Published by Jose Hill. Modified over 11 years ago.
Slide 1: A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL
Ravi Sandhu and Hal Feinstein
Seta Corporation, McLean, VA
Ongoing NIST-funded project
Other project members at Seta: Ed Coyne, Charles Youman
Slide 2: RBAC
- An alternative to classical MAC and DAC
- Substantial history and tradition
- Often used to separate administrative functions: Operator, Auditor, Security Officer, User
- Extend this concept into the application domain
Slide 3: INTERACTION OF RBAC, MAC AND DAC
[Figure: overlapping regions labelled RBAC, MAC and DAC, with the permitted accesses marked]
Slide 4: POLICY VERSUS MECHANISM
- Roles are a policy concept
- Several mechanisms can be used to implement roles: roles, groups, compartments
- Some mechanisms are better suited than others
Slide 5: RBAC
[Figure: USERS and PRIVILEGES linked through ROLE by USER-ROLE ASSIGNMENT and PRIVILEGE-ROLE ASSIGNMENT]
Slide 6: USERS
- Users are human beings
- Each individual should be known as exactly one user
Slide 7: PRIVILEGES
- Primitive privileges: read, write, append, execute
- Abstract privileges: credit, debit, inquiry
- Generic privileges: auditor
Slide 8: RBAC
[Figure: the slide 5 diagram (USERS, ROLE, PRIVILEGES, USER-ROLE ASSIGNMENT, PRIVILEGE-ROLE ASSIGNMENT) extended with ROLE HIERARCHIES]
Slide 9: HIERARCHICAL ROLES
[Figure: example role hierarchy: Health-Care Provider at the bottom, Physician above it, and Primary-Care Physician and Specialist Physician above Physician]
Slide 10: HIERARCHICAL ROLES
[Figure: example role hierarchy: Engineer at the bottom, Hardware Engineer and Software Engineer above it, and Supervising Engineer at the top]
Slide 11: RBAC
[Figure: the slide 8 diagram (USERS, ROLE, PRIVILEGES, USER-ROLE ASSIGNMENT, PRIVILEGE-ROLE ASSIGNMENT, ROLE HIERARCHIES) extended with CONSTRAINTS]
Slide 12: CONSTRAINTS
- Mutually exclusive roles
  - Static exclusion: the same individual can never hold both roles
  - Dynamic exclusion: the same individual can never hold both roles in the same context
- Prerequisite roles: a user must belong to one or more prerequisite roles in order to qualify for possible membership in some other role
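The model of slides 5 to 12 (user-role and privilege-role assignment, a role hierarchy, and the three constraint types) as a small working engine. This is an added example and not code from the Sandhu/Feinstein project; the role names (teller, account_manager, auditor, initiator, approver), users and the constraint pairs are constructed for illustration. Static exclusion is checked when a role is assigned, dynamic exclusion when roles are activated in a session (the slide's "same context"), and prerequisites at assignment time; hierarchy-implied roles count in every check.

```python
# Added example, not from the Sandhu/Feinstein slides: a small RBAC engine with
# user-role and privilege-role assignment, a role hierarchy, and the three kinds
# of constraint the slide names. Role, privilege and user names are constructed.
from dataclasses import dataclass, field


class ConstraintViolation(Exception):
    pass


@dataclass
class RBAC:
    juniors: dict = field(default_factory=dict)          # role -> roles directly junior to it
    role_privs: dict = field(default_factory=dict)       # role -> privileges granted by the role
    user_roles: dict = field(default_factory=dict)       # user -> explicitly assigned roles
    prerequisites: dict = field(default_factory=dict)    # role -> roles a user must already hold
    static_exclusive: set = field(default_factory=set)   # frozenset pairs never held together
    dynamic_exclusive: set = field(default_factory=set)  # frozenset pairs never active together
    sessions: dict = field(default_factory=dict)         # session id -> (user, active roles)

    def add_role(self, role, privs=(), juniors=()):
        self.juniors[role] = set(juniors)
        self.role_privs[role] = set(privs)

    def implied(self, roles):
        """The given roles plus every role reachable downward in the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def _excluded(self, roles_a, roles_b, pairs):
        return any(a != b and frozenset((a, b)) in pairs for a in roles_a for b in roles_b)

    def assign(self, user, role):
        held = self.implied(self.user_roles.get(user, set()))
        # Prerequisite roles: membership must already be held, directly or via the hierarchy.
        missing = self.prerequisites.get(role, set()) - held
        if missing:
            raise ConstraintViolation(f"{user} lacks prerequisite(s) {sorted(missing)} for {role}")
        # Static exclusion: the same individual can never hold both roles, even when
        # one of them is held only implicitly through the hierarchy.
        if self._excluded(held, self.implied({role}), self.static_exclusive):
            raise ConstraintViolation(f"{role} is statically excluded by a role {user} already holds")
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, session, user, roles):
        """Start a session; dynamic exclusion is checked against what is active in this context."""
        active = self.implied(roles)
        if not active <= self.implied(self.user_roles.get(user, set())):
            raise ConstraintViolation(f"{user} does not hold all of {sorted(roles)}")
        if self._excluded(active, active, self.dynamic_exclusive):
            raise ConstraintViolation(f"dynamically exclusive roles cannot be active together in {session}")
        self.sessions[session] = (user, active)

    def privileges(self, session):
        _, active = self.sessions[session]
        return set().union(*(self.role_privs.get(r, set()) for r in active))


def attempt(fn, *args):
    """Report whether an operation passed the constraint checks."""
    try:
        fn(*args)
        return "allowed"
    except ConstraintViolation:
        return "rejected"


def demo():
    r = RBAC()
    r.add_role("teller", privs={"inquiry", "credit"})
    r.add_role("account_manager", privs={"debit"}, juniors=["teller"])
    r.add_role("auditor", privs={"inquiry"})
    r.add_role("initiator", privs={"submit"})
    r.add_role("approver", privs={"approve"})
    r.prerequisites["account_manager"] = {"teller"}                  # must already be a teller
    r.static_exclusive.add(frozenset(("teller", "auditor")))         # never both
    r.dynamic_exclusive.add(frozenset(("initiator", "approver")))    # never both in one session

    out = {}
    out["alice_teller"] = attempt(r.assign, "alice", "teller")
    out["alice_manager"] = attempt(r.assign, "alice", "account_manager")  # prerequisite held
    out["bob_manager"] = attempt(r.assign, "bob", "account_manager")      # prerequisite missing
    out["alice_auditor"] = attempt(r.assign, "alice", "auditor")          # static exclusion
    out["carol_auditor"] = attempt(r.assign, "carol", "auditor")
    r.assign("dave", "initiator")
    r.assign("dave", "approver")                                          # fine: exclusion is only dynamic
    out["dave_both_active"] = attempt(r.activate, "s1", "dave", {"initiator", "approver"})
    out["dave_one_active"] = attempt(r.activate, "s2", "dave", {"approver"})
    r.activate("s3", "alice", {"account_manager"})
    out["alice_privs"] = sorted(r.privileges("s3"))                       # teller privileges inherited
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because `assign` and `activate` both expand roles through the hierarchy before checking, a constraint written against a junior role cannot be bypassed by being granted a senior one.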
Slide 13: SCALE
- Hundreds of roles
- User-role assignment will change frequently
- Privilege-role assignment will change frequently
- Role hierarchy will change occasionally
Slide 14: RBAC SUMMARY
- RBAC is a sophisticated and multi-dimensional concept
- Different products will support variations of RBAC (even if standards emerge)
Slide 15: ANSI/SPARC DATABASE ARCHITECTURE
[Figure: three External Views at the top, one Community View in the middle, one Implementation View at the bottom]
Slide 16: RBAC ARCHITECTURE
[Figure: three External Views at the top, one Community View in the middle, three Implementation Views at the bottom]
Slide 17: TOP TWO TIERS
[Figure: Community View with two External Views derived from it; the derivation is labelled ELIMINATION and REFINEMENT]
Slide 18: EXAMPLE
[Figure: a ROLE HIERARCHY with REFINEMENT and ELIMINATION applied to it]
Slide 19: BOTTOM TWO TIERS
[Figure: Community View with two Implementation Views derived from it; the derivation is labelled REFINEMENT and ELIMINATION]
Slide 20: BOTTOM TWO TIERS
[Figure: Community View with two Implementation Views below it, one labelled IMPLICIT MECHANISM and the other EXPLICIT MECHANISM]
Slide 21: IMPLICIT USER ASSIGNMENT
[Figure: a USER with one explicit assignment to a role in a ROLE HIERARCHY, and implicit assignments to the roles below it]
Slide 22: EXPLICIT USER ASSIGNMENT
[Figure: the same USER with NO ROLE HIERARCHY, so the one explicit assignment of slide 21 becomes several explicit assignments]
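The refinement that slides 21 and 22 picture, worked through in code: under a mechanism with a hierarchy the administrator records one explicit assignment and junior roles follow implicitly, whereas a mechanism with no hierarchy (flat groups, say) needs every implied membership materialised as its own explicit assignment. This is an added example, not the project's code; the role names are slide 9's, while the users, privileges and the later hierarchy change (a constructed "Prescriber" role) are assumptions. The `drift` check at the end is the practical consequence of slide 13: a hierarchy change, however occasional, silently invalidates a materialised table until it is regenerated.

```python
# Added example, not from the slides: refinement from the community view, where
# a role hierarchy makes junior roles implicit (slide 21), to an implementation
# mechanism with no hierarchy where every assignment is explicit (slide 22).
# Role names follow slide 9; users, privileges and the hierarchy change are constructed.

# Community view: senior role -> roles directly junior to it
HIERARCHY = {
    "Specialist Physician": {"Physician"},
    "Primary-Care Physician": {"Physician"},
    "Physician": {"Health-Care Provider"},
    "Health-Care Provider": set(),
}
ROLE_PRIVS = {
    "Health-Care Provider": {"read-schedule"},
    "Physician": {"read-chart", "write-order"},
    "Specialist Physician": {"read-referrals"},
    "Primary-Care Physician": {"write-referral"},
}
# One explicit assignment per user, as an administrator would record it
EXPLICIT = {"alice": {"Specialist Physician"}, "bob": {"Health-Care Provider"}}


def closure(roles, hierarchy):
    """The given roles plus every role below them in the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen


def implicit_holds(user, role, explicit=EXPLICIT, hierarchy=HIERARCHY):
    """Implicit mechanism: the hierarchy is consulted at check time."""
    return role in closure(explicit.get(user, set()), hierarchy)


def materialise(explicit=EXPLICIT, hierarchy=HIERARCHY):
    """Explicit mechanism: every implied membership becomes its own (user, role) pair."""
    return {(u, r) for u, roles in explicit.items() for r in closure(roles, hierarchy)}


def explicit_holds(user, role, memberships):
    """Explicit mechanism: a plain lookup, no hierarchy available."""
    return (user, role) in memberships


def privileges(user, holds, role_privs=ROLE_PRIVS):
    """Effective privileges under either mechanism, given its holds(user, role) predicate."""
    return {p for role, privs in role_privs.items() if holds(user, role) for p in privs}


def drift(memberships, explicit=EXPLICIT, hierarchy=HIERARCHY):
    """Memberships a materialised table lacks, or should no longer have, after a change."""
    wanted = materialise(explicit, hierarchy)
    return {"missing": wanted - memberships, "stale": memberships - wanted}


def demo():
    out = {}
    memberships = materialise()
    out["table"] = sorted(memberships)
    out["alice_physician_implicit"] = implicit_holds("alice", "Physician")
    out["alice_physician_explicit"] = explicit_holds("alice", "Physician", memberships)
    # Both mechanisms must authorise exactly the same privileges for every user.
    out["same_privileges"] = all(
        privileges(u, implicit_holds) == privileges(u, lambda u2, r: explicit_holds(u2, r, memberships))
        for u in EXPLICIT
    )
    # Constructed hierarchy change: a new role junior to Physician appears.
    changed = dict(HIERARCHY, Physician={"Health-Care Provider", "Prescriber"}, Prescriber=set())
    out["after_change"] = drift(memberships, hierarchy=changed)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the implicit mechanism the hierarchy change takes effect at the next check; with the explicit mechanism `drift` reports the membership that now has to be added by hand, which is the maintenance cost of choosing a mechanism without hierarchy support.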
Slide 23: CONCLUSION
- Further work is ongoing on the RBAC model and the RBAC architecture
- Preliminary results are promising