Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFS 767 Fall 2003 Administrative RBAC

Published byDylan Donovan Modified over 11 years ago

Similar presentations

Presentation on theme: "INFS 767 Fall 2003 Administrative RBAC"— Presentation transcript:

1 INFS 767 Fall 2003 Administrative RBAC
ARBAC97 Prof. Ravi Sandhu

2 SCALE AND RATE OF CHANGE
roles: 100s or 1000s users: 1000s or 10,000s or more Frequent changes to user-role assignment permission-role assignment Less frequent changes for role hierarchy

3 ADMINISTRATIVE RBAC ... ROLES PERMISSIONS USERS CAN- MANAGE ADMIN
This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice

4 ARBAC97 DECENTRALIZES user-role assignment (URA97)
permission-role assignment (PRA97) role-role hierarchy groups or user-only roles (extend URA97) abilities or permission-only roles (extend PRA97) UP-roles or user-and-permission roles (RRA97)

5 ADMINISTRATIVE RBAC RBAC2 RBAC1 RBAC0 RBAC3 ARBAC2 ARBAC1 ARBAC0

6 EXAMPLE ROLE HIERARCHY
Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) PROJECT 1 Engineering Department (ED) PROJECT 2 Employee (E)

7 EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2)

8 URA97 GRANT MODEL: can-assign
ARole Prereq Role Role Range PSO1 ED [E1,PL1) PSO2 ED [E2,PL2) DSO ED (ED,DIR) SSO E [ED,ED] SSO ED (ED,DIR]

9 URA97 GRANT MODEL : can-assign
ARole Prereq Cond Role Range PSO1 ED [E1,E1] PSO1 ED & ¬ P1 [Q1,Q1] PSO1 ED & ¬ Q1 [P1,P1] PSO2 ED [E2,E2] PSO2 ED & ¬ P2 [Q2,Q2] PSO2 ED & ¬ Q2 [P2,P2]

10 URA97 GRANT MODEL “redundant” assignments to senior and junior roles
are allowed are useful

11 URA97 REVOKE MODEL WEAK REVOCATION
revokes explicit membership in a role independent of who did the assignment

12 URA97 REVOKE MODEL STRONG REVOCATION
revokes explicit membership in a role and its seniors authorized only if corresponding weak revokes are authorized alternatives all-or-nothing revoke within range

13 URA97 REVOKE MODEL : can-revoke
ARole Role Range PSO1 [E1,PL1) PSO2 [E2,PL2) DSO (ED,DIR) SSO [ED,DIR]

14 PERMISSION-ROLE ASSIGNMENT
dual of user-role assignment can-assign-permission can-revoke-permission weak revoke strong revoke (propagates down)

15 PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN-PERMISSION
ARole Prereq Cond Role Range PSO1 PL1 [E1,PL1) PSO2 PL2 [E2,PL2) DSO E1  E2 [ED,ED] SSO PL1  PL2 [ED,ED] SSO ED [E,E]

16 PERMISSION-ROLE ASSIGNMENT CAN-REVOKE-PERMISSION
ARole Role Range PSO1 [E1,PL1] PSO2 [E2,PL2] DSO (ED,DIR) SSO [ED,DIR]

17 ARBAC97 DECENTRALIZES user-role assignment (URA97)
permission-role assignment (PRA97) role-role hierarchy groups or user-only roles (extend URA97) abilities or permission-only roles (extend PRA97) UP-roles or user-and-permission roles (RRA97)

18 Range Definitions Range Create Range Encap. Range Authority Range

19 Authority Range Range: Authority Range: Partial Overlap of Ranges:
(x, y) = {r : Roles | x < r < y} Authority Range: A range referenced in can-modify relation Partial Overlap of Ranges: The ranges Y and Y’ partially overlap if Y Ç Y’ ¹ f and Y Ë Y’ Ù Y’ Ë Y Partial Overlap of Authority Ranges is forbidden

