Delegation in Role-Based Access Control - PowerPoint PPT Presentation

SLIDE 1

Introduction · Delegation operations in hierarchical RBAC · Controlling delegation · Enforcing transfer delegation semantics · Conclusion

Delegation in Role-Based Access Control

Jason Crampton · Hemanth Khambhammettu

Information Security Group, Royal Holloway, University of London

ESORICS · Hamburg · 2006

SLIDE 2

Outline

1. Introduction
2. Delegation operations in hierarchical RBAC
3. Controlling delegation
4. Enforcing transfer delegation semantics
5. Conclusion

SLIDE 4

Delegation

  • Delegation is a lightweight method for assigning temporary permissions to a user
  • A delegator is required to be authorized for the delegated permission
  • Administration is a general term for the methods by which an authorization policy can be updated (including authorizing a user for a permission)
  • An administrator is not necessarily required to be authorized for the permission

SLIDE 6

Delegation operations

Grant
  • A delegator may grant a permission p to a delegatee
  • The delegator is still authorized for p
  • Monotonic

Transfer
  • A delegator may transfer p
  • The delegator is no longer authorized for p
  • Non-monotonic

SLIDE 9

Role-based access control

  • Role hierarchy: a partially ordered set of roles (R, )
  • User-role assignment relation: UA ⊆ U × R
  • Permission-role assignment relation: PA ⊆ P × R

SLIDE 11

Role-based access control

  • Authorized roles: u is authorized for role r′ if there exists r r′ and (u, r) ∈ UA
  • Authorized permissions: u is authorized for permission p if there exists a role r for which u is authorized and (p, r) ∈ PA

SLIDE 13

Role-based access control

  • Sessions: u creates a session by activating some subset of the roles for which she is authorized
  • Authorized requests: a request by u for permission p is granted if u has activated a role r such that (p, r) ∈ PA

SLIDE 16

Motivation

  • Delegation in RBAC has focused on delegation of roles (interpreted as a set of permissions)
  • Existing models for delegation in RBAC only consider grant operations
  • The existence of the hierarchy makes enforcing transfer operations difficult
  • Existing models for delegation are simplistic and lack controls on the propagation of permissions and roles

SLIDE 19

Delegation operations and their semantics

grantRole(u, v, d)
  • Delegator u grants role d to delegatee v
  • u continues to be authorized for all roles in ↓d

[Figure: role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 21

Delegation operations and their semantics

transferRoleStrong(u, v, d)
  • Delegator u transfers role d to delegatee v
  • u is no longer authorized for any role in ↓d

[Figure: role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 23

Delegation operations and their semantics

transferRoleStatic(u, v, d)
  • Delegator u transfers role d to delegatee v
  • u is no longer authorized for any role x ∈ ↓d unless there exists r = d such that r x and (u, r) ∈ UA

[Figure: role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 25

Delegation operations and their semantics

transferRoleDynamic(u, v, d)
  • Delegator u transfers role d to delegatee v
  • u is no longer authorized for any role x ∈ ↓d unless u has activated a role r = d such that r x

[Figures: two copies of the role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 27

Administrative scope

  • Fundamental concept in the RHA family of administrative models
  • Maps a role r to a set of roles σ(r)
  • σ(r) = {r′ r : ↑r′ ⊆ ↓r ∪ ↑r}
  • If r′ ∈ σ(r), every path upwards from r′ passes through r

Values for the hierarchy in the figure:
  • σ(a) = {a, b, . . . , h}
  • σ(b) = {b, d}
  • σ(d) = {d}

[Figure: role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 28

Administrative scope and delegation operations

It can be shown that the set of roles denied
  • by a static transfer of r is σ(r)
  • by a dynamic transfer of r is σ(r), where σ is evaluated in the sub-poset of R generated by the set of activated roles

SLIDE 33

Should a delegation request be granted?

A delegator u makes a request to delegate role r to delegatee v
  • Is the delegator authorized to delegate a role or permission that is available to him?
  • Should the delegatee receive the delegated role or permission?

SLIDE 35

Using delegation relations

can-delegate ⊆ R × R
  • (r, r′) ∈ can-delegate means that u can delegate role r′ if she has activated role r
  • For all (r, r′) ∈ can-delegate we require r r′

can-receive ⊆ R × 2^R
  • (r, C) ∈ can-receive means that v can receive role r if she is assigned to all roles in C
  • Optionally, we may require that for all (r, C) ∈ can-receive and for all r′ ∈ C, r r′

SLIDE 38

Using administrative scope

The administrative scope of a session s is defined to be

    σ(s) = ⋃_{r∈s} σ(r)

  • A user u running session s may delegate r′ if r′ ∈ σ(s)
      • u may delegate any role she controls (as defined by σ)
  • A user v may receive the delegation of role r′ from user u if for all r < r′ such that r ∈ σ(s), v is authorized for r
      • u may not (indirectly) authorize v (via the delegation of r) for any roles that u does not control

SLIDE 41

Using administrative scope

  • A user u who has activated b can delegate role d because d ∈ σ(b)
  • A request by u to delegate d to a user v who is already assigned to g will be granted
  • A request by u to delegate d to a user w who is only assigned to h will be denied

[Figure: role hierarchy on roles a, b, c, d, e, f, g, h]

SLIDE 43

Comparison

Relation-based approach
  • Very similar to ARBAC97 (Sandhu et al.) and a number of delegation models related to ARBAC97
  • The novelty of our approach is to separate the conditions on giving and receiving delegated roles
  • This provides greater modularity and ease of management
  • The increase in power of a delegatee is determined by the configuration of can-receive
  • Changes to the role hierarchy may “break” the delegation relations

SLIDE 45

Comparison

Administrative scope-based approach
  • Very similar to RHA family of administrative models (Crampton and Loizou)
  • Delegation is controlled by the shape of the hierarchy and the delegator’s own capabilities
  • The increase in power of a delegatee is limited by the power of the delegator
  • It is not fragile with respect to changes in the hierarchy

SLIDE 48

Recording delegations

  • The delegation history relation DH records all successful delegation requests
      • Contains a unique identifier, the delegator, the delegatee, the delegated role, and a delegation mask
  • The tempUA relation records all user-role assignments that arise from delegation operations
      • (i, u, r, +) ∈ tempUA means that u (as a delegatee) is assigned to r (as a result of delegation operation with identifier i)
      • (i, u, r, −) ∈ tempUA means that u (as a delegator) is no longer assigned to r (as a result of a transfer operation)

SLIDE 51

Examples

transferRoleStrong(u, v, r)
    tempUA ← tempUA ∪ {(i, v, r, +)} ∪ {(i, u, r′, −) : r′ r}

transferRoleStatic(u, v, r)
    tempUA ← tempUA ∪ {(i, v, r, +)} ∪ {(i, u, r′, −) : r′ ∈ σ(u, ↓R(u))}

transferRoleDynamic(u, v, r)
    tempUA ← tempUA ∪ {(i, v, r, +)} ∪ {(i, u, r′, −) : r′ ∈ σ(u, ↓s(u))}

SLIDE 53

Deciding access requests

  • Authorized roles: a user u is authorized for role r′ if there exists r r′ and (u, r) ∈ UA and there does not exist a tuple (i, u, r′, −) ∈ tempUA
  • Authorized permissions: u is authorized for permission p if there exists a role r for which u is authorized and (p, r) ∈ PA and there does not exist a tuple (i, u, p, −) ∈ tempPA
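
The administrative-scope slides and the tempUA slides can be exercised together; the following is an added example, not code from the presentation or its authors. Assumptions: the hierarchy is constructed here (the slides' diagram did not survive) so that it reproduces the stated σ(a), σ(b) and σ(d); the order symbols missing from the slide text are read as "junior to" in σ and "senior to" in the authorization rule; "+" tuples count as assignments; and the `Policy` class and its method names are hypothetical.

```python
import itertools

# Constructed hierarchy (the slides' diagram is lost): role -> immediate juniors.
JUNIORS = {"a": {"b", "c"}, "b": {"d", "e"}, "c": {"e", "f"},
           "d": {"g"}, "e": {"g", "h"}, "f": {"h"}, "g": set(), "h": set()}

def down(role):
    """Down-set: the role and every role junior to it."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(JUNIORS[r])
    return seen

def up(role):
    """Up-set: the role and every role senior to it."""
    return {r for r in JUNIORS if role in down(r)}

def scope(role):
    """sigma(role): juniors of role whose whole up-set lies in down(role) | up(role)."""
    allowed = down(role) | up(role)
    return {r for r in down(role) if up(r) <= allowed}

def session_scope(active):
    """Administrative scope of a session: union of sigma(r) over activated roles."""
    return set().union(*(scope(r) for r in active))

class Policy:
    def __init__(self, ua):
        self.ua = set(ua)        # permanent (user, role) pairs
        self.temp_ua = set()     # (id, user, role, "+" or "-") tuples
        self._ids = itertools.count(1)

    def authorized_roles(self, user):
        """Roles reachable from UA or a '+' tuple, minus roles with a '-' tuple."""
        assigned = {r for u, r in self.ua if u == user}
        assigned |= {r for _, u, r, s in self.temp_ua if u == user and s == "+"}
        denied = {r for _, u, r, s in self.temp_ua if u == user and s == "-"}
        return set().union(*(down(r) for r in assigned)) - denied

    def transfer_role_strong(self, delegator, active, delegatee, role):
        """Apply a strong transfer; return its identifier, or None if refused."""
        held = self.authorized_roles(delegator)
        if not set(active) <= held:      # a session only holds authorized roles
            return None
        if role not in held or role not in session_scope(active):
            return None
        i = next(self._ids)
        self.temp_ua.add((i, delegatee, role, "+"))
        self.temp_ua |= {(i, delegator, r, "-") for r in down(role)}
        return i

if __name__ == "__main__":
    p = Policy({("u", "b"), ("v", "g")})
    print(sorted(scope("b")), p.transfer_role_strong("u", {"b"}, "v", "d"))
    print(sorted(p.authorized_roles("u")), sorted(p.authorized_roles("v")))
```

In this constructed hierarchy the strong transfer of d also removes g from u, even though g is still junior to e, which u keeps through b; that over-removal is what the static and dynamic variants relax.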

SLIDE 55

Contributions and related work

Characteristic            RBDM0   RDM2000   PBDM   Our model
Role delegation           ✓       ✓         ✓      ✓
Permission delegation     ✗       ✗         ✓      ✓
Grant delegation          ✓       ✓         ✓      ✓
Transfer delegation       ✗       ✗         ✗      ✓
Controlling delegations   ✓       ✓         ✓      ✓
Implicit updates          ✗       ✗         ✗      ✓
Delegation history        ✗       ✓         ✗      ✓
Temporary assignments     ✓       ✓         ✓      ✓
Revocation                ✓       ✓         ✓      ✓

SLIDE 56

Future work

  • Develop a model and operational semantics for revocation
  • Investigate the use of our delegation model in workflow systems
  • Investigate the synthesis of existing delegation and administrative models

SLIDE 57

Questions