1 / 29

XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment

XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment. Brian Garback. © Brian Garback 2005. Talk Outline. RBAC Introduction XACML Introduction XACML Profile for RBAC Enhancements to RBXACML Attribute-Based Role Assignment

shea
Télécharger la présentation

XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. XACML for RBAC and CADABRAConstrained Delegation and Attribute-Based Role Assignment Brian Garback © Brian Garback 2005

  2. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  3. Role-Based Access Control Users • Formalized by Sandhu et al. in 1996 Roles Permissions Read Prescription Physician Write Prescription Nurse Read Medical Record Patient Write Medical Record Admin ⋮

  4. Hierarchical RBAC Users Roles Permissions Surgeon Operate Radiologist Interpret X-Ray Physician Write Prescription Patient Read Prescription Read Demographics Universal ⋮

  5. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  6. XACML from • XML extension language to specify and enforce authorization policies • XACML 2.0 approved Feb 2005 • XACML provides: • Context-aware security policy language • Policy combination • Extensibility

  7. XACML System Design

  8. XML Structure

  9. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  10. XACML Profile for RBAC • Draft v2.0 approved Sept. 2004 contains • Assigning Role Attributes • Core and Hierarchical RBAC implementation • Two Shortcomings: • Lacks a clear role assignment specification • No mention of permission delegation

  11. RBXACML Implementation • Role Assignment Policy • Defines which roles are assigned to which subjects • Permission Policy Set • Contains all the permissions associated with a role • Role Policy Set • Associates a role with a PPS • Hierarchy is formed by PPS referencing other PPS’s

  12. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  13. Attribute-Based Role Assignment • Original RBAC: • Al-Kahtani presented ABRA in 2002: Physician subject-id = 5 If subject-id = 5 Physician If holds physician role in highly-trusted remote domain

  14. Delegation • Giving a portion of one’s authority to another • Motivating examples: • Physician to Physician • Permissions while on vacation • Physician to Medical Student • Permission to read a patient’s record

  15. Previous Work in Delegation • 1999 - Sandhu introduced ARBAC • Delegation among role administrators • 2000 – Barka proposed RBDM0 • Multi-step delegation in a role hierarchy • 2002 – Zhang described RDM2000 • A rule based framework for role-based delegation • 2003 – Zhang presented PBDM • Permission-level delegation in a role hierarchy • 2004 – Ye pioneered ABDM • Delegation management and constraints

  16. Constraining Delegation • Which permissions are delegatable • Allow some subset within a role to be delegatable • How permissions can be delegated • Delegation condition • Fulfilled by delegator before he can delegate a permission • Delegate assignment condition • Fulfilled by delegate before a delegated permission can be assigned to him

  17. Maintaining Hierarchical RBAC • Delegation must conform to RBAC requirements • Use standard role definition and assignment • Delegation role assignments are contingent on the delegator’s assignment to the regular role • No user may alter the role hierarchy • Multi-step Delegation • Delegation constraints are inherited by all delegation roles • Hierarchical Delegation • A delegator may delegate a subset of a role’s inherited roles

  18. Revocation • Delegation necessitates Revocation • Methods: • Constrain role assignment by time period • Explicit revocation by a delegator or admin • Multi-step: • If a delegator’s role is revoked, associated delegation roles are revoked

  19. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  20. RBAC & CADABRA Implementation • Two policy types: • Role Assignment Policy (RAP): rules to assign roles to subjects • Permission Policy (PP): permissions associated with a role • Role = { RAP, PP }

  21. XACML for CADABRA

  22. Authorization Architecture

  23. Physician to Medical Student

  24. Talk Outline • RBAC Introduction • XACML Introduction • XACML Profile for RBAC • Enhancements to RBXACML • Attribute-Based Role Assignment • Constrained Delegation of Permission • Design & Implementation • Performance Evaluation

  25. Performance Evaluation • XML: expressiveness vs. efficiency • Compare role assignment time and authorization time to access time • Hospital Scenario: • Users: 50,000 patients, 5,000 staffers • Resources: 50 resource types, 5 actions • Roles: 15 regular roles, 2,000 delegation roles

  26. Performance Evaluation • Pentium 4 3GHz, 1 GB RAM tAuthorization = 71 ms tRole Assignment = 983 ms / 10 = 98 ms tAuthorization + tRole Assignment = 169 ms tPortal Access = 703 ms ( tAuth + tRole Assign ) / ( tAccess + tAuth + tRole Assign ) = 19 % • Analysis: • The additional time for authorization is easily tolerated. • Role-to-User ABRA is not always necessary

  27. Conclusion • Support complex health system requirements • Enhanced XACML’s RBAC profile with CADABRA • Effective policy representation • Dynamic permission definition, assignment, & enforcement • Administrative control over delegation • Performance analysis: • Extended XACML is sufficiently expressive and efficient t Authorization + t Role Assignment = 169 ms

  28. Future Work • Research Directions: • Formalize web-based enterprise request generation • Refine delegation constraints specification and aggregation • Access logging and auditing • Decompose ABRA into user-to-role & role-to-user • Research Documentation: • “XACML for RBAC and CaDABRA: Constrained Delegation and Attribute-Based Role Assignment” submitted to SACMAT 2006

More Related