Download presentation
Presentation is loading. Please wait.
Published byPierce Ross Modified over 9 years ago
1
Authorization in Trust Management Conditional Delegation and Attribute-Based Role Assignment using XACML and RBAC Brian Garback © Brian Garback 2005
2
Authorization in Trust Management Trust Management System: – Architecture to maintain privacy and security of medical data – Control access within and across domains Authorization – Policy Definition – Policy Enforcement
3
Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Conditional Delegation of Permission
4
Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Conditional Delegation of Permission
5
Role-Based Access Control Physician Nurse Patient Admin Read Medical Record Write Prescription Write Medical Record Read Prescription ⋮ UsersRolesPermissions
6
Hierarchical RBAC Physician Patient Operate ⋮ UsersRolesPermissions Hospital User Orthopedist Surgeon Perform X-Ray Write Prescription Read Prescription Read Demographics
7
Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Conditional Delegation of Permission
8
XACML from XML extension language to specify and enforce authorization policy XACML 2.0 approved Feb 2005 XACML provides: – Standard security policy language – Policy combination – Conditional context-aware access control
9
XACML System Design
10
XML Structure
11
Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Conditional Delegation of Permission
12
XACML Profile for RBAC Draft v2.0 approved Sept. 2004 Contents: – Assigning and Enabling Role Attributes – Core and Hierarchical RBAC implementation – Access Control
13
RBXACML Policies Role Assignment Policy Set – Enables roles for users Permission Policy Set – Associates permissions with roles Role Policy Set – Associates enabled roles with a PPS Three Employee-Manager Examples -
14
Role Assignment Example
15
Manager Permission Example
16
Hierarchical Permission Example
17
RBXACML Takeaways Implementation of RBAC using XACML – Organized into RAPS, PPS, and RPS Shortcomings: – Hierarchy created through PPS references, not at role-level – Lacks of clear role assignment specification – No mention of permission delegation
18
Talk Outline RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML – Attribute-Based Role Assignment – Conditional Delegation of Permission
19
RBXACML Enhancements Goals: – More rigorously define role assignments Assign roles to users based on sets of user attributes – Support delegation Allow control for administrator and delegator over delegated permissions Physician
20
Attribute-Based Role Assignment Original RBAC: ABRA: Physician If subject-id = 5 If holds physician role in highly-trusted remote domain
21
XACML for ABRA Every Role has one RAP RAPS = { RAPs } RAP = { enabling rules }
22
Why Delegation? Delegation: – One giving a portion of its authority to another Motivating examples: – Physician to Physician Attending permissions to a patient while on leave – Physician to Medical Student Permission to read a patient’s record
23
Constraining Delegation Constrain delegation by specifying: – which permissions are delegatable Allow subset to be specified – how permissions can be delegated Delegation condition – Fulfilled by delegator before he can delegate a role Delegatee enabling condition – Fulfilled by delegatee before a role is enabled for him Manifested as rules in a permission policy
24
Physician to Medical Student
25
Summary of Topics RBAC: XACML: authorization policy language RBXACML: combines both technologies Enhancements: – ABRA: roles to user attribute expressions – Conditional Delegation: Delegation Condition Delegatee Enabling Condition Physician Read Prescription Physician If holds physician role in highly-trusted remote domain
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.