XACML for RBAC and CADABRA: Constrained Delegation and Attribute-Based Role Assignment

Brian Garback

© Brian Garback 2005

Talk Outline
  • RBAC Introduction
  • XACML Introduction
  • XACML Profile for RBAC
  • Enhancements to RBXACML
    • Attribute-Based Role Assignment
    • Constrained Delegation of Permission
  • Design & Implementation
  • Performance Evaluation
Role-Based Access Control
  • Formalized by Sandhu et al. in 1996
  • [Figure: Users → Roles → Permissions. Roles shown: Physician, Nurse, Patient, Admin. Permissions shown: Read Prescription, Write Prescription, Read Medical Record, Write Medical Record.]

Hierarchical RBAC
  • [Figure: Users → Roles → Permissions in a role hierarchy. Roles shown: Surgeon, Radiologist, Physician, Patient, Universal. Permissions shown: Operate, Interpret X-Ray, Write Prescription, Read Prescription, Read Demographics.]

XACML from
  • XML extension language to specify and enforce authorization policies
  • XACML 2.0 approved Feb 2005
  • XACML provides:
    • Context-aware security policy language
    • Policy combination
    • Extensibility
XACML Profile for RBAC
  • Draft v2.0 approved Sept. 2004 contains
    • Assigning Role Attributes
    • Core and Hierarchical RBAC implementation
  • Two Shortcomings:
    • Lacks a clear role assignment specification
    • No mention of permission delegation
RBXACML Implementation
  • Role Assignment Policy
    • Defines which roles are assigned to which subjects
  • Permission Policy Set
    • Contains all the permissions associated with a role
  • Role Policy Set
    • Associates a role with a PPS
  • Hierarchy is formed by PPS referencing other PPS’s
Attribute-Based Role Assignment
  • Original RBAC: a role is assigned by subject identity
    • Example: if subject-id = 5, assign Physician
  • Al-Kahtani presented ABRA in 2002: a role is assigned from subject attributes
    • Example: if the subject holds the physician role in a highly-trusted remote domain, assign Physician

Delegation
  • Giving a portion of one’s authority to another
  • Motivating examples:
    • Physician to Physician
      • Permissions while on vacation
    • Physician to Medical Student
      • Permission to read a patient’s record
Previous Work in Delegation
  • 1999 - Sandhu introduced ARBAC
    • Delegation among role administrators
  • 2000 – Barka proposed RBDM0
    • Multi-step delegation in a role hierarchy
  • 2002 – Zhang described RDM2000
    • A rule-based framework for role-based delegation
  • 2003 – Zhang presented PBDM
    • Permission-level delegation in a role hierarchy
  • 2004 – Ye pioneered ABDM
    • Delegation management and constraints
Constraining Delegation
  • Which permissions are delegatable
    • Allow some subset within a role to be delegatable
  • How permissions can be delegated
    • Delegation condition
      • Fulfilled by delegator before he can delegate a permission
    • Delegate assignment condition
      • Fulfilled by delegate before a delegated permission can be assigned to him
Maintaining Hierarchical RBAC
  • Delegation must conform to RBAC requirements
    • Use standard role definition and assignment
    • Delegation role assignments are contingent on the delegator’s assignment to the regular role
    • No user may alter the role hierarchy
  • Multi-step Delegation
    • Delegation constraints are inherited by all delegation roles
  • Hierarchical Delegation
    • A delegator may delegate a subset of a role’s inherited roles
Revocation
  • Delegation necessitates Revocation
  • Methods:
    • Constrain role assignment by time period
    • Explicit revocation by a delegator or admin
  • Multi-step:
    • If a delegator’s role is revoked, associated delegation roles are revoked
RBAC & CADABRA Implementation
  • Two policy types:
    • Role Assignment Policy (RAP): rules to assign roles to subjects
    • Permission Policy (PP): permissions associated with a role
  • Role = { RAP, PP }
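An added example (not code from the talk or from the RBXACML/CADABRA implementation) that models in Python the structures the preceding slides describe: a role as { RAP, PP } with an attribute-based RAP, the hierarchy formed by a PP referencing other PPs, delegation roles limited to a role's delegatable subset and gated by a delegation condition on the delegator and a delegate-assignment condition on the delegate, and revocation by time period, explicitly, or cascading when the delegator loses the regular role. The role names, attribute names, hierarchy edges and the dict-based representation are assumptions made for the example.

```python
from typing import Callable, Dict, List, Set, Tuple
Attrs = Dict[str, str]   # XACML-style subject attributes (attribute names are constructed)
Perm = Tuple[str, str]   # (resource type, action)
# Role = { RAP, PP }: "rap" is a predicate over subject attributes (ABRA-style assignment),
# "junior" lists the roles whose PP this PP references (the hierarchy), "delegatable" is the
# subset of the PP a member may delegate, "dcond" is the delegation condition on the delegator.
ROLES: Dict[str, dict] = {   # roles and hierarchy edges constructed for the example
    "Universal": dict(rap=lambda a: True, pp={("demographics", "read")}, junior=[],
                      delegatable=set(), dcond=lambda a: False),
    "Physician": dict(rap=lambda a: a.get("kind") == "staff" and a.get("licensed") == "yes",
                      pp={("prescription", "write"), ("record", "read")}, junior=["Universal"],
                      delegatable={("record", "read")}, dcond=lambda a: a.get("on_call") == "no"),
}
USERS: Dict[str, Attrs] = {}     # subject-id -> attributes, used to re-check the delegator
DELEGATIONS: List[dict] = []     # delegation roles derived from a delegator's regular role

def regular_roles(attrs: Attrs) -> Set[str]:
    """Roles whose RAP the subject's attributes satisfy."""
    return {name for name, spec in ROLES.items() if spec["rap"](attrs)}

def role_perms(role: str) -> Set[Perm]:
    """A role's PP plus every PP it references (hierarchical RBAC)."""
    spec = ROLES[role]
    return set(spec["pp"]).union(*(role_perms(j) for j in spec["junior"]))

def delegate(delegator: str, role: str, perms: Set[Perm],
             delegate_cond: Callable[[Attrs], bool], expires: int) -> dict:
    """Create a delegation role; refused unless the delegator holds `role`, meets its
    delegation condition, and hands out only permissions marked delegatable."""
    spec, attrs = ROLES[role], USERS[delegator]
    if role not in regular_roles(attrs) or not spec["dcond"](attrs):
        raise PermissionError("delegation condition not met")
    if not perms <= spec["delegatable"]:
        raise PermissionError("permission is not delegatable")
    d = dict(delegator=delegator, role=role, perms=set(perms),
             cond=delegate_cond, expires=expires, revoked=False)
    DELEGATIONS.append(d)
    return d

def effective_perms(attrs: Attrs, now: int) -> Set[Perm]:
    """Regular-role permissions plus live delegated ones; a delegation role is skipped when
    revoked, expired, its delegate-assignment condition fails, or its delegator no longer
    holds the regular role it came from (cascading revocation)."""
    perms = set().union(*(role_perms(r) for r in regular_roles(attrs)))
    for d in DELEGATIONS:
        if d["revoked"] or now > d["expires"] or not d["cond"](attrs):
            continue
        if d["role"] not in regular_roles(USERS.get(d["delegator"], {})):
            continue
        perms |= d["perms"]
    return perms
def authorize(attrs: Attrs, perm: Perm, now: int) -> bool:
    """Authorization decision for one (resource type, action) at time `now`."""
    return perm in effective_perms(attrs, now)
```

The delegate-assignment condition, not a named delegate, decides who receives the delegation role, mirroring attribute-based assignment of regular roles.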
Performance Evaluation
  • XML: expressiveness vs. efficiency
    • Compare role assignment time and authorization time to access time
  • Hospital Scenario:
    • Users: 50,000 patients, 5,000 staffers
    • Resources: 50 resource types, 5 actions
    • Roles: 15 regular roles, 2,000 delegation roles
Performance Evaluation
  • Pentium 4 3GHz, 1 GB RAM
  • Measurements:
    • t_Authorization = 71 ms
    • t_RoleAssignment = 983 ms / 10 = 98 ms
    • t_Authorization + t_RoleAssignment = 169 ms
    • t_PortalAccess = 703 ms
    • ( t_Auth + t_RoleAssign ) / ( t_Access + t_Auth + t_RoleAssign ) = 19 %

  • Analysis:
    • The additional time for authorization is easily tolerated.
    • Role-to-User ABRA is not always necessary
Conclusion
  • Support complex health system requirements
  • Enhanced XACML’s RBAC profile with CADABRA
    • Effective policy representation
    • Dynamic permission definition, assignment, & enforcement
    • Administrative control over delegation
  • Performance analysis:
    • Extended XACML is sufficiently expressive and efficient
Future Work
  • Research Directions:
    • Formalize web-based enterprise request generation
    • Refine delegation constraints specification and aggregation
    • Access logging and auditing
    • Decompose ABRA into user-to-role & role-to-user
  • Research Documentation:
    • “XACML for RBAC and CaDABRA: Constrained Delegation and Attribute-Based Role Assignment” submitted to SACMAT 2006