© 2005 Ravi Sandhuwww.list.gmu.edu

Administrative Scope(best viewed in slide show mode)

Ravi SandhuLaboratory for Information Security Technology

George Mason Universitywww.list.gmu.edusandhu@gmu.edu

2

© 2005 Ravi Sandhuwww.list.gmu.edu

Administrative Scope

• Jason Crampton and George Loizou. “Administrative scope: A foundation for role-based administrative models.” ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages 201-231.

• Several diagrams and text excerpts are taken directly from this paper.

3

© 2005 Ravi Sandhuwww.list.gmu.edu

Administrative Scope

4

© 2005 Ravi Sandhuwww.list.gmu.edu

Example Hierarchies

5

© 2005 Ravi Sandhuwww.list.gmu.edu

NotationImmediate children Immediate parents Minimal roles

Maximal roles

Junior roles Senior roles

6

© 2005 Ravi Sandhuwww.list.gmu.edu

Four Operations

7

© 2005 Ravi Sandhuwww.list.gmu.edu

Semantics of Edge Operations

8

© 2005 Ravi Sandhuwww.list.gmu.edu

Edge Insertion Anomaly

YNN

NNY

AddEdge(DSO,PE1,QE1) Y

9

© 2005 Ravi Sandhuwww.list.gmu.edu

Administrative Scope

10

© 2005 Ravi Sandhuwww.list.gmu.edu

Evolving Administrative Scope

Dynamic administrative scopeVersusStatic can-modify

11

© 2005 Ravi Sandhuwww.list.gmu.edu

Administrative Scoper is an immediate child of r’

12

© 2005 Ravi Sandhuwww.list.gmu.edu

RHA Conditions for Four Operations

• These conditions always apply• RHA1

• Additional conditions may be imposed• RHA2, RHA3, RHA4

13

© 2005 Ravi Sandhuwww.list.gmu.edu

RHA1

• Regular roles are also administrative roles

• A role administers roles in its administrative scope

• No further conditions

• Too permissive• ED administers E

14

© 2005 Ravi Sandhuwww.list.gmu.edu

RHA2

• RHA1 plus

• Only roles explicitly designated as administrators can administer• Say DIR, PL1, PL2 but not ED and the others

15

© 2005 Ravi Sandhuwww.list.gmu.edu

RHA3

16

© 2005 Ravi Sandhuwww.list.gmu.edu

RHA3