
Access Control Hierarchies (best viewed in slide show mode)

Access Control Hierarchies (best viewed in slide show mode). Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu. RBAC96 Model. ARBAC97. User-Role Assignment: URA97 Permission-Role Assignment: PRA97


Presentation Transcript


  1. Access Control Hierarchies (best viewed in slide show mode) • Ravi Sandhu • Laboratory for Information Security Technology • George Mason University • www.list.gmu.edu • sandhu@gmu.edu

  2. RBAC96 Model

  3. ARBAC97 • User-Role Assignment: URA97 • Permission-Role Assignment: PRA97 • Role-Role Assignment: RRA97 Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. “The ARBAC97 Model for Role-Based Administration of Roles.” ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages 105-135.

  4. Example Role Hierarchy

  5. Example Administrative Role Hierarchy

  6. Abilities, Groups and UP-Roles

  7. Four operations • Create role • Delete role • Insert edge • Delete edge • Authorized by a single relation can-modify • More complex operations can be built from these • Chief Security Officer can bypass all these controls

  8. can-modify • Authority range must be encapsulated • To be discussed later • [figure callout: "not a typo"]

  9. Example Role Hierarchy [figure; labels: PSO1, DSO, PSO1]

  10. Semantics of create role • Specify immediate parent and child • These must be within the can-modify range or be one of the endpoints of the range • Immediate parent must be senior to immediate child • If junior will introduce cycle • If incomparable will introduce a new edge (so introduce the new edge first and then create the new role) • Immediate parent and immediate child must constitute a create range (prior to creation) • To be discussed later

  11. Semantics of delete role • Deletion of a role preserves all transitive edges • Deletion that causes dangling references is prohibited • Prohibit deletion of roles used in can_assign, can_revoke, can_modify OR • Deactivate these roles when they are deleted. Inactive roles cannot be activated in a session and new users and permissions cannot be added. • Preserve permissions and users in a deleted role • Only empty roles can be deleted OR • Users pushed down to immediately junior roles and permissions are pushed up to immediately senior roles

  12. Semantics of insert edge • Edges can be inserted only between incomparable roles • Edge insertion must preserve encapsulation of authority ranges • To be discussed

  13. Semantics of delete edge • Edges can be deleted only if they are not transitively implied • Deleting an edge preserves transitive edges • Some of which will become visible in the Hasse diagram • Cannot delete an edge between the endpoints of an authority range • To be discussed

  14. Edge insertion anomaly [figure; labels: PSO1, DSO, PSO1]

  15. Edge insertion anomaly • Edge insertion by PSO1 in range (E1,PL1) impacts relationship between X and Y outside the PSO1 range

  16. Edge insertion anomaly • Let it happen • Do not allow X and Y to be introduced (by DSO) • Do not allow PSO1 to insert edge from QE1 to PE1

  17. Role Ranges [figure callout: "typo"]

  18. Range Definitions • Range • Create Range • Encapsulated Range • Authority Range

  19. Encapsulated Role Ranges [figure callout: "typo"]

  20. Encapsulated Role Ranges • Encapsulated • (E1,PL1) • (E2,PL2) • (ED,DIR) • (E,DIR) • Non-encapsulated • (E,PL1) • (E,PL2) • (E,E1) • (E,E2) • [figure; labels: PSO1, DSO, PSO1]

  21. Encapsulated Role Ranges • Encapsulated • (x,y) • (r2,y) • (B,A) • Non-encapsulated • (x’,y’) • (B,y’)

  22. Encapsulated Role Ranges • Encapsulated • (r2,y) • (B,A) • Non-encapsulated • (x,y) • (x’,y’) • (B,y’)

  23. Create Ranges

  24. Create Ranges • Authority ranges • (B,A) • (x,y) • Create ranges • dashed lines --- • [figure callouts: A is end point of AR_immediate(x); A is end point of AR_immediate(r3); "these are not create ranges"; B is end point of AR_immediate(y)]

  25. Preserving encapsulation on edge insertion

  26. Preserving encapsulation on edge insertion • Insertion of (y,r3) is ok but will prevent future insertion of (r3,x) • Likewise insertion of (r3,x) is ok but will prevent future insertion of (y,r3) • Authority ranges • (B,A) • (x,y)

  27. Edge deletion example

  28. Next class • Read • Jason Crampton and George Loizou. “Administrative scope: A foundation for role-based administrative models.” ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages 201-231. Available in ACM digital library through GMU. • and come prepared to discuss

  29. Assignment • Prove or give counterexample • An authority range is always a create range? • If x is an immediate child of y then (x,y) is a create range? • Prove or give counterexample • If x is an immediate child of y then (x,y) can always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?
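Added example (not from the slides or the ARBAC97 authors): a check for the encapsulation property used on slides 19 to 22, run against the ranges that slide 20 classifies. It makes two assumptions. The edge list is the engineering hierarchy from the ARBAC97 paper's example, since the figure did not survive in this transcript. The definition is read as: for every role r1 inside (x, y) and every role r2 outside the closed range [x, y], r2 > r1 iff r2 > y, and r2 < r1 iff r2 < x. The role name OUTSIDER is hypothetical.

```python
# Immediate junior -> senior edges. Assumed: the engineering hierarchy of the
# ARBAC97 paper's example; the figure itself did not survive on this page.
EDGES = [("E", "ED"), ("ED", "E1"), ("ED", "E2"),
         ("E1", "PE1"), ("E1", "QE1"), ("PE1", "PL1"), ("QE1", "PL1"),
         ("E2", "PE2"), ("E2", "QE2"), ("PE2", "PL2"), ("QE2", "PL2"),
         ("PL1", "DIR"), ("PL2", "DIR")]

def seniors(edges):
    """Map every role to the set of roles strictly senior to it."""
    up = {r: set() for edge in edges for r in edge}
    for junior, senior in edges:
        up[junior].add(senior)
    changed = True
    while changed:  # transitive closure by fixed-point iteration
        changed = False
        for r in up:
            extra = set().union(*(up[s] for s in up[r])) - up[r]
            if extra:
                up[r] |= extra
                changed = True
    return up

def is_encapsulated(edges, x, y):
    """Check the open range (x, y); outside roles are those not in [x, y]."""
    up = seniors(edges)
    if y not in up[x]:
        raise ValueError(f"{x} is not junior to {y}")
    inside = {r for r in up[x] if y in up[r]}
    outside = set(up) - inside - {x, y}
    for r1 in inside:
        for r2 in outside:
            if (r2 in up[r1]) != (r2 in up[y]):   # r2 > r1  <=>  r2 > y
                return False
            if (r1 in up[r2]) != (x in up[r2]):   # r2 < r1  <=>  r2 < x
                return False
    return True

# Ranges as classified on slide 20.
SLIDE_ENCAPSULATED = [("E1", "PL1"), ("E2", "PL2"), ("ED", "DIR"), ("E", "DIR")]
SLIDE_NON_ENCAPSULATED = [("E", "PL1"), ("E", "PL2"), ("E", "E1"), ("E", "E2")]

def classify(edges, ranges):
    """Return {range: encapsulated?} for each (x, y) pair."""
    return {rng: is_encapsulated(edges, *rng) for rng in ranges}

if __name__ == "__main__":
    for rng, ok in classify(EDGES, SLIDE_ENCAPSULATED + SLIDE_NON_ENCAPSULATED).items():
        print(rng, "encapsulated" if ok else "non-encapsulated")
    # Hypothetical role OUTSIDER made senior to PE1 only: (E1, PL1) breaks.
    print(is_encapsulated(EDGES + [("PE1", "OUTSIDER")], "E1", "PL1"))
```

The last call shows why can-modify requires encapsulated authority ranges: once a role outside the range is attached to an interior role, changes made inside the range can alter relationships outside it.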
