Role based access control on the web
ROLE-BASED ACCESS CONTROL ON THE WEB

LI LINGTAO

OCT 14, 2003



CONTENT

  • BACKGROUND (MAC, DAC)

  • Role-Based Access Control

  • Implementation of the RBAC on the Web



Mandatory Access Control (MAC)

MAC, as defined in the Department of Defense Trusted Computer System Evaluation Criteria, is “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”



Discretionary Access Control (DAC)

  • Capabilities

  • Profiles

  • Passwords

  • Protection Bits (UNIX)

  • Access Control List (ACL)

    e.g.

    file A: (Alice, {r, w}), (Bob, {r}), (Dept, {w})



Role-Based Access Control (RBAC)

  • With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.



RBAC Model

  • Users are associated with role(s), e.g.,

    Jacky: doctor.

  • Roles are associated with privileged operation(s), e.g., doctor: prescribe_drugs, order_tests

  • A user has access to a privileged operation only if the user has an authorized role which is associated with that privileged operation.



RBAC MODEL

[Diagram: Users are assigned to Roles, Roles are assigned Privileges, and a Role Hierarchy is defined over the Roles.]



RBAC Model: Role Relationships

  • Roles may be related hierarchically, e.g.,

    surgeon inherits from doctor.

  • Roles may have conflict of interest relationships:

    -- Static Separation of Duties (SSD), e.g., comptroller and auditor cannot be authorized for the same user.

    -- Dynamic Separation of Duties (DSD), e.g., teller and account_holder can be authorized for the same user but cannot both be active.

  • The number of users authorized for a given role may be limited by the cardinality of that role, e.g., president has cardinality one.
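The RBAC Model, Role Relationships and Security Administration slides describe one policy engine; the following Python is an added example of that engine, not code from the presentation or from RBAC/Web. It assumes nothing beyond the slides: a role hierarchy in which a senior role inherits its junior roles' privileged operations, SSD checked when a role is assigned, DSD checked when a session's active role set is chosen, and a per-role cardinality. The users and operations beyond the deck's own examples (Jacky, doctor, prescribe_drugs, order_tests, surgeon, comptroller, auditor, teller, account_holder, president) are constructed sample data.

```python
"""Minimal RBAC policy engine (added example, not code from the presentation).

Users hold roles, roles hold privileged operations, senior roles inherit
junior roles' operations (surgeon inherits from doctor), SSD forbids
authorizing two conflicting roles for one user, DSD forbids activating them
together in one session, and cardinality caps the holders of a role.
"""
from collections import defaultdict


class PolicyError(Exception):
    """An assignment or activation that would violate the policy."""


class RBAC:
    def __init__(self):
        self.role_ops = defaultdict(set)    # role -> privileged operations
        self.juniors = defaultdict(set)     # role -> roles it inherits from
        self.user_roles = defaultdict(set)  # user -> authorized roles
        self.ssd, self.dsd = [], []         # conflicting role sets
        self.cardinality = {}               # role -> max number of holders

    def add_role(self, role, ops=(), inherits=(), cardinality=None):
        self.role_ops[role].update(ops)
        self.juniors[role].update(inherits)
        if cardinality is not None:
            self.cardinality[role] = cardinality

    def add_ssd(self, *roles):
        self.ssd.append(frozenset(roles))

    def add_dsd(self, *roles):
        self.dsd.append(frozenset(roles))

    def inherited(self, role):
        """The role plus every junior role reachable through the hierarchy."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def assign_role(self, user, role):
        """Security administration: grant privileges by assigning a role."""
        if role not in self.role_ops:
            raise PolicyError(f"unknown role {role!r}")
        holders = sum(role in rs for rs in self.user_roles.values())
        if holders >= self.cardinality.get(role, float("inf")):
            raise PolicyError(f"cardinality of {role!r} exhausted")
        proposed = self.user_roles[user] | {role}
        for conflict in self.ssd:
            if conflict <= proposed:
                raise PolicyError(f"SSD: {sorted(conflict)} cannot share user {user!r}")
        self.user_roles[user].add(role)

    def remove_role(self, user, role):
        """Security administration: revoke privileges by removing a role."""
        self.user_roles[user].discard(role)

    def activate(self, user, roles):
        """Session start: the user's chosen active role set, checked against DSD."""
        roles = frozenset(roles)
        if not roles <= self.user_roles[user]:
            raise PolicyError(f"{user!r} is not authorized for all of {sorted(roles)}")
        for conflict in self.dsd:
            if conflict <= roles:
                raise PolicyError(f"DSD: {sorted(conflict)} cannot both be active")
        return roles

    def operations(self, active_roles):
        """All privileged operations reachable from an active role set."""
        return {op for role in active_roles
                for r in self.inherited(role) for op in self.role_ops[r]}

    def check_access(self, active_roles, operation):
        return operation in self.operations(active_roles)


def raises_policy_error(fn, *args):
    """True if fn(*args) is refused by the policy."""
    try:
        fn(*args)
    except PolicyError:
        return True
    return False


def build_example_policy():
    """Constructed policy built from the deck's example roles."""
    p = RBAC()
    p.add_role("doctor", {"prescribe_drugs", "order_tests"})
    p.add_role("surgeon", {"perform_surgery"}, inherits={"doctor"})
    p.add_role("comptroller", {"approve_payment"})
    p.add_role("auditor", {"review_ledger"})
    p.add_role("teller", {"post_transaction"})
    p.add_role("account_holder", {"view_own_account"})
    p.add_role("president", {"sign_policy"}, cardinality=1)
    p.add_ssd("comptroller", "auditor")     # never authorized for the same user
    p.add_dsd("teller", "account_holder")   # never active in the same session
    for user, role in [("Jacky", "doctor"), ("Sam", "surgeon"), ("Pat", "teller"),
                       ("Pat", "account_holder"), ("Lee", "president"),
                       ("Kim", "comptroller")]:
        p.assign_role(user, role)
    return p


if __name__ == "__main__":
    p = build_example_policy()
    # Sam holds surgeon, which inherits doctor, so the doctor operation is reachable
    print(p.check_access(p.activate("Sam", {"surgeon"}), "prescribe_drugs"))
```

The two separation-of-duty checks sit in different places on purpose: SSD is enforced in `assign_role`, so the conflict can never be authorized, while DSD is enforced in `activate`, so both roles may be held but never used in the same session, which is exactly the teller/account_holder case on the slide.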



Role Relationships Example: Bank

[Diagram: a bank role hierarchy over the roles Financial_advisor, Teller, Account_rep, Branch_manager, Internal_auditor, Invited_guest, employee, Account_holder and visitor.]



RBAC on the WWW

Problem:

Administrators view organizations in terms of individuals and their roles.

Access to the WWW is enforced by group and access control list (ACL) mechanisms.

Administrators must map their organizational view to these mechanisms.



RBAC on the WWW

Solution: role based access control

  • Access based on user’s organizational role, e.g., doctor, nurse, bank teller

  • Higher level of abstraction compared to commonly used access control mechanisms, e.g., MLS

  • An administrator’s organizational view IS the access control mechanism.

  • => RBAC valuable for “intra-net” enterprise use of WWW



Security Administration with RBAC

  • For each role: assign privileged operations, e.g., Doctor: prescribe_drugs, order_tests

  • To give privileges to a user: assign role(s) to user, e.g., Mike: broker, manager, cheat.

  • To remove a user’s privileges: remove role(s) from user, e.g., Mike: cheat



Goals for RBAC on the WWW

  • Implementation of RBAC on the WWW (RBAC/Web).

  • RBAC conformance test assertions, i.e., abstract test suite.

  • Testing software to validate RBAC/Web conformance to test assertions.



RBAC/Web Implementation

  • Uses existing WWW technology.

  • Can be used with any browser.

  • Can be used with any authentication mechanism, e.g., SSL, SHTTP, PCT.

  • Privileged operations are HTTP methods, e.g., GET, POST, PUT.

  • Available for Unix (e.g., Netscape, Apache) and Windows NT (e.g., IIS, Website)



RBAC/Web Component

  • Unix & NT: Database Definition, Admin Tool, Database Server, Session Manager

  • Unix Only: API Library, CGI



RBAC/Web Database Definition

Data sets which specify:

  • Association between users and their roles.

  • Role hierarchy.

  • SSD relationships.

  • DSD relationships.

  • ARSs (active role sets).

  • Association between WWW server files, HTTP methods, and roles.



RBAC/Web Admin Tool

  • Accessed by means of a WWW browser.

  • Creates users and roles.

  • Associates users with roles, and roles with HTTP methods applied to files.

  • Specifies roles relationships, i.e., hierarchy, SSD, DSD.



RBAC/Web Database Server

  • Hosts the authoritative copies of the data sets defining users, roles, and role relationships.

  • Notifies WWW servers to update their cached copies of these data sets when the authoritative copies change.



RBAC/Web Session Manager

  • Manages the RBAC Session.

  • Creates and removes users’ active role sets.



RBAC/Web API Library

  • C and Perl Library

  • Used by WWW servers and CGIs to access the RBAC/Web Database.

  • Some WWW servers, e.g., Netscape, Apache, need not be recompiled.



RBAC/Web CGI

  • Implements RBAC on the WWW as a CGI.

  • Existing WWW servers need not be modified.



RBAC/Web Use

[Diagram: RBAC/Web session flow between user, browser, web server and the (cached) RBAC Database: the user establishes an RBAC session; the web server presents ARS choices; the user chooses an ARS; the session is established; thereafter each URL request from the browser is checked by the web server against the cached RBAC Database and answered with a response.]
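The RBAC/Web Use slide, together with the Database Definition and Session Manager slides, describes the run-time path: establish a session, present and choose an ARS, then decide each HTTP request from the association between server files, HTTP methods and roles. The Python below is an added simulation of that path, not the RBAC/Web code (which was a C/Perl library and a CGI). The user names, ARS names, directory paths and the longest-prefix matching rule are constructed assumptions for the example; the deck specifies the data sets but not how the server matches a URL to them.

```python
"""RBAC/Web request flow (added example, not the NIST RBAC/Web code).

The user establishes an RBAC session, the web server presents the ARSs
(active role sets) the user may choose, the user picks one, and each later
request (HTTP method + URL) is decided from the cached association between
server files, HTTP methods and roles. All data below is constructed.
"""
from collections import namedtuple

# Constructed RBAC/Web database, reduced to the data sets the request path needs.
DATABASE = {
    # association between users and their roles
    "user_roles": {
        "alice": {"teller", "account_holder"},
        "bob": {"account_holder"},
    },
    # ARSs an administrator predefined; a session activates exactly one of them
    "active_role_sets": {
        "teller_desk": {"teller"},
        "own_account": {"account_holder"},
        "back_office": {"teller", "internal_auditor"},
    },
    # (server directory, HTTP method) -> roles allowed to use that method there
    "file_acl": {
        ("/", "GET"): {"teller", "account_holder", "internal_auditor"},
        ("/accounts/", "GET"): {"teller", "account_holder"},
        ("/accounts/", "POST"): {"teller"},
        ("/ledger/", "GET"): {"internal_auditor"},
    },
}

Session = namedtuple("Session", "user active_roles")


def ars_choices(db, user):
    """The ARSs the web server presents to an authenticated user: only those
    whose every role the user is authorized for."""
    authorized = db["user_roles"].get(user, set())
    return sorted(name for name, roles in db["active_role_sets"].items()
                  if roles <= authorized)


def establish_session(db, user, ars_name):
    """The user chooses an ARS; the session manager creates the active role set."""
    if ars_name not in ars_choices(db, user):
        raise PermissionError(f"{user!r} may not activate ARS {ars_name!r}")
    return Session(user, frozenset(db["active_role_sets"][ars_name]))


def normalize_path(url):
    """Drop the query string and resolve '.' and '..' segments, so a request such
    as /accounts/../ledger/x is matched against /ledger/, not /accounts/."""
    raw = url.split("?", 1)[0]
    parts = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    path = "/" + "/".join(parts)
    return path + "/" if parts and raw.endswith("/") else path


def authorize_request(db, session, method, url):
    """Decide one request: the longest directory entry for this method wins.
    A method with no entry for the file is denied, since privileged operations
    are HTTP methods and an unlisted one was never granted to any role."""
    path = normalize_path(url)
    best = None
    for (prefix, m), roles in db["file_acl"].items():
        if m == method and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, roles)
    return best is not None and bool(session.active_roles & best[1])


if __name__ == "__main__":
    session = establish_session(DATABASE, "alice", "teller_desk")
    for method, url in [("POST", "/accounts/123"), ("GET", "/ledger/2003")]:
        verdict = "allow" if authorize_request(DATABASE, session, method, url) else "deny"
        print(method, url, "->", verdict)
```

Two details matter for enforcement: the decision uses the session's active role set, not everything the user is authorized for, so a teller who also holds account_holder gets only the teller's methods while the teller_desk ARS is active; and the path is normalized before the directory lookup, otherwise a dot-segment in the URL would be matched against the wrong directory's entry.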



References

  • J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997).

  • J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web", CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998).

