filled in. Some of these will be discussed in the subsequent panel. For our purpose the bird’s eye view will suffice.
4
HIERARCHICAL ROLES
[Diagram labels: Engineer, Hardware, Software, Supervising]
5
RBAC96
[Diagram labels: USERS, ROLES, PERMISSIONS, SESSIONS, ROLE HIERARCHIES, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE, CONSTRAINTS]
6
WHAT IS THE POLICY IN RBAC?
RBAC is policy neutral
Role hierarchies facilitate security management
Constraints facilitate non-discretionary policies
7
LBAC: LIBERAL *-PROPERTY
[Diagram: lattice with labels H, L, M1, M2; Read and Write marked with + and -]
8
RBAC96: LIBERAL *-PROPERTY
[Diagram: role hierarchy with read roles HR, LR, M1R, M2R and write roles LW, HW, M1W, M2W; Read and Write marked with + and -]
9
RBAC96: LIBERAL *-PROPERTY
user xR, user has clearance x
user LW, independent of clearance
Need constraints
session xR iff session xW
read can be assigned only to xR roles
write can be assigned only to xW roles
(O,read) assigned to xR iff (O,write) assigned to xW
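Added example, not part of the original slides: a Python model of the RBAC96 construction for the liberal *-property using the constraints listed on this slide, compared against the LBAC rules (read down, write up). The lattice H > M1, M2 > L, the object names, and the direction of the two role hierarchies (read roles ordered like the lattice, write roles inversely) are assumptions.

```python
# Constructed 4-point lattice: H dominates M1 and M2, which both dominate L.
LABELS = ["H", "M1", "M2", "L"]
COVERS = {("H", "M1"), ("H", "M2"), ("M1", "L"), ("M2", "L")}

def dominates(x, y):
    """True when x >= y in the lattice (reflexive-transitive closure of COVERS)."""
    return x == y or any(a == x and dominates(b, y) for a, b in COVERS)

def juniors(role):
    """Roles whose permissions `role` inherits, itself included.
    Assumption: read roles are ordered like the lattice, write roles inversely."""
    x, kind = role[:-1], role[-1]
    if kind == "R":
        return {y + "R" for y in LABELS if dominates(x, y)}
    return {y + "W" for y in LABELS if dominates(y, x)}

def permissions(objects):
    """PA: (O,read) is assigned to xR iff (O,write) is assigned to xW."""
    pa = {}
    for obj, x in objects.items():
        pa.setdefault(x + "R", set()).add((obj, "read"))
        pa.setdefault(x + "W", set()).add((obj, "write"))
    return pa

def user_roles(clearance):
    """UA: user is in xR for clearance x, and in LW independent of clearance."""
    return {clearance + "R", "LW"}

def open_session(clearance, y):
    """Session constraint: yR is active iff yW is; both must be activatable."""
    wanted = {y + "R", y + "W"}
    reachable = set().union(*(juniors(r) for r in user_roles(clearance)))
    if not wanted <= reachable:
        raise PermissionError(f"clearance {clearance} cannot run a session at {y}")
    return wanted

def allows(session, pa, obj, op):
    """A session holds the permissions of its active roles and their juniors."""
    active = set().union(*(juniors(r) for r in session))
    return any((obj, op) in pa.get(r, set()) for r in active)

def matches_lbac(objects):
    """RBAC96 decisions equal simple security plus liberal *-property."""
    pa = permissions(objects)
    return all(
        allows(open_session("H", y), pa, o, "read") == dominates(y, x)
        and allows(open_session("H", y), pa, o, "write") == dominates(x, y)
        for y in LABELS for o, x in objects.items())
```

A user cleared to M1 can open a session at M1 or L but not at M2 or H, because only read roles junior to M1R are activatable while every write role is junior to LW.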
10
LBAC: STRICT *-PROPERTY
[Diagram: lattice with labels H, L, M1, M2; Read and Write marked with + and -]
11
RBAC96: STRICT *-PROPERTY
[Diagram: role hierarchy with read roles HR, LR, M1R, M2R and write roles M1W, LW, HW, M2W]
12
LBAC: WRITE RANGE
[Diagram: lattice with labels H, L, M1, M2]
subjects have 2 labels
read label
write label
13
RBAC96: WRITE RANGE LIBERAL *-PROPERTY
[Diagram: role hierarchy with read roles HR, LR, M1R, M2R and write roles LW, HW, M1W, M2W]
read role ° write role
14
RBAC96: WRITE RANGE STRICT *-PROPERTY
[Diagram: role hierarchy with read roles HR, LR, M1R, M2R and write roles M1W, LW, HW, M2W]
read role ° write role
15
LBAC: CONFIDENTIALITY AND INTEGRITY
[Diagram labels: HS-LI, LS-HI, HS-HI, LS-LI; HS, LS; LI, HI]
two independent lattices
one composite lattice
16
RBAC96: CONFIDENTIALITY AND INTEGRITY READ ROLES
[Diagram: read role hierarchy over HSR-LIR, HSR-HIR, LSR-LIR, LSR-HIR]
Same for all cases
17
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
[Diagram: write role hierarchy over LSW-HIW, HSW-HIW, LSW-LIW, HSW-LIW]
Liberal confidentiality
Liberal integrity
18
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
[Diagram: write role hierarchy over LSW-LIW, LSW-HIW, HSW-LIW, HSW-HIW]
Strict confidentiality
Liberal integrity
19
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
[Diagram: write role hierarchy over LSW-HIW, HSW-HIW, LSW-LIW, HSW-LIW]
Strict confidentiality
Strict integrity
20
SUMMARY
policy-neutral RBAC96 can accommodate policy-full LBAC in all its variations
LBAC variations are modeled by
adjusting role hierarchy
adjusting constraints
21
COVERT CHANNELS
are a problem for LBAC
remain a problem for RBAC
but they don’t get any worse
same techniques can be adapted
who cares about them anyway