Xacml for rbac and cadabra constrained delegation and attribute based role assignment
XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment. Brian Garback. © Brian Garback 2005. Talk Outline. RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML Attribute-Based Role Assignment

XACML for RBAC and CADABRA: Constrained Delegation and Attribute-Based Role Assignment

Brian Garback

© Brian Garback 2005


Talk Outline

  • RBAC Introduction

  • XACML Introduction

  • XACML Profile for RBAC

  • Enhancements to RBXACML

    • Attribute-Based Role Assignment

    • Constrained Delegation of Permission

  • Design & Implementation

  • Performance Evaluation


Role-Based Access Control

  • Formalized by Sandhu et al. in 1996

[Figure: users are assigned to roles, and roles are assigned to permissions. Roles shown: Physician, Nurse, Patient, Admin. Permissions shown: Read Prescription, Write Prescription, Read Medical Record, Write Medical Record.]


Hierarchical RBAC

[Figure: users, roles and permissions arranged in a role hierarchy. Roles shown: Surgeon, Radiologist, Physician, Patient, Universal. Permissions shown: Operate, Interpret X-Ray, Write Prescription, Read Prescription, Read Demographics.]




XACML from

  • XML extension language to specify and enforce authorization policies

  • XACML 2.0 approved Feb 2005

  • XACML provides:

    • Context-aware security policy language

    • Policy combination

    • Extensibility


XACML System Design


XML Structure




XACML Profile for RBAC

  • Draft v2.0 approved Sept. 2004 contains

    • Assigning Role Attributes

    • Core and Hierarchical RBAC implementation

  • Two Shortcomings:

    • Lacks a clear role assignment specification

    • No mention of permission delegation


RBXACML Implementation

  • Role Assignment Policy

    • Defines which roles are assigned to which subjects

  • Permission Policy Set

    • Contains all the permissions associated with a role

  • Role Policy Set

    • Associates a role with a PPS

  • The role hierarchy is formed by a PPS referencing other PPSs




Attribute-Based Role Assignment

  • Original RBAC: a subject is assigned a role by identity, e.g. Physician if subject-id = 5

  • Al-Kahtani presented ABRA in 2002: a subject is assigned a role by its attributes, e.g. Physician if it holds the physician role in a highly-trusted remote domain
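The RBXACML Implementation slide and the Attribute-Based Role Assignment slide above fit together as follows. This is an added Python model written for this transcript, not code from the talk, from the XACML RBAC profile or from any XACML engine: the Role Assignment Policy is a list of predicates over subject attributes (the identity rule and the ABRA rule from the slide above), each Permission Policy Set lists its permissions and references the PPSs it inherits from, and each Role Policy Set maps a role to its PPS. The hierarchy edges (Surgeon and Radiologist above Physician, Physician above Patient, Patient above Universal), the action and resource names, the subject-id 7 rule and the trust attribute names are assumptions made for the example.

```python
# Constructed hospital policy: all data below is assumed for this illustration.

# Role Assignment Policy (RAP): predicates over subject attributes, each yielding a role.
# Rule 1 is the identity-based assignment of original RBAC; rule 2 is the
# attribute-based (ABRA) assignment from the slide above.
ROLE_ASSIGNMENT_POLICY = [
    (lambda s: s.get("subject-id") == 5, "Physician"),
    (lambda s: s.get("remote-role") == "physician"
               and s.get("remote-domain-trust") == "highly-trusted", "Physician"),
    (lambda s: s.get("subject-id") == 7, "Surgeon"),       # assumed extra identity rule
    (lambda s: True, "Universal"),                          # every subject holds the base role
]

# Permission Policy Sets (PPS): the permissions a role grants, plus references to
# other PPSs; the references form the role hierarchy (edges assumed here).
PERMISSION_POLICY_SETS = {
    "PPS:Surgeon":     {"permits": {("operate", "operating-room")}, "refs": ["PPS:Physician"]},
    "PPS:Radiologist": {"permits": {("interpret", "x-ray")},        "refs": ["PPS:Physician"]},
    "PPS:Physician":   {"permits": {("write", "prescription")},     "refs": ["PPS:Patient"]},
    "PPS:Patient":     {"permits": {("read", "prescription")},      "refs": ["PPS:Universal"]},
    "PPS:Universal":   {"permits": {("read", "demographics")},      "refs": []},
}

# Role Policy Sets (RPS): the role a subject must carry, mapped to the PPS it unlocks.
ROLE_POLICY_SETS = {"Surgeon": "PPS:Surgeon", "Radiologist": "PPS:Radiologist",
                    "Physician": "PPS:Physician", "Patient": "PPS:Patient",
                    "Universal": "PPS:Universal"}


def assign_roles(subject: dict) -> set:
    """Evaluate the RAP: every rule whose predicate holds assigns its role."""
    return {role for pred, role in ROLE_ASSIGNMENT_POLICY if pred(subject)}


def permissions_of(pps_id: str, seen=None) -> set:
    """Collect permissions transitively through PPS references (the hierarchy)."""
    seen = set() if seen is None else seen
    if pps_id in seen:               # a reference cycle would otherwise recurse forever
        return set()
    seen.add(pps_id)
    pps = PERMISSION_POLICY_SETS[pps_id]
    perms = set(pps["permits"])
    for ref in pps["refs"]:
        perms |= permissions_of(ref, seen)
    return perms


def evaluate(subject: dict, action: str, resource: str) -> str:
    """PDP-style decision: Permit if any assigned role's PPS grants (action, resource)."""
    for role in assign_roles(subject):
        if (action, resource) in permissions_of(ROLE_POLICY_SETS[role]):
            return "Permit"
    return "Deny"


if __name__ == "__main__":
    print(evaluate({"subject-id": 7}, "write", "prescription"))   # Surgeon inherits via Physician
    print(evaluate({"remote-role": "physician", "remote-domain-trust": "untrusted"},
                   "write", "prescription"))                       # ABRA rule does not fire
```

In the real profile the role produced by the RAP travels with the request as a subject attribute and the RPS target matches on it; here `evaluate` simply calls `assign_roles` first. The cycle guard in `permissions_of` is worth keeping in any real resolver: a PPS reference loop in a mis-written hierarchy would otherwise never terminate.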


Delegation

  • Giving a portion of one’s authority to another

  • Motivating examples:

    • Physician to Physician

      • Permissions while on vacation

    • Physician to Medical Student

      • Permission to read a patient’s record


Previous Work in Delegation

  • 1999 - Sandhu introduced ARBAC

    • Delegation among role administrators

  • 2000 – Barka proposed RBDM0

    • Multi-step delegation in a role hierarchy

  • 2002 – Zhang described RDM2000

    • A rule-based framework for role-based delegation

  • 2003 – Zhang presented PBDM

    • Permission-level delegation in a role hierarchy

  • 2004 – Ye pioneered ABDM

    • Delegation management and constraints


Constraining Delegation

  • Which permissions are delegatable

    • Allow some subset within a role to be delegatable

  • How permissions can be delegated

    • Delegation condition

      • Fulfilled by delegator before he can delegate a permission

    • Delegate assignment condition

      • Fulfilled by delegate before a delegated permission can be assigned to him


Maintaining Hierarchical RBAC

  • Delegation must conform to RBAC requirements

    • Use standard role definition and assignment

    • Delegation role assignments are contingent on the delegator’s assignment to the regular role

    • No user may alter the role hierarchy

  • Multi-step Delegation

    • Delegation constraints are inherited by all delegation roles

  • Hierarchical Delegation

    • A delegator may delegate a subset of a role’s inherited roles


Revocation

  • Delegation necessitates Revocation

  • Methods:

    • Constrain role assignment by time period

    • Explicit revocation by a delegator or admin

  • Multi-step:

    • If a delegator’s role is revoked, associated delegation roles are revoked
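The Constraining Delegation, Maintaining Hierarchical RBAC and Revocation slides above describe a set of checks. The following Python model is an added example written for this transcript, not code from the talk or from the CADABRA implementation, that enforces them on a Physician-to-medical-student delegation: a delegatable subset per role, a delegation condition on the delegator, a delegate assignment condition on the delegate, a first delegation step that is contingent on the delegator's regular role, multi-step delegation that inherits the constraints and can neither exceed nor outlast its parent, time-period expiry, and explicit revocation that cascades from a revoked regular role through every derived delegation role. The subject names, attribute names, constraint predicates and the 14-day period are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example data, assumed for this illustration: a regular role's
# permissions and the subset an administrator marks as delegatable.
ROLE_PERMISSIONS = {"Physician": {"Read Prescription", "Write Prescription",
                                  "Read Medical Record", "Write Medical Record"}}
DELEGATABLE = {"Physician": {"Read Prescription", "Read Medical Record"}}
# Delegation condition (on the delegator) and delegate assignment condition (on the
# delegate), keyed by regular role so every delegation role derived from it inherits them.
DELEGATION_CONDITION = {"Physician": lambda a: a.get("years-of-service", 0) >= 2}
DELEGATE_ASSIGNMENT_CONDITION = {"Physician": lambda a: a.get("affiliation") == "hospital"}


@dataclass
class DelegationRole:
    name: str
    regular_role: str       # regular role the permissions originate from
    delegator: str
    delegate: str
    permissions: frozenset
    expires: datetime       # time-period constraint on the assignment
    parent: str = None      # delegation role this one was derived from (multi-step)
    revoked: bool = False


class DelegationManager:
    def __init__(self):
        self.attrs, self.regular, self.droles = {}, {}, {}   # subject attrs, regular roles, delegation roles

    def add_subject(self, name, attrs, roles=()):
        self.attrs[name], self.regular[name] = attrs, set(roles)

    def active(self, d, now):
        return not d.revoked and now < d.expires

    def delegate(self, delegator, delegate, role, perms, expires, now, via=None):
        """Create a delegation role, refusing if any CADABRA constraint is violated."""
        perms = frozenset(perms)
        if via is None:
            # Step 1 is contingent on the delegator's own regular-role assignment.
            if role not in self.regular[delegator]:
                raise PermissionError("delegator does not hold the regular role")
            allowed = DELEGATABLE[role]
        else:
            # Multi-step: the delegator must hold an active delegation role and may pass on
            # no more than it carries, for no longer than it lasts.
            parent = self.droles[via]
            if parent.delegate != delegator or parent.regular_role != role or not self.active(parent, now):
                raise PermissionError("delegator holds no active delegation role")
            allowed = parent.permissions
            expires = min(expires, parent.expires)
        if not perms <= allowed:
            raise PermissionError("permission is not delegatable")
        if not DELEGATION_CONDITION[role](self.attrs[delegator]):
            raise PermissionError("delegation condition not met")
        if not DELEGATE_ASSIGNMENT_CONDITION[role](self.attrs[delegate]):
            raise PermissionError("delegate assignment condition not met")
        name = f"d{len(self.droles) + 1}:{role}:{delegator}->{delegate}"
        self.droles[name] = DelegationRole(name, role, delegator, delegate, perms, expires, via)
        return name

    def revoke_delegation(self, name):
        # Explicit revocation; cascades to every delegation role derived from this one.
        self.droles[name].revoked = True
        for d in self.droles.values():
            if d.parent == name and not d.revoked:
                self.revoke_delegation(d.name)

    def revoke_regular(self, subject, role):
        # Revoking a regular role revokes the delegation roles built on it.
        self.regular[subject].discard(role)
        for d in self.droles.values():
            if d.parent is None and d.delegator == subject and d.regular_role == role:
                self.revoke_delegation(d.name)

    def permissions(self, subject, now):
        perms = set().union(*(ROLE_PERMISSIONS[r] for r in self.regular[subject]))
        for d in self.droles.values():
            if d.delegate == subject and self.active(d, now):
                perms |= d.permissions
        return perms


def scenario():
    # Physician -> medical student -> second student, then revocation; returns observations.
    t0, m, out = datetime(2025, 1, 1), DelegationManager(), {}
    m.add_subject("alice", {"years-of-service": 10, "affiliation": "hospital"}, ["Physician"])
    m.add_subject("bob", {"years-of-service": 3, "affiliation": "hospital"})
    m.add_subject("carol", {"years-of-service": 4, "affiliation": "external"})
    m.add_subject("dave", {"years-of-service": 0, "affiliation": "hospital"})
    for delegate, perm in [("bob", "Write Prescription"), ("carol", "Read Medical Record")]:
        try:   # both refused: a non-delegatable permission, then an unqualified delegate
            m.delegate("alice", delegate, "Physician", {perm}, t0 + timedelta(days=14), t0)
        except PermissionError as e:
            out[delegate] = str(e)
    d1 = m.delegate("alice", "bob", "Physician", {"Read Medical Record"}, t0 + timedelta(days=14), t0)
    d2 = m.delegate("bob", "dave", "Physician", {"Read Medical Record"}, t0 + timedelta(days=30), t0, via=d1)
    out["d2_expires"] = m.droles[d2].expires                 # clipped to d1's expiry
    out["bob_day1"] = m.permissions("bob", t0 + timedelta(days=1))
    out["bob_day15"] = m.permissions("bob", t0 + timedelta(days=15))
    m.revoke_regular("alice", "Physician")                  # cascades to d1 and then d2
    out["dave_after_revoke"] = m.permissions("dave", t0 + timedelta(days=1))
    return out
```

Keeping the constraints keyed by the regular role, rather than copying them into each delegation role, is what makes multi-step delegation inherit them for free; the parent link is what lets a single revocation of the regular role unwind the whole chain.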




RBAC & CADABRA Implementation

  • Two policy types:

    • Role Assignment Policy (RAP): rules to assign roles to subjects

    • Permission Policy (PP): permissions associated with a role

  • Role = { RAP, PP }


XACML for CADABRA


Authorization Architecture


Physician to Medical Student




Performance Evaluation

  • XML: expressiveness vs. efficiency

    • Compare role assignment time and authorization time to access time

  • Hospital Scenario:

    • Users: 50,000 patients, 5,000 staffers

    • Resources: 50 resource types, 5 actions

    • Roles: 15 regular roles, 2,000 delegation roles


Performance Evaluation

  • Pentium 4 3GHz, 1 GB RAM

    t_Authorization = 71 ms

    t_RoleAssignment = 983 ms / 10 = 98 ms

    t_Authorization + t_RoleAssignment = 169 ms

    t_PortalAccess = 703 ms

    (t_Authorization + t_RoleAssignment) / (t_PortalAccess + t_Authorization + t_RoleAssignment) = 19 %

  • Analysis:

    • The additional time for authorization is easily tolerated.

    • Role-to-User ABRA is not always necessary


Conclusion

  • Support complex health system requirements

  • Enhanced XACML’s RBAC profile with CADABRA

    • Effective policy representation

    • Dynamic permission definition, assignment, & enforcement

    • Administrative control over delegation

  • Performance analysis:

    • Extended XACML is sufficiently expressive and efficient


Future Work

  • Research Directions:

    • Formalize web-based enterprise request generation

    • Refine delegation constraints specification and aggregation

    • Access logging and auditing

    • Decompose ABRA into user-to-role & role-to-user

  • Research Documentation:

    • “XACML for RBAC and CaDABRA: Constrained Delegation and Attribute-Based Role Assignment” submitted to SACMAT 2006

