ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW
Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman
Seta Corporation, McLean, VA
Ravi Sandhu is also affiliated with George Mason University, Fairfax, VA
RBAC
- An alternative to classical MAC and DAC
- Substantial history and tradition
- Often used to separate administrative functions
- Extend this concept into the application domain
RBAC (diagram): USERS --[USER-ROLE ASSIGNMENT]--> ROLE --[PRIVILEGE-ROLE ASSIGNMENT]--> PRIVILEGES
- Primitive privileges: read, write, append, execute
- Abstract privileges: credit, debit, inquiry
- Generic privileges: auditor
USERS
- Users are human beings
- Each individual should be known as exactly one user
POLICY VERSUS MECHANISM
- Roles are a policy concept
- Several mechanisms can be used to implement roles: roles, groups, compartments
- Some mechanisms are better suited than others
WHAT IS THE POLICY IN RBAC?
- There is no information flow policy
- RBAC is a framework to help in articulating policy
- The main point of RBAC is to facilitate security management
INTERACTION OF RBAC, MAC AND DAC (diagram: overlapping regions for RBAC, MAC and DAC, with the permitted accesses marked where they overlap)
RBAC (diagram): USERS --[USER-ROLE ASSIGNMENT]--> ROLE --[PRIVILEGE-ROLE ASSIGNMENT]--> PRIVILEGES, with ROLE HIERARCHIES added on the roles
HIERARCHICAL ROLES (diagram): Health-Care Provider is the junior role; Physician is senior to it; Primary-Care Physician and Specialist Physician are each senior to Physician
HIERARCHICAL ROLES (diagram): Engineer is the junior role; Hardware Engineer and Software Engineer are each senior to Engineer; Supervising Engineer is senior to both
SCOPED INHERITANCE (diagram): Department Head at the top; Project 1 Manager and Project 2 Manager beneath it; each project's Programmers and Testing roles beneath their project manager; each project's Public role (Project 1 Public, Project 2 Public) beneath those; Department Public at the bottom, shared by both projects, so inheritance stays within a project except for what the department makes public
RBAC (diagram): USERS --[USER-ROLE ASSIGNMENT]--> ROLE --[PRIVILEGE-ROLE ASSIGNMENT]--> PRIVILEGES, with ROLE HIERARCHIES and CONSTRAINTS added
CONSTRAINTS: Mutually Exclusive Roles
- Static exclusion: the same individual can never hold both roles
- Dynamic exclusion: the same individual can never hold both roles in the same context
CONSTRAINTS: Mutually Exclusive Privileges
- Static exclusion: the same role should never be assigned both privileges
- Dynamic exclusion: the same role can never hold both privileges in the same context
CONSTRAINTS: Cardinality Constraints on User-Role Assignment
- At most k users can belong to the role
- At least k users must belong to the role
- Exactly k users must belong to the role
CONSTRAINTS: Cardinality Constraints on Privilege-Role Assignment
- At most k roles can get the privilege
- At least k roles must get the privilege
- Exactly k roles must get the privilege
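As an added worked example (not code from the slides or from the authors), the following small Python RBAC engine implements the pieces the preceding slides describe: user-role and privilege-role assignment, a role hierarchy with inherited privileges, static and dynamic mutual exclusion, and cardinality constraints. The Engineer hierarchy follows the deck's slide; the privilege names, the Auditor role, the exclusion pairs, the cardinality limits, the user names, and the choice of a session as the "context" for dynamic exclusion are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


class ConstraintViolation(Exception):
    """Raised when an assignment or activation would break a constraint."""


@dataclass
class RBAC:
    role_privs: Dict[str, Set[str]] = field(default_factory=dict)   # privilege-role assignment
    juniors: Dict[str, Set[str]] = field(default_factory=dict)      # senior role -> junior roles it inherits
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user-role assignment
    static_excl: Set[FrozenSet[str]] = field(default_factory=set)   # role pairs one user may never hold together
    dynamic_excl: Set[FrozenSet[str]] = field(default_factory=set)  # role pairs never active in the same session
    min_users: Dict[str, int] = field(default_factory=dict)         # "at least k users" per role
    max_users: Dict[str, int] = field(default_factory=dict)         # "at most k users" per role
    sessions: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)  # (user, session) -> active roles

    def add_role(self, role, privileges=(), inherits=()):
        self.role_privs[role] = set(privileges)
        self.juniors[role] = set(inherits)

    def all_juniors(self, role):
        """Transitive closure downward from `role`, including the role itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def effective_privileges(self, role):
        """Direct privileges plus everything inherited through the hierarchy."""
        return set().union(*(self.role_privs.get(r, set()) for r in self.all_juniors(role)))

    def users_of(self, role):
        return {u for u, rs in self.user_roles.items() if role in rs}

    def assign(self, user, role):
        """User-role assignment: enforces static exclusion and 'at most k users'."""
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.static_excl:
                raise ConstraintViolation(f"{user}: {role} statically excludes {other}")
        if role in self.max_users and len(self.users_of(role)) >= self.max_users[role]:
            raise ConstraintViolation(f"{role}: at most {self.max_users[role]} users allowed")
        held.add(role)

    def activate(self, user, session, role):
        """Activate a held role in a session: enforces dynamic exclusion."""
        if role not in self.user_roles.get(user, set()):
            raise ConstraintViolation(f"{user} does not hold {role}")
        active = self.sessions.setdefault((user, session), set())
        for other in active:
            if frozenset((role, other)) in self.dynamic_excl:
                raise ConstraintViolation(f"{user}/{session}: {role} dynamically excludes {other}")
        active.add(role)

    def permitted(self, user, session, privilege):
        """Access check: only roles activated in this session count, not every role held."""
        active = self.sessions.get((user, session), set())
        return any(privilege in self.effective_privileges(r) for r in active)

    def cardinality_violations(self):
        """'At least k users' cannot be enforced at assignment time; audit it as a state check."""
        return {r for r, k in self.min_users.items() if len(self.users_of(r)) < k}


def build_example():
    """Hierarchy from the deck's Engineer slide; privileges and constraints are constructed."""
    rbac = RBAC()
    rbac.add_role("Engineer", {"read-design"})
    rbac.add_role("Hardware Engineer", {"edit-schematic"}, inherits={"Engineer"})
    rbac.add_role("Software Engineer", {"commit-code"}, inherits={"Engineer"})
    rbac.add_role("Supervising Engineer", {"approve-release"},
                  inherits={"Hardware Engineer", "Software Engineer"})
    rbac.add_role("Auditor", {"inquiry"})
    rbac.static_excl.add(frozenset({"Auditor", "Supervising Engineer"}))        # assumed policy
    rbac.dynamic_excl.add(frozenset({"Hardware Engineer", "Software Engineer"}))  # assumed policy
    rbac.max_users["Supervising Engineer"] = 1
    rbac.min_users["Auditor"] = 1
    return rbac


def attempt(fn, *args):
    """Run an assignment or activation and report whether a constraint blocked it."""
    try:
        fn(*args)
        return "allowed"
    except ConstraintViolation:
        return "blocked"


def demo():
    rbac = build_example()
    rbac.assign("alice", "Supervising Engineer")
    rbac.assign("bob", "Hardware Engineer")
    rbac.assign("bob", "Software Engineer")           # allowed: only dynamically exclusive
    rbac.activate("bob", "s1", "Hardware Engineer")
    rbac.activate("alice", "s2", "Supervising Engineer")
    return {
        "static": attempt(rbac.assign, "alice", "Auditor"),                 # blocked
        "cardinality": attempt(rbac.assign, "carol", "Supervising Engineer"),  # blocked
        "dynamic": attempt(rbac.activate, "bob", "s1", "Software Engineer"),   # blocked
        "alice_reads": rbac.permitted("alice", "s2", "read-design"),      # True, via inheritance
        "bob_commits_s1": rbac.permitted("bob", "s1", "commit-code"),     # False, role not active
        "understaffed": rbac.cardinality_violations(),                    # {"Auditor"}
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noticing: the static constraints are checked when a role is assigned, while the dynamic one is checked when a role is activated in a session, which is what makes "in the same context" enforceable; and an "at least k" cardinality rule cannot be enforced by refusing assignments, so it is reported as an audit finding over the current state instead.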
SCALE
- Hundreds of roles
- User-role assignment will change frequently
- Privilege-role assignment will change frequently
- Role hierarchy will change occasionally
RBAC SUMMARY
- RBAC is a sophisticated and multi-dimensional concept
- Different products will support variations of RBAC (even if standards emerge)
BELL-LAPADULA AND RBAC
Can BLP be practically and conveniently done in RBAC? YES
IS RBAC A PANACEA? NO