Presentation is loading. Please wait.

Presentation is loading. Please wait.

Role-Based Access Control Richard Newman (c) 2012 R. Newman.

Published byWilfred Snow Modified over 9 years ago

Similar presentations

Presentation on theme: "Role-Based Access Control Richard Newman (c) 2012 R. Newman."— Presentation transcript:

1 Role-Based Access Control Richard Newman (c) 2012 R. Newman

2 Why RBAC? Ease of administration – Move users in and out of roles – Move access rights in and out of roles – Single admin operation vs. one per object – Very flexible Mental Model – Roles define access – Role captures – function, responsibility, trust, qualifications – Matches intuitive understanding of the “why” of access  Least Privilege  Restricts access according to needs  Separation of duty through constraints  Allows restricting role binding

3 RBAC Models RBAC-1: Flat RBAC – Direct assignment to user with “role” or job function – No hierarchy – Multiple simultaneous active roles per user RBAC-2: Hierarchical RBAC – Hierarchies – Inheritance RBAC-3: Constrained RBAC – (Hierarchy or No hierarchy, depending on model system) – Constraints on role bindings RBAC-4: Symmetric RBAC – Constraints and hierarchies – NIST model

4 RBAC Elements Five elements – User – entity requesting access to object Has no access as user, only in role – Role – package of permissions Assigned to users by association/binding – Permission – grants access to operation on an object – Operation – specific functions depending on object – Object – anything containing information that a user may need to access, or an application a user may need to employ Associations – Many-to-many user-to-role assignment – Many-to-many permission-to-role assignment

5 Role Engineering Design of collection of roles for organization – Positions, organizational structures, job functions – Care required to enforce least privilege – Requires testing Groups defined by roles – Level of indirection – User associates with role, role has permissions – Role changes needed permissions, do once for role – User changes role, do once to remove role association

6 Hierarchy and Inheritance Roles related in hierarchical structure – Subordinate roles inherit rights from roles above – Rights added as role becomes more specific – Allows assignment of users to fewer roles Only most specific roles needed Multiple role associations – Constraints Can preclude assignment of one role if another is assigned – Multiple inheritance specifications

7 Flat RBAC (1) Assignments – Users to roles (many-to-many) – Permissions to roles (many-to-many) – Multiple simultaneous active roles per user Reviews – User-role Which roles are assigned to a user Which users are assigned to a role Rationale – Features of traditional group-based systems – Basic requirements for any RBAC model

8 Hierarchical RBAC (2) All RBAC-1 requirements, plus Hierarchy – Partial order on roles (seniority) – Senior role acquires permissions of its juniors – May be inheritance hierarchy (activation of all junior roles), or activation hierarchy (no activation implied), or both Two sub-levels (continue through higher levels) – a - General Hierarchical RBAC Arbitrary partial order – b - Restricted Hierarchical RBAC Simplified structures only, e.g., trees Rationale – Greatly simplifies administration of permission assignment – Sub-levels recognize existing implementations and potential

9 Constrained RBAC (3) All RBAC-2 requirements, plus Constraints – Enforce separation of duty (SOD) requirements – Reduces fraud, malfeasance – Spreads responsibility and authority for an action over multiple individuals Two types – Static Disallow user-role assignment combinations – Dynamic Disallow U-R combinations on a per-transaction basis Rationale – Support for SOD – Static is easier to test, dynamic is more flexible

10 Symmetric RBAC (4) All RBAC-3 requirements, plus Additional review – User-role assignment (as in Flat RBAC) – Permission-role assignment Which roles have a permission Which permissions are assigned to a role Rationale – May be difficult to implement permission-role assignment efficiently in large-scale systems – Still, considered intrinsic aspect of RBAC by some

11 Sessions User session – Authentication – Process tree/system use Role activation – Automatic (all roles) – Default + activate role – Default + activate/deactivate role – NIST requires that multiple active roles are supported

12 Implementation Issues Scaling – Numbers of users, roles, permissions, associations supported – Review of user-role assignment – Review of permission-role assignment Revocation – Occurs when user or permission removed from role – When enacted? Immediately (even for current operations) Any future operations Any future sessions

Download ppt "Role-Based Access Control Richard Newman (c) 2012 R. Newman."

Similar presentations

RBAC Role-Based Access Control

RBAC Role-Based Access Control
FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.

FRAMEWORK FOR AGENT-BASED ROLE DELEGATION Presentation by: Ezedin S. Barka UAE University.
Role Activation Hierarchies Ravi Sandhu George Mason University.

Role Activation Hierarchies Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
ROLE BASED ACCESS CONTROL MODELS

ROLE BASED ACCESS CONTROL MODELS
Role-Based Access Control CS461/ECE422 Fall 2011.

Role-Based Access Control CS461/ECE422 Fall 2011.
Proposal for Fast-Tracking NIST Role-Based Access Control Standard David Ferraiolo Rick Kuhn National Institute of Standards and Technology Gathersburg,

Proposal for Fast-Tracking NIST Role-Based Access Control Standard David Ferraiolo Rick Kuhn National Institute of Standards and Technology Gathersburg,
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Access Control RBAC Database Activity Monitoring.

Access Control RBAC Database Activity Monitoring.
Access Control Methodologies

Access Control Methodologies
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Similar presentations

Ads by Google