
ROLE-BASED ACCESS CONTROL ON THE WEB

LI LINGTAO

OCT 14 ,2003


CONTENT

  • BACKGROUND (MAC, DAC)

  • Role-Based Access Control

  • Implementation of the RBAC on the Web


Mandatory Access Control (MAC)

MAC, as defined in the Department of Defense Trusted Computer System Evaluation Criteria, is “A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”


Discretionary Access Control (DAC)

  • Capabilities

  • Profiles

  • Passwords

  • Protection Bits (UNIX)

  • Access Control List (ACL)

    e.g.

    file A: (Alice, {r, w}), (Bob, {r}), (Dept, {w})


Role-Based Access Control (RBAC)

  • With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.


RBAC Model

  • Users are associated with role(s), e.g.,

    Jacky: doctor.

  • Roles are associated with privileged operation(s), e.g., doctor: prescribe_drugs, order_tests

  • A user has access to a privileged operation only if the user has an authorized role which is associated with that privileged operation.


RBAC MODEL

[Figure: RBAC model diagram relating Users, Roles and Privileges, with the Role Hierarchy drawn over the roles.]


RBAC Model :Role Relationships

  • Roles may be related hierarchically, e.g.,

    surgeon → doctor (a surgeon inherits the privileges of a doctor).

  • Roles may have conflict of interest relationships:

    -- Static Separation of Duties (SSD), e.g., comptroller and auditor cannot be authorized for the same user.

    -- Dynamic Separation of Duties (DSD), e.g., teller and account_holder can be authorized for the same user but cannot both be active.

  • The number of users authorized for a given role may be limited by the cardinality of that role, e.g., president has cardinality one.


Role Relationships Example: Bank

[Figure: bank role hierarchy diagram with the roles Financial_advisor, Teller, Account_rep, Branch_manager, Internal_auditor, Invited_guest, employee, Account_holder and visitor.]


RBAC on the WWW

Problem:

Administrators view organizations in terms of individuals and their roles.

Access to the WWW is enforced by group and access control list (ACL) mechanisms.

Administrators must map their organizational view to these mechanisms.


RBAC on the WWW

Solution: role-based access control

  • Access based on user’s organizational role, e.g., doctor, nurse, bank teller

  • Higher level of abstraction compared to commonly used access control mechanisms, e.g., MLS

  • An administrator’s organizational view IS the access control mechanism.

  • => RBAC valuable for “intra-net” enterprise use of WWW


Security Administration with RBAC

  • For each role: assign privileged operations, e.g., Doctor: prescribe_drugs, order_tests

  • To give privileges to a user: assign role(s) to user, e.g., Mike: broker, manager, cheat.

  • To remove a user’s privileges: remove role(s) from user, e.g., Mike: cheat
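As an added example (not code from the presentation or from the NIST RBAC/Web project), the following Python sketch implements the model of the RBAC Model and Role Relationships slides together with the administrative actions on this slide: users are assigned roles, roles carry privileged operations, a role hierarchy lets senior roles inherit junior ones, SSD and cardinality are checked at assignment time, DSD is checked when a user activates roles, and an operation is permitted only through an active role. The role and user names (surgeon, comptroller, president, jacky, mike, ...) are constructed for illustration.

```python
# Added example: a small in-memory RBAC model (not the RBAC/Web code).
from collections import defaultdict


class RBACError(Exception):
    """Raised when an administrative action or activation violates a constraint."""


class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles assigned directly
        self.role_ops = defaultdict(set)     # role -> privileged operations
        self.inherits = defaultdict(set)     # senior role -> junior roles it inherits
        self.ssd = []                        # role pairs no user may hold together
        self.dsd = []                        # role pairs no user may activate together
        self.cardinality = {}                # role -> max number of assigned users
        self.active = defaultdict(set)       # user -> active role set (ARS)

    def add_role(self, role, ops=(), inherits=(), cardinality=None):
        self.role_ops[role].update(ops)
        self.inherits[role].update(inherits)
        if cardinality is not None:
            self.cardinality[role] = cardinality

    def closure(self, roles):
        """All roles reachable from `roles` down the hierarchy, including themselves."""
        seen, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.inherits[r])
        return seen

    def authorized_roles(self, user):
        return self.closure(self.user_roles[user])

    def assign_role(self, user, role):
        """Administrative action: SSD and cardinality are enforced here, at assignment."""
        would_hold = self.closure(self.user_roles[user] | {role})
        for a, b in self.ssd:
            if a in would_hold and b in would_hold:
                raise RBACError(f"SSD: {user} cannot hold both {a} and {b}")
        limit = self.cardinality.get(role)
        holders = {u for u, rs in self.user_roles.items() if role in rs}
        if limit is not None and user not in holders and len(holders) >= limit:
            raise RBACError(f"cardinality: {role} is limited to {limit} user(s)")
        self.user_roles[user].add(role)

    def remove_role(self, user, role):
        """Removing a role from a user also drops it from the user's active set."""
        self.user_roles[user].discard(role)
        self.active[user].discard(role)

    def activate(self, user, roles):
        """Session-time action: the requested ARS must be authorized and DSD-free."""
        roles = set(roles)
        missing = roles - self.authorized_roles(user)
        if missing:
            raise RBACError(f"{user} is not authorized for {sorted(missing)}")
        effective = self.closure(roles)   # DSD is checked on inherited roles too
        for a, b in self.dsd:
            if a in effective and b in effective:
                raise RBACError(f"DSD: {user} cannot activate both {a} and {b}")
        self.active[user] = roles

    def can_perform(self, user, op):
        """An operation is allowed only through a role in the user's active role set."""
        return any(op in self.role_ops[r] for r in self.closure(self.active[user]))


def build_demo():
    """Constructed roles mirroring the slides' hospital and bank examples."""
    rbac = RBAC()
    rbac.add_role("doctor", ops={"prescribe_drugs", "order_tests"})
    rbac.add_role("surgeon", ops={"perform_surgery"}, inherits={"doctor"})
    rbac.add_role("comptroller")
    rbac.add_role("auditor")
    rbac.add_role("teller", ops={"post_transaction"})
    rbac.add_role("account_holder", ops={"view_own_balance"})
    rbac.add_role("president", cardinality=1)
    rbac.ssd.append(("comptroller", "auditor"))
    rbac.dsd.append(("teller", "account_holder"))
    return rbac


def run_scenario():
    """Walk through the constraints; returns a dict of observed outcomes."""
    rbac, results = build_demo(), {}
    rbac.assign_role("jacky", "surgeon")
    rbac.assign_role("mike", "teller")
    rbac.assign_role("mike", "account_holder")   # allowed: DSD, not SSD
    rbac.assign_role("ann", "comptroller")
    rbac.assign_role("pat", "president")
    for key, user, role in (("ssd_blocked", "ann", "auditor"),
                            ("cardinality_blocked", "sam", "president")):
        try:
            rbac.assign_role(user, role)
            results[key] = False
        except RBACError:
            results[key] = True
    rbac.activate("jacky", {"surgeon"})
    results["surgeon_can_prescribe"] = rbac.can_perform("jacky", "prescribe_drugs")
    try:
        rbac.activate("mike", {"teller", "account_holder"})
        results["dsd_blocked"] = False
    except RBACError:
        results["dsd_blocked"] = True
    rbac.activate("mike", {"teller"})
    results["mike_can_view_balance"] = rbac.can_perform("mike", "view_own_balance")
    rbac.remove_role("jacky", "surgeon")
    results["after_removal"] = rbac.can_perform("jacky", "prescribe_drugs")
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Note the two enforcement points: SSD and cardinality are administrative constraints, so they are checked when a role is assigned; DSD only constrains what may be active at once, so it is checked when the active role set is chosen, and it is evaluated over the inherited roles as well, so activating a senior role cannot smuggle in a conflicting junior one.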


Goals for RBAC on the WWW

  • Implementation of RBAC on the WWW (RBAC/Web).

  • RBAC conformance test assertions, i.e., abstract test suite.

  • Testing software to validate RBAC/Web conformance to test assertions.


RBAC/Web Implementation

  • Uses existing WWW technology.

  • Can be used with any browser.

  • Can be used with any authentication mechanism, e.g., SSL, SHTTP, PCT.

  • Privileged operations are HTTP methods, e.g., GET, POST, PUT.

  • Available for Unix (e.g., Netscape, Apache) and Windows NT (e.g., IIS, Website)


RBAC/Web Components

  • Unix & NT:

    -- Database Definition

    -- Admin Tool

    -- Database Server

    -- Session Manager

  • Unix Only:

    -- API Library

    -- CGI


RBAC/Web Database Definition

Data sets which specify:

  • Association between users and their roles.

  • Role hierarchy.

  • SSD relationships.

  • DSD relationships.

  • ARSs (active role sets).

  • Association between WWW server files, HTTP methods, and roles.


RBAC/Web Admin Tool

  • Accessed by means of a WWW browser.

  • Creates users and roles.

  • Associates users with roles, and roles with the HTTP methods applied to files.

  • Specifies role relationships, i.e., hierarchy, SSD, DSD.


RBAC/Web Database Server

  • Hosts the authoritative copies of the data sets defining users, roles, and role relationships.

  • Notifies WWW servers to update their cached copies of these data sets when the authoritative copies change.


RBAC/Web Session Manager

  • Manages the RBAC Session.

  • Creates and removes users’ active role sets.


RBAC/Web API Library

  • C and Perl library.

  • Used by WWW servers and CGIs to access the RBAC/Web database.

  • Some WWW servers, e.g., Netscape, Apache, need not be recompiled.


RBAC/Web CGI

  • Implements RBAC on the WWW as a CGI.

  • Existing WWW servers need not be modified.


RBAC/Web Use

[Figure: RBAC/Web session flow between the user's browser, the web server and the (cached) RBAC database. 1. The browser asks the web server to establish an RBAC session. 2. The web server presents the ARS choices. 3. The user chooses an ARS. 4. The session is established, consulting the cached RBAC database. 5. Subsequent URL requests from the browser are answered with responses through the established session.]
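The request-time side of this design, as an added example that is not the RBAC/Web code: the dictionary below stands in for the data sets of the RBAC/Web Database Definition slide (user-role assignment, role hierarchy, DSD relationships, and the association between server files, HTTP methods and roles), and the functions follow the session flow in the figure: offer ARS choices, establish a session with a DSD-free ARS, then authorize each URL request by HTTP method against that ARS. The user names, paths and role mapping are constructed, and matching files to the longest directory prefix in the mapping is my assumption, not something the slides state.

```python
# Added example: RBAC/Web-style request authorization (not the NIST code).
from dataclasses import dataclass

# Constructed stand-in for the cached RBAC/Web data sets on a web server.
DB = {
    "user_roles": {
        "alice": {"teller", "account_holder"},   # both authorized, DSD pair
        "bob": {"branch_manager"},
        "guest": {"visitor"},
    },
    # senior role -> junior roles whose privileges it inherits
    "hierarchy": {
        "branch_manager": {"teller", "account_rep"},
        "teller": {"employee"},
        "account_rep": {"employee"},
        "employee": {"visitor"},
        "account_holder": {"visitor"},
    },
    "dsd": [("teller", "account_holder")],
    # directory prefix -> HTTP method -> roles allowed to use that method there
    "acl": {
        "/": {"GET": {"visitor"}},
        "/branch/": {"GET": {"employee"}, "POST": {"teller"}, "PUT": {"branch_manager"}},
        "/accounts/mine/": {"GET": {"account_holder"}, "POST": {"account_holder"}},
    },
}


def closure(roles):
    """Roles reachable from `roles` down the hierarchy, including themselves."""
    seen, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(DB["hierarchy"].get(r, ()))
    return seen


@dataclass(frozen=True)
class Session:
    user: str
    ars: frozenset   # the active role set chosen when the session was established


def ars_choices(user):
    """Figure step 2: the roles the session manager can offer this user."""
    return sorted(closure(DB["user_roles"].get(user, set())))


def establish_session(user, chosen):
    """Figure steps 3-4: accept the chosen ARS only if authorized and DSD-free."""
    chosen = set(chosen)
    if not chosen <= closure(DB["user_roles"].get(user, set())):
        raise PermissionError(f"{user} is not authorized for {sorted(chosen)}")
    effective = closure(chosen)   # DSD is checked on inherited roles as well
    for a, b in DB["dsd"]:
        if a in effective and b in effective:
            raise PermissionError(f"DSD: {a} and {b} cannot both be active")
    return Session(user, frozenset(chosen))


def authorize(session, method, path):
    """Figure step 5: the HTTP method is the privileged operation; it is allowed
    only if a role active in the session is mapped to that method for the file."""
    rule = max((p for p in DB["acl"] if path.startswith(p)), key=len, default=None)
    if rule is None:
        return False
    allowed = DB["acl"][rule].get(method, set())
    return bool(allowed & closure(session.ars))


def run_scenario():
    """Constructed requests; returns a dict of authorization outcomes."""
    results = {}
    alice = establish_session("alice", {"teller"})   # DSD forces her to pick one
    results["alice_post_branch"] = authorize(alice, "POST", "/branch/ledger.cgi")
    results["alice_get_own_account"] = authorize(alice, "GET", "/accounts/mine/statement.html")
    bob = establish_session("bob", {"branch_manager"})
    results["bob_put_branch"] = authorize(bob, "PUT", "/branch/policy.html")
    results["bob_post_branch"] = authorize(bob, "POST", "/branch/ledger.cgi")   # via inherited teller
    guest = establish_session("guest", {"visitor"})
    results["guest_get_root"] = authorize(guest, "GET", "/index.html")
    results["guest_get_branch"] = authorize(guest, "GET", "/branch/index.html")
    results["guest_delete_root"] = authorize(guest, "DELETE", "/index.html")   # method not mapped
    try:
        establish_session("alice", {"teller", "account_holder"})
        results["dsd_rejected"] = False
    except PermissionError:
        results["dsd_rejected"] = True
    return results


if __name__ == "__main__":
    print("ARS choices for alice:", ars_choices("alice"))
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two details worth noticing: a method that has no role mapped for a file is denied by default rather than falling through to the server's own permissions, and the decision for a request depends on the active role set, not on everything the user is authorized for, which is what makes the DSD restriction meaningful once the session is established.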


References

  • J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997).

  • J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web" , CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998).