20 Authority Range Encapsulated Authority Range:
The authority range (x, y) is said to be encapsulated if "r1 Î (x, y) and "r2 Ï (x, y) r2 > r1 Û r2 > y Ù r2 < r1 Û r2 < x

21 Non-encapsulated Range (x, y)

22 Encapsulated Range (x, y)

23 Encapsulated Range (x, y)

24 ROLE CREATION New roles are created one at a time
Creation of a role requires specification of immediate parent and child immediate parent and child must be a create range

25 Role Creation Create Range: The range (x, y) is a create range if
(a) ARimmediate(x) = ARimmediate(y) Ú (b) x = End point of ARimmediate(y) Ú (c) y = End point of ARimmediate(x) Note: only comparable roles constitute a create range.

26 Create Range A Authority ranges: (x, y) and (B, A) y y‘ r1 r2 r4 r3 x

27 Role Deletion Roles in the authority range can be deleted by administrator of that range. End points of authority ranges cannot be deleted.

28 Inactive Roles End points of authority ranges can be made inactive.
A user associated to it cannot use it. Inheritance of permissions is not affected. Permissions and users can be revoked.

29 Other Restrictions on deletion of roles
Roles can be deleted only when they are empty. Delete the role and at the same time: assign permissions to immediate senior roles. Assign the users to immediate junior roles.

30 INSERTION OF AN EDGE Inserted only between incomparable roles (No Cycles) Inserted one at a time. The edge AB is inserted if (a) ARimmediate(A) = ARimmediate(B) and (b) For a junior authority range (x, y): (A = y Ù B > x) or (B = x Ù A < y) must ensure encapsulation of (x, y).

31 DELETION OF AN EDGE Deleted one at a time.
The edges in transitive reduction are candidates for deletion. Edges connecting the end points of an authority range cannot be deleted. Implied edges are not deleted

32 Example : Before deletion (SQE1, JQE1)
DIR PL2 PL1 SQE1 PE1 PE2 QE2 JQE1 E2 E1 ED

33 Example : After deletion (SQE1, JQE1)
DIR PL2 PL1 SQE1 PE1 PE2 QE2 JQE1 E2 E1 ED

34 Conclusion RRA97 completes ARBAC97
RRA97 provides decentralized administration of role hierarchies. Gives administrative role autonomy within a range but only so far as the side effects of the resulting actions are acceptable.

Download ppt "INFS 767 Fall 2003 Administrative RBAC"

Similar presentations

Chapter 5 Deadlocks. Contents What is deadlock? What is deadlock? Characterization Characterization Resource allocation graph Resource allocation graph.

Chapter 5 Deadlocks. Contents What is deadlock? What is deadlock? Characterization Characterization Resource allocation graph Resource allocation graph.
RBAC Role-Based Access Control

RBAC Role-Based Access Control
1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
Role Based Access Control

Role Based Access Control
Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair

Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,

1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,
SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,

SACMAT 03© Mohammad Al-Kahtani1 Induced Role Hierarchies with Attribute-Based RBAC Mohammad A. Al-Kahtani Ravi Sandhu George Mason University NSD Security,
1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.

1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.
FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.
© 2004 Ravi Sandhu www.list.gmu.edu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.

© 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.

Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.
1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University.

1 SACMAT 2002 © Oh and Sandhu 2002 A Model for Role Administration Using Organization Structure Sejong Oh Ravi Sandhu * George Mason University.
ARBAC99 (Model for Administration of Roles)

ARBAC99 (Model for Administration of Roles)
Ravi Sandhu Venkata Bhamidipati

Ravi Sandhu Venkata Bhamidipati
ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC)
Role Activation Hierarchies Ravi Sandhu George Mason University.

Role Activation Hierarchies Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University

SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
How to do Discretionary Access Control Using Roles Ravi Sandhu Qamar Munawer.

How to do Discretionary Access Control Using Roles Ravi Sandhu Qamar Munawer.

Similar presentations

Ads by Google