ACSAC 2002 © Mohammad al-Kahtani 2002
A Model for Attribute-Based User-Role Assignment
Mohammad A. Al-Kahtani, George Mason University, [email protected]
Ravi Sandhu, SingleSignOn.net, Inc. & George Mason University
Presentation Roadmap
1. Introduction
2. Problem Description
3. Suggested Solution
4. Case Study
5. Expressing MAC
Introduction
• Role-Based Access Control (RBAC): a proven alternative to DAC and MAC
• RBAC basic components:
 1. Users
 2. Roles
 3. Permissions
• Simplified RBAC model (figure): Users are linked to Roles by User Assignment (UA), Roles are linked to Permissions by Permission Assignment (PA), and Roles are ordered by a Role Hierarchy.
Problem Description
• In RBAC, user-to-role assignment is done manually
• Many enterprises have huge customer bases: banks, utility companies, popular web sites
• Manual assignment becomes a formidable task
Suggested Solution
• Modify RBAC to allow automatic user-role assignment by introducing authorization rules
• Authorization rule structure: Attributes Expression → Roles, with Constraints attached to the rule
• Rule-Based RBAC (RB-RBAC) model (figure): Users carry Attribute values; Attributes Expressions evaluated over those values are mapped by authorization rules to Roles; Roles are mapped to Permissions; Constraints apply to the rules.
• Attribute values:
 1. Stored locally
 2. Provided by users
 3. Other means
• Attributes expressions:
 1. Expressed in the RB-RBAC language
 2. Constitute the LHS of authorization rules
• The production rules of the RB-RBAC language are given in BNF notation.
• Constraints: future work
• Seniority-level relations among authorization rules
 Rule i: AttributesExpression_i → Roles_i
 Rule j: AttributesExpression_j → Roles_j
 Rule i is senior to Rule j if AttributesExpression_i logically implies AttributesExpression_j
• Seniority-level anomalies
 1. Redundancy
  (a) Rule i is senior to Rule j; Rule i → Role 1 & Role 2; Rule j → Role 1. Every user who satisfies Rule i also satisfies Rule j, so granting Role 1 in Rule i is redundant.
  (b) Rule i is senior to Rule j; Rule i → Role 1; Rule j → Role 2; Role 1 is senior to Role 2 in the role hierarchy. Role 1 already inherits Role 2, so Rule j adds nothing for users who satisfy Rule i.
 2. Inconsistency
  Rule i is senior to Rule j; Rule i → Role 1; Rule j → Role 2; Role 1 and Role 2 are mutually exclusive. Every user who satisfies Rule i also satisfies Rule j and would be assigned both roles, violating the exclusion.
Case Study
• Online entertainment store
• Suggested rating system
• Attributes: Age, Country

 Rating level   Role
 Strict         Child
 Less strict    Juvenile
 Liberal        Adolescent
 Graphic        Adult
• Attribute: Age
 1. Rule 1:: (Age ≥ 3) → Child
 2. Rule 2:: (Age ≥ 11) → Juvenile
 3. Rule 3:: (Age ≥ 16) → Adolescent
 4. Rule 4:: (Age ≥ 18) → Adult

 Age    Role
 ≥ 3    Child
 ≥ 11   Juvenile
 ≥ 16   Adolescent
 ≥ 18   Adult
• Attribute: Country
 1. Rule 1:: (Country IN {A..Z}) → Juvenile
 2. Rule 2:: (Country IN {{A..Z} – {Saudi, Sudan}}) → Adolescent
 3. Rule 3:: (Country IN {{A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}}) → Adult

 Country                                                                                    Role
 Country in {A..Z}                                                                          Juvenile
 Country in {{A..Z} – {Saudi, Sudan}}                                                       Adolescent
 Country in {{A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}}  Adult
• Authorization rules for the 2 attributes:
 1. Rule 1:: (Age ≥ 3) AND (Country IN {A..Z}) → Child
 2. Rule 2:: (Age ≥ 11) AND (Country IN {A..Z}) → Juvenile
 3. Rule 3:: (Age ≥ 16) AND (Country IN {{A..Z} – {Saudi, Sudan}}) → Adolescent
 4. Rule 4:: (Age ≥ 18) AND (Country IN {{A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}}) → Adult
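Added example, not code from the slides or the paper: a small Python RB-RBAC engine for the rule form used in the suggested-solution slides (attributes expression → roles, rule seniority as logical implication, the redundancy and inconsistency anomalies), instantiated with the four case-study rules above. The finite country set standing in for {A..Z}, the role seniority relation and the mutually exclusive role pair are assumptions made so that the anomaly checks have something to find.

```python
"""Added example (not from the ACSAC 2002 slides or paper): an RB-RBAC rule
engine for authorization rules of the case-study form

    (Age >= a) AND (Country IN S)  ->  Roles

Because every left-hand side has this shape, rule seniority (LHS_i logically
implies LHS_j) is decidable exactly:  a_i >= a_j  and  S_i is a subset of S_j.
Assumptions for the illustration: ALL stands in for the slides' {A..Z},
ROLE_SENIORITY and MUTEX are constructed role relations.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed stand-in for {A..Z}: any finite set of country names works.
ALL = frozenset({"Brazil", "China", "Egypt", "France", "India", "Indonesia",
                 "Malaysia", "Saudi", "Singapore", "Sudan", "UK", "USA"})


@dataclass(frozen=True)
class Rule:
    name: str
    min_age: int               # LHS conjunct: Age >= min_age
    countries: FrozenSet[str]  # LHS conjunct: Country IN countries
    roles: FrozenSet[str]      # RHS: roles granted when the LHS holds

    def matches(self, age: int, country: str) -> bool:
        return age >= self.min_age and country in self.countries


# The four rules of the case study (slide "Authorization rules for the 2 attributes").
CASE_STUDY_RULES: List[Rule] = [
    Rule("Rule 1", 3, ALL, frozenset({"Child"})),
    Rule("Rule 2", 11, ALL, frozenset({"Juvenile"})),
    Rule("Rule 3", 16, ALL - {"Saudi", "Sudan"}, frozenset({"Adolescent"})),
    Rule("Rule 4", 18, ALL - {"China", "India", "Saudi", "Sudan", "Egypt",
                              "Indonesia", "Malaysia", "Singapore"},
         frozenset({"Adult"})),
]


def assign_roles(rules: List[Rule], age: int, country: str) -> FrozenSet[str]:
    """Automatic user-role assignment: union of the RHS of every rule whose
    attribute expression is satisfied by the user's attribute values."""
    granted: Set[str] = set()
    for r in rules:
        if r.matches(age, country):
            granted |= r.roles
    return frozenset(granted)


def is_senior(ri: Rule, rj: Rule) -> bool:
    """Rule i is senior to Rule j iff LHS_i logically implies LHS_j, i.e.
    every user who satisfies Rule i necessarily satisfies Rule j."""
    return ri.min_age >= rj.min_age and ri.countries <= rj.countries


def role_is_senior(a: str, b: str, seniority: Dict[str, Set[str]]) -> bool:
    """Transitive closure of the role hierarchy: is role a senior to role b?"""
    seen: Set[str] = set()
    stack = [a]
    while stack:
        r = stack.pop()
        for junior in seniority.get(r, ()):
            if junior == b:
                return True
            if junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return False


def find_anomalies(rules: List[Rule], seniority: Dict[str, Set[str]],
                   mutually_exclusive: Set[FrozenSet[str]]
                   ) -> Tuple[List[tuple], List[tuple]]:
    """Return (redundant, inconsistent) tuples (rule_i, rule_j, role_a, role_b).

    With Rule i senior to Rule j, a user matching i always also receives
    Rule j's roles, so:
      - redundancy: a role in RHS_i is already in RHS_j, or is senior to one
        in RHS_j (the junior role adds nothing the senior role lacks);
      - inconsistency: a role in RHS_i and a role in RHS_j are mutually
        exclusive, so such a user can never be assigned both.
    """
    redundant, inconsistent = [], []
    for ri, rj in permutations(rules, 2):
        if not is_senior(ri, rj):
            continue
        for a in ri.roles:
            for b in rj.roles:
                if a == b or role_is_senior(a, b, seniority):
                    redundant.append((ri.name, rj.name, a, b))
                if frozenset({a, b}) in mutually_exclusive:
                    inconsistent.append((ri.name, rj.name, a, b))
    return redundant, inconsistent


# Constructed role relations for the demonstration (not from the slides).
ROLE_SENIORITY: Dict[str, Set[str]] = {"Adult": {"Adolescent"},
                                       "Adolescent": {"Juvenile"},
                                       "Juvenile": {"Child"}}
MUTEX: Set[FrozenSet[str]] = {frozenset({"Adult", "Child"})}

if __name__ == "__main__":
    print(sorted(assign_roles(CASE_STUDY_RULES, 20, "France")))
    print(sorted(assign_roles(CASE_STUDY_RULES, 20, "Saudi")))
    red, inc = find_anomalies(CASE_STUDY_RULES, ROLE_SENIORITY, MUTEX)
    print("redundant:", red)
    print("inconsistent:", inc)
```

Because every LHS is a conjunction of a lower bound on Age and a set membership on Country, implication between rules reduces to comparing the bound and the sets; a general attribute language in the BNF of the RB-RBAC language would need a decision procedure (an SMT solver, say) for the same seniority test. The engine also trusts its inputs: where attribute values are provided by users (the second source on the attribute-values slide), they must be verified before evaluation, otherwise a user picks their own roles.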
Expressing MAC
Security lattice (a chain, highest level first): Adult, Adolescent, Juvenile, Child
Role hierarchies derived from the lattice, one read role and one write role per level:
 Read roles: Adult Read (AR), Adolescent Read (DR), Juvenile Read (JR), Child Read (CR)
 Write roles: Adult Write (AW), Adolescent Write (DW), Juvenile Write (JW), Child Write (CW)
Authorization rules:
 Rule 1:: (Age ≥ 3) AND (Country IN {A..Z}) → CR AND CW
 Rule 2:: (Age ≥ 11) AND (Country IN {A..Z}) → JR AND JW
 Rule 3:: (Age ≥ 16) AND (Country IN {{A..Z} – {Saudi, Sudan}}) → DR AND DW
 Rule 4:: (Age ≥ 18) AND (Country IN {{A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}}) → AR AND AW
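Added example, not code from the slides: the "Expressing MAC" construction in Python. The slides name the read and write roles but do not spell out the direction of the two role hierarchies; the code assumes Sandhu's 1996 construction for lattice-based access control in RBAC (read roles ordered like the lattice, write roles ordered the reverse way, giving the simple-security and liberal *-properties: read down, write up). The object labels used to exercise the checks are constructed.

```python
"""Added example (not from the slides): the case study's security lattice
expressed as two role hierarchies, plus the access checks that follow.

Assumed direction (Sandhu's LBAC-in-RBAC construction, liberal *-property):
    read roles inherit downwards:  AR >= DR >= JR >= CR
    write roles inherit upwards:   CW >= JW >= DW >= AW
A user whose authorization rule fires gets exactly LR AND LW for their level.
"""
from typing import Dict, FrozenSet, Set, Tuple

# Security lattice: a chain, listed from the lowest level upward.
LEVELS = ["Child", "Juvenile", "Adolescent", "Adult"]
READ_ROLE = {"Child": "CR", "Juvenile": "JR", "Adolescent": "DR", "Adult": "AR"}
WRITE_ROLE = {"Child": "CW", "Juvenile": "JW", "Adolescent": "DW", "Adult": "AW"}


def role_hierarchy() -> Dict[str, Set[str]]:
    """role -> every role it is senior to (itself included)."""
    juniors: Dict[str, Set[str]] = {}
    for i, lv in enumerate(LEVELS):
        juniors[READ_ROLE[lv]] = {READ_ROLE[x] for x in LEVELS[: i + 1]}  # read down
        juniors[WRITE_ROLE[lv]] = {WRITE_ROLE[x] for x in LEVELS[i:]}      # write up
    return juniors


def rule_roles(level: str) -> FrozenSet[str]:
    """RHS of the authorization rule for a user at `level`: the matching
    read and write role, e.g. AR AND AW for an Adult."""
    return frozenset({READ_ROLE[level], WRITE_ROLE[level]})


def effective_roles(assigned: FrozenSet[str]) -> Set[str]:
    """Roles reachable through the hierarchy from the assigned ones."""
    h = role_hierarchy()
    out: Set[str] = set()
    for r in assigned:
        out |= h[r]
    return out


def can_read(assigned: FrozenSet[str], object_level: str) -> bool:
    # Permission (o, read) is assigned to the read role of o's label.
    return READ_ROLE[object_level] in effective_roles(assigned)


def can_write(assigned: FrozenSet[str], object_level: str) -> bool:
    # Permission (o, write) is assigned to the write role of o's label.
    return WRITE_ROLE[object_level] in effective_roles(assigned)


def access_matrix(level: str) -> Dict[str, Tuple[bool, bool]]:
    """For a user at `level`: {object label: (may read, may write)}."""
    roles = rule_roles(level)
    return {o: (can_read(roles, o), can_write(roles, o)) for o in LEVELS}


if __name__ == "__main__":
    for lv in LEVELS:
        print(lv, sorted(rule_roles(lv)), access_matrix(lv))
```

Under the liberal *-property a Child-level user may write Adult-labelled objects; if the store wants writes confined to the user's own level (the strict *-property), make each write role senior only to itself so that the write hierarchy becomes flat.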