1 / 34

ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC). Ravi Sandhu Venkata Bhamidipati Ed Coyne Srinivas Ganta Qamar Munawer Charles Youman. ARBAC97 DECENTRALIZES. user-role assignment (URA97) permission-role assignment (PRA97) role-role hierarchy groups or user-only roles (extend URA97)

dwentz
Download Presentation

ARBAC 97 (ADMINISTRATIVE RBAC)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ARBAC 97 (ADMINISTRATIVE RBAC) Ravi Sandhu Venkata Bhamidipati Ed Coyne Srinivas Ganta Qamar Munawer Charles Youman

  2. ARBAC97 DECENTRALIZES • user-role assignment (URA97) • permission-role assignment (PRA97) • role-role hierarchy • groups or user-only roles (extend URA97) • abilities or permission-only roles (extend PRA97) • UP-roles or user-and-permission roles (RRA97)

  3. ... ADMINISTRATIVE RBAC ROLES PERMISSIONS USERS CAN- MANAGE ADMIN ROLES ADMIN PERMISSIONS

  4. RBAC3 ARBAC3 RBAC1 RBAC2 ARBAC1 ARBAC2 RBAC0 ARBAC0 ADMINISTRATIVE RBAC

  5. EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)

  6. EXAMPLE ADMINISTRATIVE ROLE HIERARCHY Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2)

  7. USER-ROLE ASSIGNMENTCAN-ASSIGN-USER ARole Prereq Role Role Range PSO1 ED [E1,PL1) PSO2 ED [E2,PL2) DSO ED (ED,DIR) SSO E [ED,ED] SSO ED (ED,DIR]

  8. USER-ROLE ASSIGNMENT CAN-ASSIGN-USER ARole Prereq Cond Role Range PSO1 ED [E1,E1] PSO1 ED & ¬ P1 [Q1,Q1] PSO1 ED & ¬ Q1 [P1,P1] PSO2 ED [E2,E2] PSO2 ED & ¬ P2 [Q2,Q2] PSO2 ED & ¬ Q2 [P2,P2]

  9. USER-ROLE ASSIGNMENT CAN-REVOKE-USER ARole Role Range PSO1 [E1,PL1) PSO2 [E2,PL2) DSO (ED,DIR) SSO [ED,DIR]

  10. USER-ROLE ASSIGNMENT REVOCATION • WEAK REVOCATION • revokes explicit membership only • STRONG REVOCATION • revokes explicit and implicit membership • revocation propagates upwards to senior roles • defined in terms of weak revoke

  11. PERMISSION-ROLE ASSIGNMENT • dual of user-role assignment • can-assign-permission can-revoke-permission • weak revoke strong revoke (propagates down)

  12. PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN-PERMISSION ARole Prereq Cond Role Range PSO1 PL1 [E1,PL1) PSO2 PL2 [E2,PL2) DSO E1  E2 [ED,ED] SSO PL1  PL2 [ED,ED] SSO ED [E,E]

  13. PERMISSION-ROLE ASSIGNMENT CAN-REVOKE-PERMISSION ARole Role Range PSO1 [E1,PL1] PSO2 [E2,PL2] DSO (ED,DIR) SSO [ED,DIR]

  14. RRA97 UP-roles Users and Permissions Group roles Users only Ability roles Permissions only Extended URA97 RRA97 Extended PRA97

  15. RRA97 • OBJECTIVE • Decentralization of role-role relationships • Administrative role autonomy within a range. • Encapsulation of authority Ranges.

  16. EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)

  17. Range Hierarchy Range Create Range Encap. Range Authority Range

  18. RRA97 - Definitions • Range: • (x, y) = {r : Roles | x < r < y} • Authority Range: • A range referenced in can-modify relation • Junior Authority range: • The range (x, y) is junior to range (x’, y’) if ( x  x’  y’  y)  ( x > x’  y’ > y) • The range (x’, y’) is a senior range

  19. RRA97 - Definitions • Partial Overlap of Ranges: • The ranges Y and Y’ partially overlap if • Y  Y’  and • Y  Y’  Y’  Y

  20. RRA97 - Definitions • Encapsulated Authority Range: • The authority range (x, y) is said to be encapsulated if • r1  (x, y) and r2  (x, y) • r2 > r1  r2 > y  • r2 < r1  x < r2

  21. Encapsulated Range (x, y) y y‘ r1 r2 r4 r3 x x’

  22. Non-encapsulated Range (x, y) y y‘ r1 r2 r4 r3 x x’

  23. RRA97 - Definitions • Set of Authority Ranges: • {x, y : roles | (x, y) is an authority range} • Immediate Authority Range of role r: • The authority range (x, y) is immediate authority range of role r  (x, y) if • (x’, y’)  set of AR | (x’, y’)  (x, y)  r  (x’, y’)

  24. RRA97 - Definitions • Create Range: • The range (x, y) is a create range if • (a) ARimmediate(x) = ARimmediate(y)  • (b) x = End point of ARimmediate(y)  • (c) y = End point of ARimmediate(x) • Immediate Senior roles: • r1 > immediate r2 if • r’  roles  r’ > r2 ( r’  r1)

  25. Create Range A y y‘ r1 r2 r4 r3 x x’ B

  26. RRA97 - Definitions • Immediate Junior Roles: • r1 < immediate r2 • r’  roles  r’ > r1 ( r’ < r2) • Inactive Roles: • A user associated to it cannot use it. • Inheritance of permissions is not affected. • Permissions and users can be revoked.

  27. INSERT ROLE • Role is inserted one at a time. • Roles can be inserted only in create range. • Create-role(r, (x, y)) inserts a role r in create range (x, y) such that it is junior to y and senior to x.

  28. Example: Create-role(r, (r1, r2)) y r1 r r2 x

  29. DELETE ROLE • Roles referred in can-assign,can-revoke and can-modify cannot be deleted. • Roles can be deleted only if they are empty.

  30. DELETE ROLE (Continued) • RELAXATIONS: • Roles referred in can-assign,can-revoke and can-modify can be made inactive. • Role is deleted only after its permissions are assigned to immediate senior and users to immediate junior roles.

  31. INSERTION OF AN EDGE • Implied edges are not considered. • Inserted only between incomparable roles (No Cycles) • Inserted one at a time. • The edge AB is inserted if • (a) ARimmediate(A) = ARimmediate(B) and • (b) For a junior authority range (x, y): • (A = y  B > x) or (B = x  A < y) must ensure encapsulation of (x, y).

  32. DELETION OF AN EDGE • Deleted one at a time. • Implied edges are no considered. • The edges in transitive reduction are candidates for deletion. • Edges connecting the end points of an authority range cannot be deleted. • When edges AB is deleted then necessary edges must be inserted to preserve implications.

  33. System Calls • To create a role in create range Y create-role(r, Y) • To delete a role r delete-role(r) • To add edge AB add-edge(A, B) • To delete an edge AB delete-edge(A, B) • To inactivate a role r inactivate-role (r) • To activate a role r Activate-role (r)

  34. Strong Deletions • Strong deletion of role. • Strong deletion of an edge.

More Related