940 likes | 977 Vues
Role-Based Access Control. Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu. Access Control Models: A perspective. Access Matrix Model (Lampson 1971). Objects (and Subjects). G. F. S u b j e c t s. r. r w.
E N D
Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu
Access Matrix Model (Lampson 1971) Objects (and Subjects) G F S u b j e c t s r r w U rights r w V
Access Matrix Model • Separates authentication from authorization • Rights are persistent • These items have come into question in recent times, but that is a topic for another talk. • Separates model from implementation • Policy versus mechanism • This separation continues to be valuable and will be discussed and refined later in this talk.
MAC, DAC and RBAC • For 25 years (1971-96) access control was divided into • Mandatory Access Control (MAC) • Discretionary Access Control (DAC) • Since the early-mid 1990’s Role-Based Access Control (RBAC) has become a dominant force • RBAC subsumes MAC and DAC • RBAC is not the “final” answer BUT is a critical piece of the “final” answer
Mandatory Access Control (MAC) TS S Lattice of security labels C Information Flow Dominance U Rights are determined by security labels (Bell-LaPadula 1971)
Mandatory Access Control (MAC) Objects (and Subjects) G F S u b j e c t s r r w U r w V security label of F must dominate or equal security label of G
Discretionary Access Control (DAC) • The owner of a resource determines access to that resource • The owner is often the creator of the resource • Fails to distinguish read from copy • This distinction has re-emerged recently under the name Dissemination Control (DCON)
Discretionary Access Control (DAC) Objects (and Subjects) G F S u b j e c t s r r w U r w V
Discretionary Access Control (DAC) Objects (and Subjects) G F r w own S u b j e c t s r U r w own V Rights are determined by the owners
Beyond DAC and MAC • Many attempts were made • Domain-Type enforcement (Boebert-Kain 1985) • Clark-Wilson (1987) • Chinese Walls (Brewer-Nash 1989) • Harrison-Ruzzo-Ullman (1976) • Schematic Protection Model (Sandhu 1985) • Typed Access Matrix Model (Sandhu 1992) • ………………… • RBAC solves this problem
Role-Based Access Control:The RBAC96 Model Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, “Role-Based Access Control Models.” IEEE Computer, Volume 29, Number 2, February 1996, pages 38-47.
ROLE-BASED ACCESS CONTROL (RBAC) • A user’s permissions are determined by the user’s roles • rather than identity or clearance • roles can encode arbitrary attributes • multi-faceted • ranges from very simple to very sophisticated
Central concept of RBAC USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERS ROLES PERMISSIONS
WHAT IS THE POLICY IN RBAC? • RBAC is a framework to help in articulating policy • The main point of RBAC is to facilitate security management
RBAC SECURITY PRINCIPLES • least privilege • separation of duties • separation of administration and access • abstract operations
RBAC96 IEEE Computer Feb. 1996 • Policy neutral • can be configured to do MAC • roles simulate clearances (ESORICS 96) • can be configured to do DAC • roles simulate identity (RBAC98)
WHAT IS RBAC? • multidimensional • open ended • ranges from simple to sophisticated
RBAC CONUNDRUM • turn on all roles all the time • turn on one role only at a time • turn on a user-specified subset of roles
RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS RBAC96 FAMILY OF MODELS RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC0 BASIC RBAC
USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERS ROLES PERMISSIONS ... SESSIONS RBAC0
PERMISSIONS • Primitive permissions • read, write, append, execute • Abstract permissions • credit, debit, inquiry
PERMISSIONS • System permissions • Auditor • Object permissions • read, write, append, execute, credit, debit, inquiry
PERMISSIONS • Permissions are positive • No negative permissions or denials • negative permissions and denials can be handled by constraints • No duties or obligations • outside scope of access control
ROLES AS POLICY • A role brings together • a collection of users and • a collection of permissions • These collections will vary over time • A role has significance and meaning beyond the particular users and permissions brought together at any moment
ROLES VERSUS GROUPS • Groups are often defined as • a collection of users • A role is • a collection of users and • a collection of permissions • Some authors define role as • a collection of permissions
USERS • Users are • human beings or • other active agents • Each individual should be known as exactly one user
USER-ROLE ASSIGNMENT • A user can be a member of many roles • Each role can have many users as members
SESSIONS • A user can invoke multiple sessions • In each session a user can invoke any subset of roles that the user is a member of
PERMISSION-ROLE ASSIGNMENT • A permission can be assigned to many roles • Each role can have many permissions
MANAGEMENT OF RBAC • Option 1: • USER-ROLE-ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer • Option 2: • Use RBAC to manage RBAC
... RBAC1 ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERS ROLES PERMISSIONS SESSIONS
HIERARCHICAL ROLES Primary-Care Physician Specialist Physician Physician Health-Care Provider
Supervising Engineer Hardware Engineer Software Engineer Engineer HIERARCHICAL ROLES
Hardware Engineer’ Software Engineer’ Supervising Engineer Hardware Engineer Software Engineer Engineer PRIVATE ROLES
EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)
EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)
EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) PROJECT 1 PROJECT 2
EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) PROJECT 1 PROJECT 2
... RBAC3 ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS CONSTRAINTS SESSIONS
CONSTRAINTS • Mutually Exclusive Roles • Static Exclusion: The same individual can never hold both roles • Dynamic Exclusion: The same individual can never hold both roles in the same context
CONSTRAINTS • Mutually Exclusive Permissions • Static Exclusion: The same role should never be assigned both permissions • Dynamic Exclusion: The same role can never hold both permissions in the same context
CONSTRAINTS • Cardinality Constraints on User-Role Assignment • At most k users can belong to the role • At least k users must belong to the role • Exactly k users must belong to the role
CONSTRAINTS • Cardinality Constraints on Permissions-Role Assignment • At most k roles can get the permission • At least k roles must get the permission • Exactly k roles must get the permission
The NIST-ANSI and (hopefully) soon-to-be ISO RBAC Standard Model David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli. “Proposed NIST Standard for Role-Based Access Control.” ACM Transactions on Information and System Security, Volume 4, Number 3, August 2001, pages 224-274.
The NIST-ANSI-ISO RBAC Model • Adds much needed detail and consensus agreement to the RBAC96 model and other contemporary models • Focuses on areas where consensus agreement exists and commercial implementations have been demonstrated • Leaves many important areas for future work • Eventual goal is much more ambitious • Test suite for conformance testing
RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS RBAC96 FAMILY OF MODELS RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC0 BASIC RBAC
The NIST-ANSI-ISO RBAC Model • Additional details • Administrative Functions • Supporting System Functions • Review Functions