Announcements CS590U � Class mailing list Access Control: Theory and � David Ferraiolo visit on Sep 16/17 Practice � sign-up sheet to meet him after the class � Proposal due Sep 30 (20% of grade) Lecture 5 (September 9 th ) � Student lectures (From Oct 16 to Nov The Proposed NIST RBAC 25) Standard and Constraints 2 Topics Covered Previously Topics to Be Covered � Why a course on access control � Trust management � Principles of access control � PolicyMaker, KeyNote, SPKI/SDSI, RT � Access Matrix Model � background on logic and Datalog � Graham-Denning � Access control in databases � HRU (adequacy of the simple safety � Mandatory Access Control problem) � Guest lectures � DAC, MAC � Student lectures � RBAC: RBAC96 model 3 4 Overview of the Proposal NIST Standard for RBAC Core RBAC (1) � USERS � ROLES Dynamic Static � OBS Hierarchical Separation Separation of � OPS RBAC of Duties Duties � PRMS = 2 ( OPS× OBS ) � Op : ( p : PRMS ) → 2 OPS Core RBAC � Ob : ( p : PRMS ) → 2 OBS 5 6 1
Core RBAC (2) Core RBAC (3) � UA ⊆ USERS × ROLES � SESSIONS � assigned_users : ( r : Roles ) → 2 USERS � session_users : ( s : SESSIONS ) → USERS � PA ⊆ PRMS × ROLES � user_sessions : ( u : USERS ) → 2 SESSIONS � assigned_permissions : ( r : Roles ) → 2 PRMS � session_roles : ( s : SESSIONS ) → 2 ROLES � avail_session_perms : ( s : SESSIONS ) → 2 PRMS 7 8 Hierarchical RBAC: Hierarchical RBAC: Generalized Role Hierarchies Limited Role Hierarchies � RH ⊆ ROLES × ROLES � Role Hierarchies with the limitation that each role has at most one immediate � user inheritance & permission inheritance � we say r 1 inherits r 2 if r 1 ≥ r 2 senior � authorized_users : ( r : Roles ) → 2 USERS � Role hierarchies form a forest � authorized_permissions : ( r : Roles ) → 2 PRMS 9 10 Constrained RBAC: Constrained RBAC: Motivations Static SoD � SSD ⊆ (2 ROLES × N) is a collection of pairs Example of SoD � ( rs , n ) The following duties shall be performed � by different individuals: � rs : a role set Check request reviewer n ≥ 2 is a natural number � n : 1. Check preparer 2. � For each ( rs , n ), no user is authorized Check issuer 3. for n or more roles in rs Check deliverer 4. Ledger reviewer 5. 11 12 2
Constrained RBAC: SoD with Role Hierarchies Dynamic SoD � DSD ⊆ (2 ROLES × N) is a collection of pairs � Two roles can be mutually exclusive only if neither one inherits the other ( rs , n ) � rs : a role set � If two roles are mutually exclusive, no n ≥ 2 is a natural number role can inherit from both � n : � For each ( rs , n ), no user is allowed to � If two roles are mutually exclusive, activate n or more roles in rs in one there can be no “root” or “super user”. session 13 14 Functional Specification Functional Specifications for Core RBAC (1) � Administrative functions � Administrative functions � Supporting system functions � AddUser, DeleteUser, AddRole, DeleteRole � AssignUser, DeassignUser � Review functions � GrantPermission, RevokePermission � Supporting system functions � CreateSession, AddActiveRole, DropActiveRole, CheckAccess 15 16 Functional Specification Functional Specification for Core RBAC (2) for Hierarchical RBAC (1) � Review functions (mandatory) � Administrative functions � all the administrative functions for core � AssignedUsers(r), AssigendRoles(u) � semantics for some functions may need to be � Review functions (optional) redefined � RolePermission(r), UserPermission(u) � AddInheritance, DeleteInheritance � SessionRoles(s), SessionPermissions(s) � AddAscendant, AddDescendant � Supporting System Functions � RoleOperationsOnObject(o) � Same as core (issue of activation � UserOperationsOnObject(o) hierarchy) 17 18 3
Functional Specification Functional Specification for for Hierarchical RBAC (2) SSD (1) � Administrative functions � Review functions (mandatory) � all the administrative functions for core � AssignedUsers(r), AssigendRoles(u) � CreateSSDSet, DeleteSSDSet � AuthorizedUsers(r), AuthorizedRoles(u) � AddSSDRoleMember � Review functions (optional) � DeleteSSDRoleMember � All the optional review functions for core � SetSSDCardinality � Supporting system functions � same as core 19 20 Functional Specification for Functional Specification for SSD (2) DSD (1) � Administrative functions � Review functions � all the administrative functions for core � all the review functions for core � CreateDSDSet, DeleteDSDSet � SSDRoleSets � AddDSDRoleMember � SSDRoleSetRoles � DeleteDSDRoleMember � SSDRoleSetCardinality � SetDSDCardinality � Supporting system functions � same as core 21 22 Functional Specification for SoD and Permission DSD (2) Assignments (1) � Review functions � Mutually exclusive roles is a means rather than an end � all the review functions for core � DSDRoleSets � SoD is the goal: � DSDRoleSetRoles � no single user possesses all the permissions needed to accomplish a � DSDRoleSetCardinality sensitive task 23 24 4
SoD and Permission Assignments (2) A Project Topic (1) � A permission assignment problem � How do we know SoD goals has been achieved by constraints? � Giving a set of tasks where each task requires a set of permissions, assign � sensitive tasks and the permissions they permissions to roles such that no single require need to be identified role has access to all permissions required � SoD may be more complicated by any task � a sensitive task may be completed by a � Graph coloring problem user having some property 25 26 A Project Topic (2) Temporal constraints � Tasks: � Why temporal constraints � Design a language to specify SoD � limit resource use objectives. � may be required for controlling time- � Given SoD objectives and permission sensitive activities assignments, verify that constraints satisfy � TRBAC [Bertino, Bonatti, and Ferrari] the objectives. � Assume a fixed permission assignments, � GTRBAC [Joshi, Bertino, and Ghafoor] generate mutually exclusive constraints to satisfy the SoD objectives. 27 28 Representation of time-related General form of temporal concepts constraints � Periodicity ([Begin, End], P ) � ( X , E ) � P is the periodic expression denoting a set � X is either a periodic time or a duration of periodic time instants � E is an event expression � e.g., ([1/1/2002, 12/31/2002], Mondays), (([1-Nov-2002,31-March-2003], 22-06) � Duration D � specifies a length of time 29 30 5
Temporal Constraints Temporal Constraints � Role-enabling and -disabling constraints � Role-activation and –deactivation constraints � Periodicity constraints, e.g., (([1-Nov-2002,31-March-2003], 22-06), � only duration is allowed enable doctor-on-call) � e.g., (45 Min, active download-SHR) � Duration constraints � Temporal constraints on user-role (2 Hours, enable NurseInTraining) assignments � e.g., ([1-Nov-2002,31-Dec-2002], assign Dr.Ken to consulting-physician) 31 32 Temporal constraints and Role Hierarchies � Permission inheritance becomes more complicated � a junior role may not be enabled 33 6
Recommend
More recommend
